Sample details: a50bcf7193e996424592154b2da25ec1 --

Hashes
MD5: a50bcf7193e996424592154b2da25ec1
SHA1: ef7d2267e9f7de8dd0a173e447125f9075b2b42a
SHA256: 40039571d9a5c2c3f2ca44a05523dfb028793758787006f8fef87244adb178fd
SSDEEP: 6144:DVpyuIqTtbNERHKgIVjl9wCs7ToHuQOS8rwnF6BW+UVlG1m6SY+m:/DIwEE9wHTQ8cF6BgVlKm6Im
Details
File Type: PE32+
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsConsole | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/DebuggerException__ConsoleCtrl | YRP/DebuggerException__SetConsoleCtrl | YRP/anti_dbg | YRP/inject_thread | YRP/create_service | YRP/network_tcp_socket | YRP/escalate_priv | YRP/screenshot | YRP/rat_rdp | YRP/rat_telnet | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | FlorianRoth/PlugX_J16_Gen |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
\$ UVW
tcH9|$(ubL
fA;^XH
fA+^XfA;^Z@
t$pfA+^Z
@SVWAVAWH
H;D$Hw1
A_A^_^[
L$0uvH
@UVATAWH
A_A\^]
@USVAVAWH
A_A^^[]
\$ UVWATAUAVAWH
A_A^A]A\_^]
@UVWAVH
.detour
|$ UAVAWH
SVWAVH
8A^_^[
SVWAVAWH
0A_A^_^[
WAVAWH
 A_A^_
WAVAWH
 A_A^_
x ATAVAWH
 A_A^A\
UVWAVAWH
PA_A^_^]
UATAUAVAWH
e D8 u
fF9$@u
fF9$@u
A_A^A]A\]
;t$@u-
UWATAUAVH
A^A]A\_]
@USVWATAUAVAWH
A_A^A]A\_^[]
t-f9t$0u
fB94@u
WAVAWH
 A_A^_
WAVAWH
Bf9:u+M
UVWAVAWH
@A_A^_^]
UVWAVAWH
PA_A^_^]
ATAVAWH
 A_A^A\
VWATAVAWH
 A_A^A\_^
x ATAVAWH
 A_A^A\
fffffff
WATAUAVAWH
@A_A^A]A\_
` AUAVAWH
t$8Hc0I
\$0D9=
A_A^A]
Hct$@H
sYHcL$HH
x ATAVAWH
< tD<	t@
 A_A^A\
t$ WAVAWH
H3E H3E
WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
UVWATAUAVAWH
G0Hc	H
A_A^A]A\_^]
D8eoupH
UVWATAUAVAWH
pA_A^A]A\_^]
WATAUAVAWH
 A_A^A]A\_
AUAVAWH
0A_A^A]
@SVWATAUAVAWH
L!|$@L!
D$HHcH
A_A^A]A\_^[
SVWATAUAVAWH
0A_A^A]A\_^[
WATAVH
@A^A\_
WATAUAVAWH
gfffffffH
D8L$Ht
A_A^A]A\_
x AUAVAWH
A_A^A]
@SUVWH
@SUVWH
@SUVWAVH
A^_^][
UVWATAUAVAWH
D$DD9T$X
|$h+t$D+
A_A^A]A\_^]
WAVAWH
 A_A^_
LcA<E3
t$ WATAUAVAWH
D!l$h3
0A_A^A]A\_
l$ VWATAVAWH
T$&@8t$&t9@8r
A81t@@8r
A_A^A\_^
@SUVWATAVAWH
PA_A^A\_^][
@USVWH
AUAVAWH
0A_A^A]
@UATAUAVAWH
!t$(H!t$ I
A_A^A]A\]
@UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
A_A^A]A\]
UVWATAUAVAWH
A_A^A]A\_^]
UVWATAUAVAWH
A_A^A]A\_^]
VWATAVAWH
 A_A^A\_^
\$ UVWATAUAVAWH
D9l$dtXH
HcD$PH;
HcD$PH;
A_A^A]A\_^]
VWATAVAWH
 A_A^A\_^
WATAVH
D82u&H
D8t$Ht
H(H9J(u
generic
unknown error
iostream
iostream stream error
system
string too long
invalid string position
\hh.exe
assert fail quit:sc[0]
InstallService
InjectDllx64.cpp
c:\log.txt
assert fail quit:sc[2]
boot the service
Global\doorneedshut
real load dll process
assert failed code=%d
DetourCreateProcessWithDllW failed 
ResumeThread failed
dllrealpath path=%s
real_cmd_line=%s
curExepath=%s realpath=%s
copy exe file failed %d
srvcmdline path=%s
LocalTime=%d%d%d_%d%d%d,Week=%d
Time:%s
Page:%s
Func:%s()
Line:%d
Error:%d ->%sWSAError:%d
cmdline:%s
Info:%s
/c ping 0.0.0.0 & del /q %s
cmd.exe
Wow64DisableWow64FsRedirection
kernel32.dll
bad allocation
permission denied
file exists
no such device
filename too long
device or resource busy
io error
directory not empty
invalid argument
no space on device
no such file or directory
function not supported
no lock available
not enough memory
resource unavailable try again
cross device link
operation canceled
too many files open
permission_denied
address_in_use
address_not_available
address_family_not_supported
connection_already_in_progress
bad_file_descriptor
connection_aborted
connection_refused
connection_reset
destination_address_required
bad_address
host_unreachable
