Sample details: db19d34e5935f9f230ee3c8dcaed8d7b --

Hashes
MD5: db19d34e5935f9f230ee3c8dcaed8d7b
SHA1: bbe9d7b90cfd6e9a61165270e189b3ad7d4ea6cb
SHA256: f13f67fc5e53225d048a6d7b8ed82eaadd4fa5d8320b5b6b67b1ee7bebe1a005
SSDEEP: 12288:Ue82Y0Wtx6C6OET19AMVJIGtM5qmvmybBx4Vbiqoy6sDkWfIVQWZ8219UKQ2p:t82XGxs7A2JI2M5xvmybBx4Vbiqoy6sc
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/System_Tools | YRP/Antivirus | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/create_service | YRP/network_tcp_listen | YRP/network_tcp_socket | YRP/escalate_priv | YRP/screenshot | YRP/keylogger | YRP/sniff_audio | YRP/rat_rdp | YRP/rat_webcam | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/IronTiger_Gh0stRAT_variant |
Source
http://42.51.45.51:8080/win.exe
Strings
		!This program cannot be run in DOS mode.
Y,=DY,=DY,=D"01DZ,=D
03D^,=D637DR,=D639D],=Do
6D[,=Do
9D[,=D
#bDX,=D
#`DD,=DY,<D
!DX,=DY,=D{,=D
36D},=D
*;DX,=DRichY,=D
`.rodata
`.rotext
`.rdata
@.data
WVhzGA
BD9X4tV9X8tQj
~lWhLdH
^pSh<dH
Yt6G;~
tT<\uB
PVVVVV
PSSSSSW
<At=<Bt9
t+</t'
SVWj?3
97t*9w
PVWh'k@
PSVh'k@
VVVh\s@
SSSh.}@
PSSSSS
PSSSSSSVS
APPPQh
APPPQh
APPPQh2
PAPQhq
APPPQh
APPPQhc
APPPQh
APPPQh
PAPQh?
PAPQh5
PAPQhy
PAPQhA
tGVWSP
SVWjm3
b9]$u]9]
t0Ht$Ht
YYjBVW
t0It$It
Jt0Jt$Jt
t?Ht$-
tKHt@Ht-Ht"Ht
.SSSSj@
&SSSSj 
_^][YY
Y_^][Y
SVSSSP
ItSItLIt7It$IIt
SSSSSSSj
SVWj?3
VWj@Y3
SVWj@Z2
QQSUVWh
_^][YY
QQSUVW3
_^][YY
SPSSSSh
SPSSSSh
PSSj j
PPPVhU!A
VWj@Y3
VWj@Y3
_WVh\eH
SVWj?^3
SSSSSS
PSSSSSSSSSS
PWWVh7DA
JJt#Jt
YY_^][Y
PPVh7DA
t@Wj2_SSj
t@Wj2_SSj
^ X_^[
~(9~$u
W(9W$u
tZ9H tU9H$tP
Fdf+Fh
D$(8D*
T$LPQR
|$HPWS
T$(PQR
T$DPVS
T$LRWS
L$LQVS
|$ WUSV
D$$SUV
T$,RWV
T$,RWV
T$,RWV
L$,QWV
T$,RWV
L$ RUPj
T+3x%A
;D$<s!
T$,PQh
{4_^]3
\$LU@VW
\$LU@VW
l$P@VW
\$TU@VW
D$\BAH
D$`FBAH
l$L@VW
\$LU@VW
l$P@VW
D$\BAH
\$,U@VW
\$,U@VW
l$0@VW
\$4U@VW
D$<BAH
D$@FBAH
l$,@VW
\$,U@VW
l$0@VW
D$<BAH
L$8SUW
T$ EGJ
T$ CGJ
T$ EFJ
L$8SUW
l$D@BE
l$@@BE
T$(FGJ
T$(AGBE
T$ ACFEJ
T$ GFJ
l$,ABE
T$(+T$,
T$ FGJ
D$0SUV
T$(PQR
T$@UVW
L$DG@FI
L$`SVQQ
D$8SUVW
D$8SUVW
T$,B@M
D$(SUV
L$,CBI
L$,CBI
L$,CBI
D$`SUV
D$,FEH
L$HSUV
D$,FEH
L$,CBI
D$DSUVW
D$0SUV
L$HSUV
L$HSUV
D$0SUVW
D$<FAH
L$<FBI
L$<FBI
D$0SUVW
D$<FAH
L$<FBI
L$<FBI
\$ GEK
\$ GEK
D$LSUVW
L$`9L$
D$DSU@VW
T$X9T$
D$DSU@VW
T$X9T$
D$LSUVW
L$`9L$
D$DSU@VW
T$X9T$
D$DSU@VW
L$X9L$
\$HEBK
\$HEBK
D$4CEH
D$0SUV
D$\QRUP
T$TQSRU
T$0PQS
T$@PQS
T$0PQS
T$HPQS
T$lj?U
UPQWRV
L$4WQV
\$0UVW
QxRPUV
T$HQWj?P
|$LQSRW
T$LPQRU
T$HQVj?P
l$LRWPU
D$LQRPS
l$(~z+
D$<;L$(s
L$<;D$
SUVWP3
D$,SUV
pP_^]f
xP_^]f
t$(SWj
L$0QWVS
T$@RWVU
D$0PWVS
L$@QWVU
D$8RWVP
L$4VQSWR
L$4VQSWR
L$ SUV
T$$USVP
D$0QRP
uD9{`~?
