Sample details: e0bf6bc380a2133b3d341d577389a568

Hashes
MD5: e0bf6bc380a2133b3d341d577389a568
SHA1: 5e7bd15f60d373d9608d171532aa8a6bc3281d30
SHA256: bd03c60fc8fcc09a37f29036d9b59efbd8e75abc73c746c8d95b0a83d635bf59
SSDEEP: 24576:sCv1xDMgWyzcTzF3eB+/m7usk2wwmGiorm0s0:six1BzYJeB+/FsPm0s0
Details
File Type: PE32
Added: 2019-10-09 18:18:53
Yara Hits
YRP/yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h | YRP/IsPE32 | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Browsers | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/Big_Numbers1 | YRP/MD5_Constants | YRP/BASE64_table | YRP/VC6_Random | YRP/suspicious_packer_section
Source
http://sinastorage.com/yun2016/B32d.rar
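Strings (raw printable strings extracted from the sample, unvetted: the list mixes loopback and public-resolver addresses such as 127.0.0.1 and 8.8.8.8 with other hosts, so an entry is not an indicator on its own)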
		!This program cannot be run in DOS mode.
h.rdata
H.data
.reloc
T$$`h/
Vhhcdmh@
Vhofifh
H4 _^[
xOSVW3
tPQQj`j
SSj@PW
PhLlruh#
hTskh+
WVVj j
t*9A<t%
t*9A<t%
Yhasdf
hasdfW
_VVj`j
_VVj`j
SVWj@3
9X(t|h
9X,t_h
9X4tBhj
9X8t%jPYf
t>jdSW
tpj Yj
QQSVW3
D8	hj!
d$,T`h
t&@WPS
u@hKsktj
u/hKsktj(WU
SVhKtdi3
SVhKtdi3
SSSSVj
SSSSVj
SSSSVj
%hKtdij\S
PQSSSS
SSSSVj
hKtdij.S
toSSSV
1hKtdijFS
tgSSSV
thSSSV
SSSSj j
PSSVSS
v.9^0t)SP
PhTrtph
~bWhlY
QQSVW3
j XPWV
t?j0Xf
URPQQh
<ItO<ht?<lt
v	N+D$
UQPXY]Y[
Whpgsr
WhgaerSWWWh
Whgserh
hSBFVPV
hQDYSP
hQDYSP
hQDYSP
hQDYSP
tVVVj`j
1f;2u_f
v(Sj	W
vKSj	W
hQDYSP
^SSj`j
^SSj`j
=NB10u
=RSDSu2h 
hgCPAj0j
htslpj
u2VVj j
u2VVj j
hasdfW
hasdfW
Shpgerh
Shdgerh
Shcger
ShcgerWSSSh
ShcgerWSSSh
<uAWh`
hQDYSP
Phofifj
t\HtFHt0Ht!Ht
explorer.exe
Write File Error!
Read File Error!
ExAllocatePool failed
Open Destin File Error!
Open Source File Error!
%d.%d.%d.%d
255.0.
255.240.
255.255.
172.16.
192.168.
127.127.127.127
POST /
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: %s
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: %d
<html><frameset><frame src="%s"></frame></frameset></html>
HTTP/1.0 302 
HTTP/1.1 302 
HTTP/1.
103.55.25.63
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
[aaa]Write DisplayName failed, status:%08x
[aaa]Write ImagePath failed, status:%08x
[aaa]Write ErrCtrl failed, status:%08x
[aaa]ZwCreateKey failed, status:%08x
[aaa]ZwWriteFile failed, status:%08x
[aaa]ZwCreateFile failed, status:%08x
PowerChange
[aaa]b_filesize<=0||bfilemem==NULL
dYx1EnVxiIUedRN/eHU6HnEe1A==
fXhFdYx1Oh5xHtQ=
gHmDiHw6HnEe1A==
jHl6gHmDiHY6HnEe1A==
gHmDiHo6HnEe1A==
jHl6gHmDiDoecR7U
h3F6dzpM3t5CQzqHcXp31A==
hYR4cYhxQ946HnEe1A==
hYR4cYhxQ946hHyE1A==
hYR4cYhxOh5xHtQ=
hYR4cYhxOoR8hNQ=
get dns failed, host:%s
get dns sus, host:%s, ip:%s
enter GetNextHostAndIPByIdx, idx:%d
data.php
g_bSeverIpGot == TRUE
first insert is : %s
qwfzupdate.oss-cn-beijing.aliyuncs.com
127.0.0.1
8.8.8.8
114.114.114.114
https://
http://
+-END-+
+-START-+
HTTP/1.1 200 OK
GET /%s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: %s
Connection: Keep-Alive
return[
error [13]
error [16]
error [17]
error [18]
error [15]
error [14]
Content-Length:
error [12]
error [11]
error [10]
error [9]
error [8]
error [7]
error [6]
error [5]
error [4] destip:%s, port:%d
error [2]
error [1]
%s?t=%s&m=%s
%u.%u.%u.%u
TransportAddress
ConnectionContext
\Windows\
PsSetCreateProcessNotifyRoutine
PsSetLoadImageNotifyRoutineEx
PsSetLoadImageNotifyRoutine
IoInitializeTimer
IoRegisterShutdownNotification
CmRegisterCallback
ZwQuerySystemInformation failed
\SystemRoot\system32\%s
ZwReadFile ImageSectionHeader faild
ExAllocatePool pVirtualAddress faild
ZwReadFile pImageSectionHeader faild
ExAllocatePool pImageSectionHeader faild
ZwReadFile ImageNtHeader faild
ZwReadFile ImageDosHeader faild
ZwCreateFile faild
[xyz]Del sysfile serviceName:%S
[xyz]DelReg serviceName:%S
VerifySignature
NdisAllocatePacket
NtSuspendThread
%08x%08x%08x%08x
wcslen_ex_End
wcscpy_ex_End
wcsstri_ex_End
System
EXPLORER.EXE
regedit.exe
ZwQuerySystemInformation failed!
ExAllocatePool failed!
Timer:%x, funAddr:%x!
KeUpdateSystemTime
Unknown
127.127.127.127
127.7.7.7
61.163.70.228
58.213.140.96
1.194.187.4
222.89.68.50
101.201.172.229
www.chinaz.com
cn.bing.com
www.sogo.com
www.jd.com
www.taobao.com
www.360.cn
www.163.com
www.qq.com
www.sina.com.cn
www.baidu.com
TIR7dzpzf33U
(null)
`h````
xpxxpp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
evbdx.sys
c813b5ea4e464f86eea9308448cd084b
aed162896df91d8eb6553fa867bad4da
028f72aebea4840356d3c6c87fbd401c
8de160c295aa9a56a2487833ad6eaecd
c7fe96a30a086f4a62059a01b13b6d2b
943a1d024c75e08dfa554f7e46a7f9d7
c02042d055690091b52578b23b7a7793
28b24d83436924985a1dfe807ea23adc
4f15269a5c41952f1b3b8030ccc2a1f9
b2a1be22afec4985a84f95844462a804
13a37ce690c836a4d3f7236fbcead92d
cc29a0f49d2dad9d8071a2d40e6b338b
7b56b7c90230cca0265ce6f6d1b9a1b7
8f20daf9879e057e4ad635d397a7abe6
9aacd9105133e4aeb5b0e0e5c779b8af
1195931833648ee8645c3564c6ac87f0
d4626eda3a81486c5233c39fe074d29c
a622a1ef440089b0601975dcc233b99b
c64e5ac7835e5388477a057887899ea1
0e7a57288a11db7c9f1a7443ad3d1156
29aeb3a87e88c932f2203bb4662abc2f
ee08b15ba537cf09f6dec29d6a7b0ea0
387da27c191182592af615b880b27a71
669db2a7c981e0e11bd7ed80a799142d
688e8d7a1cdffc3a8b587b2aaaa0ebe2
d53e9f4cc35b14a847fd7571a7b9b07a
ef2d5e8efe3c7a8e5834f806e1823cd5
5e902e5469caf9505620ebc528bc1f84
0390051d1f96f6ca8b22e9b5588968d5
cce0d0b2a1a59aa4810eb0c6be364456
819f9affcc43c274ac365f49bd6a4df7
9b4aa8d1d972d5d0ea147ad214f50aa0
c61cf6fb84247b5c37f13a164d14cf73
4bdf77428e61cd012a02d98f5ad41fb6
89f2cb0834f7cba34f7b522440ad6eec
c152c1b48340467339cd28e01502d429
e5494b08ad27ea24a92abd504be9f6ad
0bfd1f7ccad512ab6a923f509dbc761c
d1e14317a59a21be847ced268bfe7494
09a0b788d584a0c9b420fdf22de7ede6
089d79240640ef9ce83054fbe316a30c
03cc55f5aaaeb8f24f616738210ba4c7
fb4fd7ad884110bda89fc4a0c43a901a
3c14355ab91bc4a0959ec069424229ff
b7e206249ba7249f593794048627cab1
ee61766b53d8571310abedec37cc7261
e36dc618f7308a5c4018b1c2c989325f
8afe5c7655f6ed407ea1cec473acb8be
bddcef3566ef9e0bef66a098d845196b
b169e9428e23eb1e258e3031770bdd6d
31dd91ddc742e39e2fed3fb9302539f1
f06ab478d1cebc4fd5c7b083e69b0294
3817fc5b494b8ea146be857c8686275e
04b3c2ffe905f708819254205059d61a
71ca42060ee72b374934bb108211c531
a65a5927dbccb09e35d83a1628beab81
c71f3e3a6d8d05353a50b0766db4bd8f
15894048592af018733fd897fd0229c9
fIiIhEY/P3d/Ond1eneMeXqDiYM6c3991A==
fIiIhEY/P4ODOodxeoGFeH96dzpzf33U
fIiIhEY/P32JOkXed3V6d4x5ejpzf33U
fIiIhEY/P3t7Oolxf4GFeH96dzpzf33U
fIiIhEY/P4mFejpF3kF4HnmCdTpzf33U
fIiIhEY/P46OOnp5hYGFeH96dzpzf33U
fIiIhEY/P32JOkVBiXVxHoM6c3991A==
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Qihoo 360 Software (Beijing) C
Microsoft Windows
Atheros Communications Inc.
Wuhan Century Mengke Network T~
Hyunsolution Co.,Ltd
l<ANanjing xScaler Information TeHK
Xinyi Electronic Technology (Sa
NJiajie Yin
&Shenzhen Luyoudashi Technologyj
People search network Co., Ltd[
-^)P/7
Changsha Kaijin Network Techno
k{Zhuhai liancheng Technology Co
S!Xuanyi Electronic (Shanghai) C?
NJiajie Yin
Shenzhen Jinxian Technology Co0
LHandan City Congtai District LCw9S
Chongqing Shahai Information TN
Shenzhen yundian Technology Co<X
Beijing Kate Zhanhong Technolo
ShangHai YiWei network tec co.Ql
Fuqing Yuntan Network Tech Co.
innotek GmbH
Beijing Ruidongtiandi Info.Tec5
rBeijing Kylin Network Informat#
BEIJING XINDA HUANYU NETWORK SMSQJV$
]yPartner Tech(Shanghai)Co.,Ltd
AJiangsu innovation safety assej
Guangzhoushi Xunmeng Computer e
6Xi' an JingTech electronic TecZ
Zhang Bin
EVANGEL TECHNOLOGY (HK) LIMITE~
IXiaodong Wang
Shenzhen Hongjiakang Technolog
Shanghai Huaqianshu Informatio
Shanghai Huaqianshu Informatio0
EldoS Corporation
Guangzhoushi Xunmeng Computer 
XdChengdu Qiqiao Software Co., LP
:wShenzhen WangTengda Technology&
Kasherlab Technology Inc.
]Hangzhou Hootian Network Techng
]Shenzhen Hechuangzhiyuan TechnO
Changsha Qiansheng Garden Land_%
Beijing Huxin Hutong Informati
]Beijing Longweishengda Technol
BEIJING WANXIANGBOZHONG SYSTEMw5
 Blueone Technology Co., Ltd
>=Putian Yaxiya Information Techr9{_;
sShenzhen Intech Indesign Techn
Suzhen Zhou
`Synhe Technology  Co., Ltd
Xi'an QinYi Technology Co., Lt
Shenzhen Hua
nan Xingfa ElecU+A
QShanghai easy kradar Informatie
YI ZENG
&Huiping Zhong
LaBaoji zhihengtaiye co.,ltd
Beijing Chunbai Technology Devj.3
Xi'an Xinli Software Technolog
kXi'an Xinli Software Technolog
IQ Technology Inc.
a[Guangxi Nanning Shengtai'an E-l
2Xtreaming Technology Inc.
SHANGMAO CHEN
HT Srl
Ba Zhaoxin
Bandisoft
Fan Li
.Hu Qinqin
Orbita LLC
Taizhou Union Networking Servi 
=Nanjing Zhixiao Information TeL
pC3RE LIMITED
fRandkne29 Limited
4oMw<.
_CHEZB LTD
wBopsoft
%Bopsoft
pHenan Pushitong Intelligent  T&
AC777 LTD
ZBeijing Baijianqi Touzi Guanlin
Zhou Donghang
Nanjing Anyue Technology Inc.
]TNetEase (Hangzhou) Network Co.9'
Xi' an JingTech electronic Tecdk.{&Y
jf-tec
JLOBY LIMITED
KASDAM LTD
+COURAGE MEDIA LTD
Wang Zhen
Bdzd[H
MATCHPEAK LTD
Bing Jin
}Cycology Ltd
tXiamen phantom domain network ]T	5
xwNantong Huicheng Tech CO.,LTD
@Peng Tong
Zhang Zhengqi
Binzhoushi Yongyu Feed Co.,LTdv
Lincangshi Guangxie Network Tem2
Beijing Founder Apabi Technolo
WMYuchengxian Feiwu service Co.,>
lCHENGDU YIWO Tech Development 	
ABeijing Founder Apabi Technolo
-Haining shengdun Network Infor/
l<ANanjing xScaler Information Ten
Wuhan Century Mengke Network T
't|Beijing JoinHope Image Technolo2
Shenyang Lingkai Technology De]$
Luca Marcone
vT@|:Oq`
Huo Zhang
Xiamen ChengChuang Technology 
Hubei Olympic Tour Information6
VBeijing Sages Education Consul*
LSHENZHEN LIRINUO S&T DEVELOPME
\Shanghai Denghan Jingmao Co., 
\Zhao Fei
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT.text
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINIT1
h.rdata
H.data
.pdata
HINITZ
!This program cannot be run in DOS mode.
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.pdata
h.rdata
H.data
.data0
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
.data0
h.rdata
H.data
h.rdata
H.data
.data0
h.rdata
H.data
.rdata01
h.nbvk
H.cxzh
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
.reloc
h.rdata
H.data
h.rdata
H.data
h.rdata
H.data
.rdata
H.data
.reloc
h.rdata
H.data
b.reloc
h.rdata
H.data
.reloc
h.rdata
H.data
h.rdata
H.data
.edata
h.rdata
H.data
.edata
h.rdata
H.data
.reloc
h.rdata
H.data
b.reloc
h.rdata
H.data
.reloc
h.rdata
H.data
h.rdata
H.data
b.reloc
h.rdata
H.data
.reloc
h.rdata
H.data
h.rdata
H.data
`PAGED_CO
h.rdata
H.data
.edata
h.rdata
H.data
.edata
h.rdata
H.data
.edata
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/L
.rdata
/?a=1&t=4&s1=%u&s2=%d&s3=%d
.sedata1
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/L
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/L
SVWjiYje^jxf
Zjr_j.f
j Xj/f
u}j"Xf
j XjSf
jsZjif
ZjuXjrf
wt;7PdA^
;.*0m1v<
sjgY$=
O*yi)f
d$<T`h
L$$`Uh
QG~hDO	
y>L-ZF
EObfdO3d[C
{M"gEB
&ud4%L
^liYPR
D$ dCn
T$,h_T
l~b"Qm
w	9!$ 
%#&v;H
!p4H![9
mw#:>(
'xSEl~`
EelA&`
bury6N
\$Dh}R'3
O~,Q1^
Sw.UUn
9	n{_L
LVysdE
\"(;([
lDwKD)
}(!>P{
T63?#>
I# Jx%
t$4hi(N@
RpE";H
>cFP!A0
	[pRo3
oz'E ER
xs,x7KU
88-g|:
o4JXk8Z/!&
t$(UPf
FC4_#e@
?Ry	:AA
j'9K%W
W%=;9n
\$$[[`
hbp[:`f
T$(hw5
%<Os\5
t$HhX5
e"TlMm}
dev-)|	
8s94pY
d2h8P 
z"+AF.
#.yz-i
T)n=@q$
Z4QAAD
ZG9& 52e
+_7b'k
ToYtDo
<$hN	h
-`BAJs
D$ r[+o
g{(:Im
=$K \c
T$@hck
&fg2eOP
R0bBp9
df$[/{
!2u-`2n
@H${Yl
yIB Af
N^gT6p
gOZoga~h
B9,6V{
'{Qxj-s*-
,yj:&a
t$ ^^f
4j/S9H}
$1z*?(
sDfs0Fd0
:63l8a
	~.<=-
5rH=5p
<Ovt\O
Zh*}:o)
3y>L7D
wYIZH0
<nw`f"EGs
sHUu'.
"EPy_&
zO^F;(3^;Q
}m14;/f
UpJx\h
sr~adP%E]
#Ju5	l
7j?SoQ-U
j8e%V3
=1VT1&
3VN#gzOE
`+B=p,O
;c(zqV
_r7Z(#
R5qXr#
!M[d815
>Ru1vZ
i<ouWl
"\K\/l	$`
K~ke^eE
`A|9xC(
(.yN	@n
5'\*} 
Y	P5'5
z(Uu8M
n}|M	V
6a!]"'
B'{xVq
U^<yBu5
'H\QvwB
QV)tq[
91gTQF!
%BWu3q
Os<	Ot%
h)t6.3"M
$/ip>P
ltWDgr
"2{o\	
[0u?,y
H}0;25
s;(j?E%n
iN\OTS
\-K~T{/5h
h"t`8f
\$$VhMLB
)k_Rp?
	#*T<9
B_	w]>
h[$.^Q
Dk55xj
PYMnS7
k^d9L!
c]$r]PT
+9F*;Y+
gH;(AJ
o*-ppd
WDa$O3
Cx}*02
wsw:/[o
X*G[l1
M_m[N	
Bq@"x=
G9.<Hc
6.~P2E
6S#z'Z@
U|TniE
v6IYLh
cjXW<:
;J}=@`
[P2lh[2
Q3\	~	q
sgq_# i
<"M\?Ys
i~<.>.)9
zcBH]e
=jQx0D
+Wm?D1a
mtV!Z$
f,?$3.
oc[H<fT
@LAFex*
:+$+(f
I?$..xC
{zOs>t
T$<hqL
Yl^p5u(Z}jdF
w+^kPe4P
t:@SP+!
!FI\I=
;	?8Y>
qV_*	4
_#Tv{$
urf;z^
x2UPy/y
/.WZ_C(
u$(y,>
^MXh_^
*qqky;
p2%A02+
!FxZ 30Rw
J]]-[iB
y.h:n>
B*]5UzH
M@S0M6t9n
A~Nk*t
m`%B%1
=-L~)_
	X=q)[
l$0h;B-8
~+Xm?Z
;2kvhp
`8#.!Y
SXC/7R
p6 mp>#O
6)5EQ#o
6+5`T#
#>C/[R
v6	>{!#O
[6R4j{#
/xC/aE
6eyI;#/yF
]E#/fY
6b/Mk#o~H
>mg#/>P
d6i{DjC
X6tRU	#/
5DgZ #/4^
Rjz#oSG
8-XY8#
aAzCo(F
v6!~|!C
v63jn"#o
6("Nr#
JFm#O.C
-7UCnCL
Ak)cnfA
5CSJ=C
#6*]{B#
6b?:4cn
F!C/G^
dIA#/z@
fL#OeR
63rv:C/
cv|COR_
_6Lm0M#
6$5}1#/
3'&C/4H
b-#O&Z
XGCobF
2JCO W
E4H#./V
rv>#/fU
6	j)"cN
+(CNhS
Bvc.}H
g68	lB#
cjc._J
	6F4v.
?'C/6A
6!jW&#o
V6$'D%
o#cn.Y
;6iF]2#
i5pz_ cnRL
6%[7+C
PkCOwY
r64n-GCN2@
C;\#/fW
v6!~K)C
J8{r+WC
X6qZ%z#
6|B5UC
	\#ooC
Y5Xa6+cN
cgxC/WA
KVcOIW
SP%#/>O
618c*Co
-3cNxO
F6'9${C
8H,75#
^6*y%K
\6j\3MC
6Q)\&#o
c,#o}Y
7N#OLJ
^z}#o$L
[JCoVN
xm#O!C
}6qZco#
nJ#OeC
5H_@ACoSL
5rW	Vc
\SSCo7R
6>,[HCN
6C@b=#
6Z	jQ#
p6RtEU#
c6Yc{2C
8r!;jC
K6bZQ(
NBf:}X=
=G{`%k_yL-. 
8S+8e`@BN
vc8M-#F
ITv'\Df
^N,WL%
|:({oz
&$wr2Q&
Ze"{)D
L]hZJw
tAVvG3 
YHi,l11
[I~oF|
l$(]]f
%|,B,6
8>)'97gw
x0R3Wx
P\i9C&
hhJWHh
Db')>J
9Nn|Lxe
6# ,yi>
:M:(YiB
wnZ/[[
v;O+>L`
bUb?/$f
tlyI>D
h:7+*?
b".9/4Y
0U(-nk
c!By	*x
 eVEc1=mzC
sX*I^y^,
611H!5q
lQC8w2
EB)8yK 
"M=DYu
g<B@k?
D$4h+@
a&$wtm8
Xh$bRi
W~X*Ovt=,
|ic@dA~N
l$,hj1
|$8h7V
s7}HN<I
B7KUw13
_dxq"X
l^SPtv9
	mRP<czffJ
k(z{E~U
G6R7hz
+_dAK?XmK
%BC(zC
/3E'0R!
%cFN;^f
O3&d7l=
2VS=-?
GMsV6+
Fd+*\l
uUg%72
_Hcsz9G
\$LhN%
PcX-5NU
-D9D>n
-:zOSg
>!^u	n
{$xX'[
\$$Ph~
hV+8[ b
uR<iUr
B1Z/nSp
nP|;-X3
rM*/E.V
&vxD^x,g
e+<aQ]
dgzh]DA
ANC`2Wl
.|c)/x
8 Q*UF
w q6jb
4V3N^S
*=*Ah>
HjKm7n/h
Xt4W/t
$$hpv%
.v)98m
@i9o].
Qv6WB'
YbECGI
Nc'N<f
|a&- EG;<
6C n1M
eTQYil
Sfct{oRcjiAH
Yn.[`(
'|ibBo
DF;(s,b
q3da/e
Ho6|HEl
?FWU:/$
SL~F	m
bI}-Baz
u<sSq-
OJhITV>'
tQ;/tq
$fv6Y.
@li	}>N
Z-c z_
is7@qv.N
,9iz-r
%>Izh_/
RJYhEZm
T$@ZZU
k<h{o_
ktiy2W
6I~tq/
|Ah=*]
.W36#q3
.yiJW+d9i
52S8M'
Cg-?RwYI
ur1zh	
fFDL_C 
$a	hYi
'+XmE]
EBH=MK
YUxOzol
_Ic61-
GqQXMW
N!!\	u
T$(h=8:H
`h10fg
4WC%qw
h};O*X$
'%K>0[
L$,h!Jx
Yh&>/z
tH=Wet
M" ^#g
8hAO^l
05c df3B
Ln[O](
Btq/4@
	<)0F+
B`r!*J
4t7]*x
oNy)I\	s0F
g5B7Y.
8<~aC5
1XJ|"R
>,Xs k
r5Afs6b
ShVmx:'
7u*8DG
wUB'.!
tL),s6
BOT6SC'B
30SfDW
d So	t63
(`e|aF
|E'o].
G(Z;h<Ig\.
6sM:EG
zo4\']
MrN[ e
/$/NY*
7AuU:h,x
WR>,X3
D$DO7gI
(}jS6">
4$hA*kb
\$@hN 
}_tQ;U
1jE2W8
MH=]*x
!MIA$#
tv[h5p
m]Bm:b
P=o Br
SH9d&b%
`B0[6M
puXkX8
{!4V}J
pzHT59L
:o5=dK
S01l30
=ws=P5
hRv[oT6
w~/zg<
|AA75$
Zov[oT
\A!$!9)f
@GM:O>
8mj].>
v7aZG|
N2r@sW?{N
'G,^&a
gXe%cF
zZB,`xpB7kU
INuuRx
Ff$(?`
:M}e?J
j:/os@J
\)c@7,
4$hhf3
^$&7+x6~
D$(h%h
QwPi]J
dz_#J?
ad bzm
,$h-tF
690X_J:V
y)T1eE
NUuQV3b
,973}B <
	P)\N2b^N
Z0Jmtq'
r^.(;hyk
^K[O\>
xJ_$tv
%c&N{|
Xur0U=
O7,^B"
y>,)936
lQQ#!5
0l2@41
!xjvv!=
]qz;1\
Ah=j&L
-=2wd'
Z@W	fb
$$[heL
r5phgX
8JVqQv
$`%LyIe
j9L9IR
QTK5Ux
;((][h
NHd0#`>
yqzRyI
64_#a'
fdS7HZ
]f__@	
g";0[`
9&#:7=d&9S
\Q1mT`a@
?$i<% 
K^K}JD
w@+!ao}F
!#E"cH
BL#|AD 
RvS[Gb
e+_8}oTv
g=uZow+#7@/8
Ki~<iU
@{?O[s
NY+78O
<IqfcX_
JDF#@46a
RF#-]j
nehMZ7
[hU "q
{AGZOy
Z#Guw<
3P@eg|E
\9L$!B
hkU;=f
+Y2PSO9
 3ZO ,
)aFclB5
r;."@tw
P1??J8
zoQdAt9
w\.i~g%
4q\iy;
WZH[HB
fj|h L
D$0hB`
r02yiW
RD!C@i
y=$$c2
2Gn<#;
l$4hdt
R.+ "ff.
0CzOtu
h!`:Ggn
n,UY`"cj
g\	8]*/
w+R0_$:
6Pu&fs
S27C'B
3z/@+'[(
;|o3V}
I>+r}jd
ryixJ_#
7W<IYI
Kag4tz
D$8h1{
_N|^EKYp
)2P@,a}
Fyn}u`>
*Ms`"L
L$@hHnW
@Bm]prSp
l$ h]d
&F%"CF
SP14(ZF
lpu\h61
R2'|S&B=
g5@7d"@o
w:H)~j
D%b*x1
D$$dCn
	|b'L{	}
L_Cs|) EN#g3
Oi,R2*Z
3t'|Ob
3P?$As
XGcpM'
1xM0cgj
-Zc!;I
4$hc:7
bu2nu5
eE!f#-:FCl?
T$ S`f
n\Fy.Y@`Z
9.\-B`'.<
"G3: n
0Hw+]o
~s0sm'A
Df"Eyz
)l1q,Y
b2Af_*
#.?$i9
uDza8-
!([h~,;
n"%VO1
`;V?FC
kvSm}q
xThjZ<
[Or7g[
Y>Uh;0
I[tP{/KRm5
9PLq(/*sw
HS0TvZ
$:(-zN
Sh,JRe`h
BWu3v4
&Al~J}
;{0L84
4V0C`k~k
wYN:h<
D$()e#
!XNLP$
}0u$J:
_*'^69
}@d/I:
=sr2K5
;bm}4Q
A=3*;t^
D$,hj[
R?rpZi
ZOsMx_
f=4f;E
?0;3'u
z?C50x^U
(pBG4CN
N|cg^k-
b`H1qrw
7lg`1"k
a9l~dt
g;Y6072R
T+LkY	TV4
I^$f	y
oh|IC_
d)y-@W
<%:H)(
7%~r>X
R0xt?d
O}!4q0U
HAL.dll
9kpfza
ntoskrnl.exe
IoAllocateIrp
p2!4wU
HjElgz
;I~O.Ft)p2D
,0`W<	
w	v!TV
m	~<	Q
}dIY=W
-WU`A8
Ef%02)
yy b[w
nX})Pu
qK:jyx
(}M=}{g
ExFreePool
-	;7Jxj
DF?$h}O3D
Rn~*=+x'
i1|)vv
ntoskrnl.exe
.{Vi9BwT
[k@*M^
c}NYW5
RgmiN\g;@5
l~di^7
j89	 %
]bRlQv^
wK^K_C8-
iFL_#g
|(z(bG
+xdAK?X*Sp
u{Om?2p
&#*]M@
FU:/sP
PEMBG>i
+]THD-
KeRaiseIrqlToDpcLevel
Nl^SP&c
ntoskrnl.exe
?}HZZA 
Ix2]-ZOS
kp|G\H
tH$w_&
MmMapLockedPagesSpecifyCache
hal.dll
TJ FFQB
x-ydGf
IoAllocateMdl
{/`5RP
Bk0u"%
:gBT{o
AAQt*5
m}h+>,
MmUnlockPages
ExAllocatePool
NtQuerySystemInformation
X[e};n
@%'<`"*
N<a!VS
?GTQt=m
%_z*^6L
}pG%D:
yis	<	(7
laFw'%
j.^6_zM*N
-C4vkXg.
	%k~KcV,!q
vtR}MH
	bOkPrsw
ux}j!f
/sA#p}
3Q1!c@}
\d9IS^
::(IYRw
Zm=S68c
j?P{/=
t{d&i~Lh
HalMakeBeep
IoFreeMdl
XMa&tQ;
iN|mk>
i)w9i<
MmProbeAndLockPages
v1 oT1&
%5*X#T
fD}*r7
QG~hDO	
T$$`h/
L$$`Uh
d$,T`h
d$<T`h
;+;5;I;S;Z;n;
=:>v>D?V?
121i1o1x1}1
262A2L2Z2_2m2{2
G1T1h1u1
1E2T2r2
62627A7F7N7&8G8L8n8a9
< <*<1<A<F<
1>2V2}2
4,4<4Q4
4k5p5u5
:J;U;b;o;
7+8?8M8K9
<.=^=s=
53516U8v8
;.<X<d<p<
?'?J?O?
,0=0D0t0
2"2(2-22272<2A2N2V2^2d2l2r2
7+8Q8e8
:*:H:O:k:p:
70C0V0
:4:=:g:y:
;$;J;p;w;
<%<-<7<B<J<T<_<g<q<|<
=#=3=;=K=S=c=k={=
>:?P?Z?a?
1!191B1G1\1c1
3#303@3]3u3~3
6%6T6`6i6x6
7,767Z7~7
7K8V8j8
;1;I;l;s;
<1<9<c<
=&=3=B=
070C0K0^0f0r0
1<1_1d1
2"222B2r2
&0>0d0
7(7:7S7r7|7
0!1-1o1
2/282Q2
8P8x8.;?<
3_3t3K4n4
<\=f=l=~=
222K2\2
4A427s7
94999#:*:
6e6l6{6
6!7[7m7z7
9"929:9@9p9
=S>]>|>
> ?f?{?
:.:C:J:P:e:k:
:F;j;r;
=M>]>o>z>
<0O1W1i1w1
1B2T2\2
3!3,3e4q4
5B6 7s7
5-8 9$9(9,9094989<9a9m9y:9;d;
<*<E<"?
0@4D4H4L4P4T4X4\4L6'7|7
=6>J>8?
0$131F1O1
1c2w2o3
>,>A>M>r>
>$?9?V?
0e0w0}0
1*1S1X1n1
5/6X6m6
9B9b9r9
>!>/>u>}>
?Y?g?m?
0+070E0d0p0~0
1<1D1d1
3'4/4:4[4j4u4
5%5F5Q5\5
6%636B6e6
8'8/878>8i8
:":):4:;:F:M:X:_:j:q:|:
00<0F0f0
1-393c3n3
324E4N4s4
91:?:h:
:	? ?7?N?|?
313E3S3
51575Z5d5j5{5
6B7P7\7g7O9
<)=}=%>
1$1*191>1M1U1_1y1
2'2]2|2	3
1:1F1W1e1n1t1y1I2b2
3!4N4[4
4h6&707I7g7
7*858M8R8
=E>U>b>
?\?l?y?
0D0R0o0
6P7g7~7
9!909T9
>->F>_>x>
2$3/3B3
384>4M4_4u4
5'6-6>6E6L6S6Z6
:):U:y:
=&=f=v=
212Z2g2z2
:#:/:6:B:I:
? ?<?@?\?`?|?
0 0<0@0\0`0|0
1 1<1@1
:P;`;p;
< <$<(<,<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=
?$?-?4?
10N0b0(2z2
'0U0!6
z0R2O6
0\3l3#4
0,3O3Y3
0r177g7w7
1A1&2#3
=}=H>x>
0>4X5B8
h1N2(5
<b=;?h?
253?3P3q3
i2x4Q5
'022z2
;V;h<&>k?
9#9F<j=
5,6W7`8
2\2m2y2$;
V1.4{4
6 7L8D;
3#4a4o4
8(9H;+=
1'4b4}4}6
5p6m:E>
"112j2
9F:a:~:
3q3{3z4
l3G6T6
8.8j8}8
82:E:h:
1%363O3
?'?E?P?`?
2%3I4V4
:C:v;R>p>