operation_in_progress
interrupted
invalid_argument
already_connected
too_many_files_open
message_size
filename_too_long
network_down
network_reset
network_unreachable
no_buffer_space
no_protocol_option
not_connected
not_a_socket
operation_not_supported
protocol_not_supported
wrong_protocol_type
timed_out
operation_would_block
address family not supported
address in use
address not available
already connected
argument list too long
argument out of domain
bad address
bad file descriptor
bad message
broken pipe
connection aborted
connection already in progress
connection refused
connection reset
destination address required
executable format error
file too large
host unreachable
identifier removed
illegal byte sequence
inappropriate io control operation
invalid seek
is a directory
message size
network down
network reset
network unreachable
no buffer space
no child process
no link
no message available
no message
no protocol option
no stream resources
no such device or address
no such process
not a directory
not a socket
not a stream
not connected
not supported
operation in progress
operation not permitted
operation not supported
operation would block
owner dead
protocol error
protocol not supported
read only file system
resource deadlock would occur
result out of range
state not recoverable
stream timeout
text file busy
timed out
too many files open in system
too many links
too many symbolic link levels
value too large
wrong protocol type
_hypot
CorExitProcess
Unknown exception
bad exception
(null)
`h````
xpxxxx
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
_nextafter
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
 delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
 new[]
 delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
 Type Descriptor'
 Base Class Descriptor at (
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1#SNAN
1#QNAN
ResumeThread
CreateProcessW
VirtualAllocEx
VirtualProtectEx
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
IsWow64Process
GetCommandLineA
CreateFileA
GetFileTime
SetFileTime
CloseHandle
GetLastError
SetErrorMode
SetEvent
WaitForSingleObject
CreateEventA
OpenEventA
GetWindowsDirectoryA
GetModuleFileNameW
lstrcpyA
lstrcatA
CopyFileW
WideCharToMultiByte
ExpandEnvironmentStringsW
CreateDirectoryW
CreateFileW
SetFilePointer
WriteFile
HeapAlloc
HeapFree
GetProcessHeap
GetCurrentProcess
ExitProcess
TerminateProcess
GetCurrentThread
SetThreadPriority
SetPriorityClass
GetLocalTime
GetTickCount
GetProcAddress
LoadResource
LockResource
SizeofResource
LocalFree
FormatMessageA
lstrcmpiA
lstrlenA
LoadLibraryA
FindResourceW
MultiByteToWideChar
KERNEL32.dll
wvsprintfA
wsprintfA
USER32.dll
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
RtlCaptureContext
RtlVirtualUnwind
ntdll.dll
EncodePointer
DecodePointer
RaiseException
GetModuleHandleExW
SetLastError
GetCurrentThreadId
GetStdHandle
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsProcessorFeaturePresent
HeapSize
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
LCMapStringW
HeapReAlloc
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
SetStdHandle
WriteConsoleW
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVerror_category@std@@
.?AV_Generic_error_category@std@@
.?AV_Iostream_error_category@std@@
.?AV_System_error_category@std@@
.?AVCCHK@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
.?AVbad_exception@std@@
!This program cannot be run in DOS mode.