PVVj QRS
u$9{`~
H@QWRVS
F8PWVS
<a|0<z
SWPUQR
CPj@QR
D$0QPV
PUh$mI
D$ SUV
D$ RWP
T$ QWR
D$(_^+
D$@SUV3
L$HHt"
\$$;D$D|5
D$,;t$D|1;
D$@SUV3
L$HHt"
\$$;D$D|<
D$,;t$D|8;
Ht}Ht~
L$,SUV
L$@PQWS
D$8VW@UP
L$@VWQU
@_^][Y
T$ PVQR
T$$PVQR
T$ PVQR
T$$PVQR
';D$8}
L$0SVQW
D$0SVWP
T$ PVQR
T$lRQP
D$Hu5;
L$lWQRP
D$@QVURP
D$LQRP
D$LQRP
D$LQRP
D$LQRP
)\$89T$(t
D$829l$8}-
u#;D$8u
M(RWUQ
RPQSVWU
RPQVWU
RPQVSU
Ntt:;~
D$DQRP
T$TQSRP
D$LPWW
D$hUWQRP
D$lUWR
T$tPQRV
D$XQRP3
T$tUWVVQ
T$tQVj
T$tQVj
T$tQVj
T$tQVj
L$pQVj	PS
L$pQVj	PS
L$pQVj	PS
T$tQVj
L$pQVj	PS
L$pQVj	PS
L$pQVj	PS
T$tQVj
L$pQVj	PS
L$pQVj	PS
L$pQVj	PS
tqHtLHt%
t$hRVW
HtXHt+
T$XRQP
L$8QSPRt
T$,QSPR
T$,QSMPRt
T$,QSPR
tqHtHH
tqHtHH
D$Lt!H
\$hVWS
\$TJt8
tgItDIt!H
t$(Jt-
tSIt9It
D$$SUV
D$<PVj
L$<QVj
T$<RVj
D$<PVj
L$<QVj
T$PRVj
D$<PVj
L$PQVj
T$<RVj
D$PPVj
L$<QVj
T$<RVj
D$PPVj
L$<QVj
T$PRVj
D$<PVj
L$PQVj
T$<RVj
D$<PVj
L$PQVj
T$<RVj
D$PPVj
L$<QVj
T$PRVj
L$$SUV
L$<QVj
T$<RVj
L$<QVj
T$<RVj
l$<UVj	P
L$0UVj
UVj	PR
D$0UVj
UVj	PQ
T$0UVj
L$<QVj
UVj	PR
D$0UVj
UVj	PQ
T$0UVj
l$<UVj	P
L$0UVj
T$<RVj
l$<UVj	P
L$0UVj
UVj	PR
D$0UVj
UVj	PQ
T$0UVj
VRPQUW
VRPQUW
L$ RQP
L$`PQR
D$HRPQ
C$_^][
T$@SUV
L$`|M;
\$(9|$d|D
\$89|$\|B;
}&9F }!
D$4SUV
L$$9N,~
N,9V,}
N09~0}
T$PPQURW
9D$HtJ
T$XPUQRVW
t=It!I
|$0PWt
SQJPWt
D$lPQR
\$<t5It
SQJPWt
T$,QWR
D$,RWP
T$pPQR
D$LPWSV
T$DQWSVR
T$DQWSVR
L$(WSVUQP
t$L^][
t$P_^][
t$<_^][
D$xSUV3
T$|PQSURWV
D$|QRSUPWV
T$pUWS
T$pUWS
T$pUWS
D$ RPSU
T$ QRSU
tbIt>I
\$4QPS
\$4RPS
L$pQPS
\$(t=Jt!
\$0RQPS
D$tPQW
D$$RPSU
T$$QRSU
t;Jt%UQJPSt
UQJPSt
L$$PQUS
D$$RPUS
|$PQPS
T$0QRUS
L$0PQUS
tbIt>I
l$<QPU
l$<RPU
L$@QPU
D$(PQW
L$,PQUS
D$,RPUS
t;Jt%UQJPSt
SQJPUt
T$,QRUS
L$,PQUS
\$$t=It!I
|$0PWt
SQJPWt
t$<_^][
VWh\uL
7QhRuL
T$`RVPQ
L$,PQRS
?hffffQ
Qj(SVR
T$,WRh
L$pQRP
L$|j(QP
D$(RPV
T$\ha2U0R
L$\ha2U0Q
T$hha2U0R
D$xRPQ
D$$RPQSV
T$(QRh
|$8QRWVh0
D$@SUV
ha2U0Q
T$ ha2U0R
jm[^C;1
m[KK.:#,
XBKBKX
!{bhbh
BKTbBK
bh~X~X=
AmA-Tb
BKBKbh~XF
BKBK!;
	%	%	%	%	
	%	%	%	%	
	%	%	%	%	
VUVUVUVU
@43434343
	|	|	|	|	%	%	%	%	
XBKBKX
!{bhbh
BKTbBK
bh~X~X=
XI2BK;
AmA-A-
BKBKBK
bh!;~X
XBKBKX
!{bhbh
BKTbBK
bh~X~X=
AmA-Tb
BKBKbh~XBKBK!;
BKBKbh~XBKBK!;
AmA-Tb
AuthenticAMD
								
        !!!!!!!!""""""""########$$$$$$$$%%%%%%%%&&&&&&&&''''''''(((((((())))))))********++++++++,,,,,,,,--------........////////00000000111111112222222233333333444444445555555566666666777777778888888899999999::::::::;;;;;;;;<<<<<<<<========>>>>>>>>????????@@@@@@@@AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKKLLLLLLLLMMMMMMMMNNNNNNNNOOOOOOOOPPPPPPPPQQQQQQQQRRRRRRRRSSSSSSSSTTTTTTTTUUUUUUUUVVVVVVVVWWWWWWWWXXXXXXXXYYYYYYYYZZZZZZZZ[[[[[[[[\\\\\\\\]]]]]]]]^^^^^^^^________````````aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhhiiiiiiiijjjjjjjjkkkkkkkkllllllllmmmmmmmmnnnnnnnnooooooooppppppppqqqqqqqqrrrrrrrrssssssssttttttttuuuuuuuuvvvvvvvvwwwwwwwwxxxxxxxxyyyyyyyyzzzzzzzz{{{{{{{{||||||||}}}}}}}}~~~~~~~~
VUVUVUVU
@43434343
	|	|	|	|	%	%	%	%	
????????????????
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
								
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
jm[^C;1
m[KK.:#,
UUUUUU
								
This software is derived from the GNU GPL XviD codec (1.3.0).
Your software distributor has to give access to its source code.