W*+nWP
W*+hWO
W*+}Ws
W*+iW]
W*+oW]
W*+kW]
WRich\
`.data
.pdata
@.rsrc
@.reloc
u("60[Jw{XMl?sc^8G|}z@:A*ENDydgmet!9#< ICiL;1W/U>&YbaTSZ-%x5\v=4'k_r,2O+qfB37VR`])KQ.oPhnj$H~Fp
DISPLAY
%s%d.%d SEQ:%s
The version of personal hacker's door server is 
Classes
.DEFAULT
TR3R`hu2KK`KuO`oR,(
/`u1`rk7uTQ2Ku1`+`R(
Users logged on locally:
The Domain:
System Dir:
Computer Name:
Unknow
Windows 2000/xp/2003 Server
 Windows 2000/xp/2003 domain controller 
Product type:%s
Windows 2000/xp/2003 Professional
Service Pack:%d.%d
System Version:Windows nt %d.%d build:%d
Intel  Pentium III or high
Type of CPU:%s
Intel Pentium or Intel Pentium low
Number of CPU:%d
aq2u]kKkV2.2KufQufRPk7f,(
aq2u]K`r2QQuqkQu_22Ru3f772,(
9kRw.u`]2Ru]K`r2QQ(
9kRw.uQ2.u]K`r2QQu>KfPf72+2(
SeDebugPrivilege
9kRw.u`]2Ru]K`r2QQu.`32R(
9kRw.u+2.u]K`r2QQuf,(
bqo.,`hRuQjQ.2VuQorr2QQOo77j(
Y2_``.uQjQ.2VuQorr2QQOo77j(
SeShutdownPrivilege
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888(
9kRw.uQ2.uab<Rk_72(
9kRw.uQ2.uK2+fQ.2KuPk7o2(
9`VVkR,u2n2ro.2uQorr2QQOo77j(
shutdown
aq2uQjQ.2Vuhf77uK2_``.uR`h(
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Hotkey
.DEFAULT\Keyboard Layout\Toggle
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\CurrentControlSet\Services\TermDD
TSEnabled
SYSTEM\CurrentControlSet\Control\Terminal Server
EnableAdminTSRemote
SOFTWARE\Policies\Microsoft\Windows\Installer
Enabled
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
aq2u]`K.ufQufRPk7f,(
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888uQ2KP2K(
9kRw.u`]2RuQ2KPfr2(
9kRw.uQ.kK.u.27R2.uQ2KPfr2(
aq2u.27R2.uQ2KPfr2ufQuQ.kK.2,uQorr2QQOo77j(
TlntSvr
9kRw.u`]2Rub2KPfr2ur`R.K`7uVkRk+2K(
TelnetPort
9kRw.u`]2RuY2+fQ.2K(
SOFTWARE\Microsoft\TelnetServer\1.0
9kRw.u`]2RurV,uQq277(
aq2ur`VVkR,uQq277ufQuk7K2k,ju`]2R(
<nf.uborr2QQOo77j
9`VVkR,u2n2ro.2uOkf72,(
 done, ret = %d
9kRw.u`]2RuOf72(
Default
WinSta0
brK22Rur`]juQorr2QQOo77j(
9kRw.uhKf.2u_V]uOf72(
9kRw.u+2.uQrK22Ru,k.k(
screen.bmp
b2.ur`RR2r.u_kr3ufR.2KPk7uQorr2QQOo77j(
9kRw.uQ2.ur`RR2r.u_kr3ufR.2KPk7(
The connect back interval is %d (minutes)
9qkR+2u,fKuOkf72,(
9qkR+2u,fKuQorr2QQOo77j(
9`R.K`7g
aq2uW2QQk+2ufQu.`u7`R+u.`uQ2R,(
	Z27r`V2u_kr3?WkQ.2K(RuTQ2uwmwu.`u+2.uC27]
9kRw.u2nf.ur`VVkR,uQq277(
aq2ur`VVkR,ufQuR`.uO`oR,(
aq2ur`VVkR,uQjR.knufQuR`.ur`KK2r.(
aq2ur`VVkR,ufQu.``u7`R+u.`uK2rPur`V]72.27j(
Y2rPu#k.ku2KK`K(
aq2uQ2QQf`RufQu.fV2u`o.u_2rkoQ2u.q2uoQ2KufQuR`ukr.f`RufRukuO2huVfRo.2Q(