?ffffff
?ffffff
?333333
AVICAP32.dll
capCreateCaptureWindowA
capGetDriverDescriptionA
CreateThread
CreateEventA
SetEvent
CloseHandle
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
WideCharToMultiByte
WaitForSingleObject
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
GetFileAttributesA
OpenProcess
lstrlenA
GetPrivateProfileSectionNamesA
ExpandEnvironmentStringsA
lstrcatA
FreeLibrary
GetProcAddress
LoadLibraryA
MultiByteToWideChar
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
CreateProcessA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
LocalReAlloc
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
HeapFree
LocalSize
CreateToolhelp32Snapshot
GetProcessHeap
Process32Next
Process32First
ExitThread
GetTickCount
GetCurrentProcessId
TerminateThread
GetWindowsDirectoryA
GetCurrentProcess
GetSystemDirectoryA
GetLocalTime
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GlobalMemoryStatusEx
GetSystemInfo
ExitProcess
GetModuleFileNameA
DuplicateHandle
OpenEventA
WinExec
GetCurrentThreadId
CopyFileA
SetFileAttributesA
GetVersion
DeviceIoControl
GetStartupInfoA
CreatePipe
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GetModuleHandleA
GetComputerNameA
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
lstrcmpiA
GetExitCodeThread
KERNEL32.dll
wsprintfA
CharNextA
MessageBoxA
EnumWindows
ExitWindowsEx
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
BlockInput
SendMessageA
SystemParametersInfoA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDesktopWindow
ReleaseDC
GetCursorPos
GetMessageA
GetInputState
IsWindowVisible
PostMessageA
ShowWindow
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostThreadMessageA
USER32.dll
SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap
GDI32.dll
OpenProcessToken
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
RegCloseKey
RegQueryValueA
RegOpenKeyExA
StartServiceA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
RegEnumValueA
RegDeleteValueA
RegDeleteKeyA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
QueryServiceStatus
DeleteService
ControlService
QueryServiceConfigA
EnumServicesStatusA
RegOpenKeyA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
StartServiceCtrlDispatcherA
ChangeServiceConfig2A
CreateServiceA
RegCreateKeyA
CloseEventLog
ClearEventLogA
OpenEventLogA
LookupAccountSidA
GetTokenInformation
ADVAPI32.dll
SHGetSpecialFolderPathA
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
CoTaskMemFree
ole32.dll
OLEAUT32.dll
InternetCloseHandle
WININET.dll
MFC42.DLL
__CxxFrameHandler
memcpy
memmove
memcmp
_purecall
sprintf
strcpy
strlen
strstr
memset
_except_handler3
strcmp
malloc
strrchr
strncmp
strncpy
strcat
strchr
_errno
printf
fprintf
_local_unwind2
_mbslwr
wcsstr
_mbsstr
_access
fclose
fwrite
mbstowcs
wcscpy
_beginthreadex
wcstombs
calloc
vsprintf
_CIacos
_CIpow
__dllonexit
_onexit
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
NetUserDel
NetUserSetInfo
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetLocalGroupAddMembers
NetUserAdd
NetUserEnum
NETAPI32.dll
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
MSVCP60.dll
WSAIoctl
WSASocketA
WS2_32.dll
GetUserProfileDirectoryA
GetProfilesDirectoryA
USERENV.dll
WTSFreeMemory
WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSAPI32.dll
GetModuleFileNameExA
EnumProcessModules
PSAPI.DLL
waveInGetNumDevs
waveInAddBuffer
waveInPrepareHeader
waveInUnprepareHeader
waveInClose
waveInOpen
waveInReset
waveInStart
waveOutUnprepareHeader
waveOutOpen
waveOutClose
waveOutWrite
waveOutPrepareHeader
WINMM.dll
RaiseException
_stricmp
_strnicmp
_wcsupr
%d * %d:
 Data\Microsoft\Network\Connections\pbk\rasphone.pbk
Administrator
explorer.exe
Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
ConvertSidToStringSidA
advapi32.dll
L$_RasDefaultCredentials#0
RasDialParams!%s#0
Device
PhoneNumber
DialParamsUID
WinSta0\Default
%s\shell\open\command
%s\*.*
%s%s%s
%s%s*.*
*.*.*.*:*
InternalGetUdpTableWithOwnerPid
DELETE
LISTEN
SYN_SENT
SYN_RCVD
FIN_WAIT1
CLOSE_WAIT
CLOSING
LAST_ACK
TIME_WAIT
CLOSED
InternalGetTcpTable2
AllocateAndGetUdpExTableFromStack
AllocateAndGetTcpExTableFromStack
iphlpapi.dll
Http/1.1 403 Forbidden
<H1>403 Forbidden</H1>
HTTP/1.0 200 OK
192.168.1.2
CONNECT 
http://
%%%c%c%%%c%c
setsockopt Error!
%d.%d.%d.%d
 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Close
Referer: http://
:80/http://
Host: 
Cache-Control: no-cache
Set IP_HDRINCL Error!
Address %d : %s
Yow! Bad host lookup.
Host name is: %s
Error %d when getting local host name.n
WSASocket() failed: %d
WSAStartup failed: %d
GetWindowTextA
user32.dll
SeShutdownPrivilege
[Num Lock]
[Down]
[Right]
[Left]
[PageDown]
[PageUp]
[Home]
[Insert]
[Scroll Lock]
[Print Screen]
[CTRL]
:]%d-%d-%d  %d:%d:%d
<Enter>
USER32.dll
GetCursorInfo
SeDebugPrivilege
_F&dk5MD-I_M.
TPfG^YJ^
hB6M2g'
ha9 ?+
?(!F!f?
 D!?_M
`c:14_
Lb_T*9=
YGf!:b
IK\*)&tnS>6LW|
_F&dk5MD-I_M.
>)8g	4
TPfG^YJ^
hB6M2g'
ha9 ?+
?(!F!f?
 D!?_M
	O]<ImzXX
Kc|mY}|uF
`c:14_
Lb_T*9=
YGf!:b
Oe	k:-
U	\3+T841KjO
d5=iGX
,=EDXG\OU.
#5a1f5<	LA
VbgU61Alj
LdXT-]l
K@NK0T	H.
#NOXA:$1a=
/YT;(,i(MO@
OF&$-G.V
25sGjaR#a24
<.*Sd:
fS2HeT^i[:W
.24f5"\G$
7#UPM6Z	c]3"5
BaiduSdSvc.exe
ServUDaemon.exe
DUB.exe
1433.exe
mssecess.exe
QUICK HEAL
QUHLPSVC.EXE
V3Svc.exe
patray.exe
AYAgent.aye
Miner.exe
TMBMSRV.exe
knsdtray.exe
QQ.exe
K7TSecurity.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
Avira(
avcenter.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
Kernel32.dll
WTSGetActiveConsoleSessionId
CreateEnvironmentBlock
userenv.dll
%s Win7
Game Over Good Luck By Wind
FunctionMstsc
FunctionMmc
FunctionRegedit
FunctionTaskmgr
FunctionCMD
%s\dllcache\magnify.exe
%s\dllcache\osk.exe
%s\dllcache\sethc.exe
%s\magnify.exe
%s\osk.exe
%s\sethc.exe
DELSHIFTOSK
PzOdfv
\dllcache\termsrvhack.dll
\termsrvhack.dll
SYSTEM\CurrentControlSet\Services\PzOdfv\Parameters
ServiceDll
%SystemRoot%\system32\termsrvhack.dll
SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
EnableConcurrentSessions
SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
KeepRASConnections
SYSTEM\CurrentControlSet\Services\PzOdfv
%s%s %s%s
jingtisanmenxiachuanxiao.vbs
TSDISCON %s
LOGOFF %s
taskkill /f /im cmd.exe
cmd.exe
taskkill /f /im taskmgr.exe
taskmgr.exe
taskkill /f /im regedit.exe
regedit.exe
taskkill /f /im mmc.exe
mmc.exe
taskkill /f /im mstsc.exe
mstsc.exe
PortNumber
\cmd.exe
KERNEL32.dll
GetSystemTimes
kernel32
IsWow64Process
)--SYSTEM
%d * %d
ProcessorNameString
~%u MHz
InternetShortcut
Favorites
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%d-%d-%d %d:%d:%d
UninstallString
%d%02d%02d
InstallDate
DisplayVersion
Publisher
OperatingSystem
ParentKeyName
DisplayName
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Winlogon
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
xvid-1.3.2
codep: field_pred: %i
codep: field_dct: %i
chroma_optimized_pixels = %i/%i
*** END
*** FINISH bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
*** EMPTY bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
*** BFRAME (flush) bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
*** IFRAME bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
*** PFRAME bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
CLOSED GOP BVOP->PVOP
*** XXXXXX bf: head=%i tail=%i   queue: head=%i tail=%i size=%i
*** BFRAME (store) bf: head=%i tail=%i   queue: head=%i tail=%i size=%i  quant=%i
%d  st:%lld  if:%d
sprite_warping_point[%i] xy=(%i,%i)
XviD%04d%c
DivX503b1393
sprite_warping_point[%i] xy=(%i,%i) *QPEL*
?TpxADj
?ffffff
@ffffff
?a2U0*
?h"lxz
?a2U0*
?8gDio
@h"lxz
@333333
@ffffff
?a2U0*
?8gDio
@333333
?a2U0*
@h"lxz%
?a2U0*
333333
warning LSP High 
warning LSP Low 
DDLLDDDL
LLDDLD
DDLDLD
LDDDDDDD
DDDDDDDDD
DDDDDDDDDDD
DDDDDDDDDDDDD
DDDDDDD
DDDDD@