99V,>K`r!kQ2NNWkfR1``]N
b2R,u#k.ku2KK`K(
9kRw.uOfR,ukRjuq27]ufRO`Vk.f`R(
ssssssssssssssssssssssssssss
uuuuuuuuuuuMMMMMMMM9`VVkR,Qu1fQ.MMMMMMMM
9kRw.u7fQ.u]K`r2QQ(
%-20d%s
>K`r2QQi#uuuuuuuuu>K`r2QQ/kV2
aq2u2KK`KufRO`ufQuR`.uQq`hufRu.qfQuP2KQf`R(
9kRw.uo],k.2uqkr32KwQu,``K(
Ckr32KwQu,``KufQuo]k.2,uQorr2QQOo77j(
#`hR7`k,u.q2uOf72uQorr2QQOo77j(
9kRw.u,`hR7`k,u.q2uOf72
9K2k.2u,`hR7`k,u.qK2k,uQorr2QQOo77j(
9kRw.urK2k.2u,`hR7`k,u.qK2k,
ossystem.sys
I2.uOf72uOkf72,(
Y2k,uOf72u2KK`K(
I2.uOf72uQorr2QQOo77j(
 f72u.`u7`R+(
>o.uOf72uQorr2QQOo77j(
>o.uOf72uOkf72,(
ZKf.2uOf72u2KK`K(
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
]o.Of72
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
+2.Of72
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
7fQ.uk77uOf72QukR,u,fKQ
+2.,fK
+2.uk77u,fQ3
+2.,fQ3
Q2.fR.2KPk7
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
r`]jQrK22R
+2.oK7
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
`]2RQq277
hfR2n2r
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
2nf.Qq277
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
Qqo.,`hR
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
+2.QjQfRO`
]Q3f77
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]Q7fQ.
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
`]2R.27R2.
`]2R}}*E
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
OfR,]kQQ
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
9`VV`RNt,,#2_o+>KfPf72+2N
SeLoadDriverPrivilege
9`VV`RNt,,1`k,#KfP2K>KfPf72+2N
I7`_k7\bjQ.2VafV2|
I7`_k7\bjQ.2VafV28
I7`_k7\bjQ.2VafV2}
q3,``K]kQQ
0000000000000
I'mhackeryythac1977
kernel32.dll
9 fR,>kQQNNiRf.N
9kRw.u+2.uOoRr.f`Ruk,,K2QQ(
RtlRunDecodeUnicodeString
RtlDestroyQueryDebugBuffer
RtlQueryProcessDebugInformation
RtlCreateQueryDebugBuffer
NtQuerySystemInformation
NTDLL.DLL
Domain:%S,User:%S,Password:%s
/`u1`+`RufRO`KVk.f`RuO`oR,(
The session:%d login information is:
winlogon.exe
rdpclip.exe
explorer.exe
found service_record table! version <= 6.1
found service_record table 6.2 or 6.3!
Version: major:%d, minor:%d
SvcHostDLL: RegisterServiceCtrlHandler %S failed
Product type:
Windows 2000/xp/2003/2008 Server
 Windows 2000/xp/2003/2008 domain controller 
Windows 2000/xp/2003/2008 Professional
hkdoorevt
<KK`KurK2k.2urV,u]K`r2QQ`K(
I7`_k7\bjQ.2VafV2G
Global\%s
9kRw.uQ.kK.uq3,``K?Vkj_2uf.uk7K2k,juKoR(
Y2rPu2nf.u2P2R.?.q2u_kr3,``Ku2nf.2,(
closehandle error:%d
closehandle
Terminate thread:%d
TRfRQ.k77uQ.2]u}
TRfRQ.k77uQ.2]u|
9kRw.uoRfRQ.k77?9K2k.2Wo.2nu ti1<#(
TRfRQ.k77uQ.2]uG
2KK`KuZkf. `KbfR+72U_B2r.(
b.kK.uqkr32KwQu,``KuQorr2QQOo77j(
2KK`KuQ2.u7`+fRu2P2R.(
2KK`KurK2k.2u7`+fRu2P2R.(
2KK`KuQ2.u7`+fRu]kQQh`K,(
error set login password
2KK`Ku+2.u7`+fRu]kQQh`K,(
9kRw.uqf,2u,KfP2K(
9kRw.u7`k,u,KfP2K(
dwResult:%d
\drivers\ntfs.sys
9kRw.u2nkr.u,KfP2KuOf72(
drivers
%s:%s,%s:%s,IsInstall:%d
OS system info
TR7`k,#KfP2KuQorr2QQOo77j(
9kRw.uQ.kK.uR2.uh`K3u,KfP2K(
dwResult=%d
IPFILTERDRIVER
!2+fRu.`uQ.kK.uqkr32KwQu,``Kcccc
9kRw.uQ.kK.uKoRRfR+(
Entering DLL_PROCESS_ATTACH
rundll32.exe
ZfRb`r3u#11uP2KQf`RufQu2KK`Ku
9i]>kr32.!kQ2NNiRf.fk7f$2b`r32.QN
Zbtb.kK.o]u2KK`K
Q2.Q`r3`].uOoRr.f`Ru2KK`Ku
9i]>kr32.!kQ2NN9K2k.2N
Q`r32.uOoRr.f`Ru2KK`Ku
Q2R,.`uOoRr.f`Ru2KK`K
9kRw.uVk77`ruR2h!oOu
9i]>kr32.!kQ2NNb2R,>kr32.N
9`RQ.Kor.i>C2k,2KuOoRr.f`Ru2KK`K
9`o7,Rw.uk77`ruV2V`Kjc
9`o7,uR`.u7`r3u]kQQh`K,c
9`o7,uR`.u7`k,u]kQQh`K,c
aq2u]kQQh`K,uQf$2ufQu$2K`c
9Y2QWkRk+2KNNI2.Y2Q#k.kN
9`o7,uR`.u7`rk.2u]kQQh`K,c
9Y2QWkRk+2KNNI2.b.KfR+!jiR,2nN
9kRw.uOfR,uK2Q`oKr2c
%s%s%s
%s%s%s ErrorCode:%d
too many contents! just show a part.
%d/%d/%d %d:%d:%d %s
Can't open  log file:%s 
system.txt
error=%d
ComSpec
Winlogon
Sell_DESKTOP
9ar]>kr32.NNb2R,>kr32.N
9`RQ.Kor.ar]C2k,2KuOoRr.f`Ru2KK`K
9kRw.uQ2.uQ2QQf`Ru2P2R.
9kRw.urK2k.2uq>kr32.<P2R.
9kRw.u+2.u.q2uroKK2R.u7`+fRuQ2QQf`RufRO`
9ar]b2QQf`RNN9K2k.2N
] f7.2K#KfP2KufQufRPk7f,
I<a4>t9;<au2KK`K
9ar]b2QQf`RNNY2rP>kr32.N
>kKkVu2KK`K
b2R,u,k.ku.fV2u`o.?Vkj_2u.q2uQ2KP2KufQu,`hR
Y2rP>kr32.u2KK`K
9ar]b2QQf`RNNb2R,#k.kN
b2R,>kr32.u2KK`K
fail start server.driver name=%s
open driverdosname=%s driverhandle=%d
\\.\Global\
system32\Drivers\
%s%s.sys
\system32\Drivers\
%s\%s.sys
preapre to load driver!!! retCode=%d
<4,$?7/'
(3-!0,1'8"5.*2$
`h````
ppxxxx
(null)
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
CorExitProcess
mscoree.dll
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
runtime error 
TLOSS error
SING error
DOMAIN error
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
Unknown exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
InitializeCriticalSectionAndSpinCount
SetThreadStackGuarantee
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
D$@usH
D$`uQH
\$@D;\$Hu
D$Pt*3
t$ @81
ti<"uOH
unknown
D9d$@u
t$`fff
f9D$6uhL
t&9{,t!9{$t
{(9{ t=
t+D9q,t%D9q$t
s(D9s tB
|$xIcx
t$@Hcr
t)IcL$
d$@Lca
L$0H)D$0
t$0u$A
L$HtFH
L$Ht=H
\$8fff
t$xA9?
D$pL9gXt%
D$`HcH
H(H9J(u
E(L9`0u
T$0LcC
tfHcD$0H
|$Ft8fff
@8|$&H
t%9t$Pu
x"H9pxu#
Lc\$PHcL$0J
K H;H t
K(H;H(t
K0H;H0t
K8H;H8t
K@H;H@t
KHH;HHt
d$PH95
L$(fff
E>8]>t$
E>8]>t%
x]L9#tXH
GlobalFree
GlobalAlloc
WaitForSingleObject
WideCharToMultiByte
__C_specific_handler
GetProcAddress
GetModuleHandleA
GetVersionExA
GetSystemDirectoryA
GetComputerNameA
GetSystemInfo
TerminateProcess
OpenProcess
CloseHandle
GetCurrentProcess
WinExec
MoveFileExA
DeleteFileA
CopyFileA
GetModuleFileNameA
WriteFile
CreateFileA
GlobalSize
GetCurrentThreadId
GetDriveTypeA
SetCurrentDirectoryA
GetCurrentDirectoryA
CreateThread
FindClose
FindNextFileA
FindFirstFileA
GetFileAttributesExA
GetLastError
MultiByteToWideChar
OpenMutexA
ReadProcessMemory
LoadLibraryA
WriteProcessMemory
HeapFree
HeapAlloc
GetProcessHeap
VirtualQueryEx
lstrcmpiW
lstrlenW
ExpandEnvironmentStringsW
GetWindowsDirectoryW
GetVersionExW
DefineDosDeviceW
GetPrivateProfileSectionW
GetTickCount
GetComputerNameW
GetThreadPriority
CreateMutexA
GetWindowsDirectoryA
ExitProcess
OpenEventA
TerminateThread
CreateEventA
GetSystemDefaultLCID
GetCurrentProcessId
SetLastError
DeviceIoControl
IsBadReadPtr
Module32First
CreateToolhelp32Snapshot
Process32Next
ProcessIdToSessionId
Process32First
FreeResource
LockResource
LoadResource
SizeofResource
FindResourceA
FreeConsole
GetExitCodeProcess
GetConsoleTitleA
CreateProcessA
GetEnvironmentVariableA
CreatePipe
ReadFile
PeekNamedPipe
SetConsoleCursorPosition
WriteConsoleOutputA
SetConsoleCtrlHandler
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
AllocConsole
GetConsoleScreenBufferInfo
ReadConsoleOutputA
WriteConsoleInputA
GenerateConsoleCtrlEvent
GetFileAttributesA
KERNEL32.dll
ReleaseDC
ExitWindowsEx
CloseDesktop
SetThreadDesktop
CloseWindowStation
OpenDesktopA
SetProcessWindowStation
OpenWindowStationA
GetThreadDesktop
GetProcessWindowStation
GetUserObjectInformationA
CreateDesktopA
CreateWindowStationA
USER32.dll
GetDIBits
RealizePalette
SelectPalette
GetStockObject
DeleteDC
DeleteObject
GetObjectA
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
EnumFontFamiliesW
GDI32.dll
RegCloseKey
LookupAccountSidA
ConvertStringSidToSidA
RegEnumKeyA
OpenProcessToken
RegSetValueExA
RegCreateKeyA
StartServiceA
ChangeServiceConfigA
CloseServiceHandle
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
LookupAccountSidW
GetTokenInformation
LookupPrivilegeValueW
SetServiceStatus
RegisterServiceCtrlHandlerA
CreateServiceA
DeleteService
ADVAPI32.dll
WS2_32.dll
GetModuleFileNameExA
EnumProcessModules
EnumProcesses
GetModuleFileNameExW
PSAPI.DLL
imagehlp.dll
VERSION.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx
MoveFileA
ExitThread
ResumeThread
RaiseException
RtlPcToFileHeader
HeapReAlloc
GetCommandLineA
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
EnterCriticalSection
LeaveCriticalSection
HeapSetInformation
HeapCreate
HeapDestroy
DeleteCriticalSection
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
LCMapStringW
FlushFileBuffers
GetTimeZoneInformation
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
IsBadWritePtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
InitializeCriticalSection
VirtualProtect
VirtualAlloc
VirtualQuery
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
intelunt.dll
ServiceMain
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
OfR,]kQQ
`]2R}}*E
`]2R.27R2.
]Q7fQ.
]Q3f77
+2.QjQfRO`
Qqo.,`hR
2nf.Qq277
hfR2n2r
`]2RQq277
+2.oK7
r`]jQrK22R
Q2.fR.2KPk7
+2.,fQ3
+2.,fK
+2.Of72
]o.Of72
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
+2.uk77u,fQ3
7fQ.uk77uOf72QukR,u,fKQ
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
.?AVCRTException@@
/91UIi/
9W#1UIi/
IYt>CSi<Z1UIi/
IYt>C9aY1UIi/
 i1<aYt/b1UIi/
.?AVbad_exception@std@@
.?AVexception@@
0RPaq;
<?;EX)
bJMt[c
#1]5nl%
a>="5ML
75*K	T
9>8??h
~We$E;t
B@27z"
k:DO_gQk
$t'8Vo
p>%	^w
%yS?Gd=
~B71^kB
x@m&"R
Xod@*@
/bQOum.
q1o^bSX
dT6'bG]M[
w)%_2r
 Sd96f
~r^5OX)
OU@FJ}
ttOt4W8
:iG0d5
2Nr|-@
Y<t}UR