Analysis Date: 2015-04-07 15:27:04
MD5: 93bd7f2cf8d15cb65a4e77df67af2a12
SHA1: 6c1ab3b727b8b6f3c53625f57461e0a059179561

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 90bcb6a73bec62cb442df7d65ee98de6 sha1: 42c2f12a12601cc4e65b409f0bbe46556141a4c7 size: 194048
Section.rdata md5: 2c3934d311cd261f5b1d226c7768a7d0 sha1: b9759e434f91095d5800815d876961c00d81030e size: 50688
Section.data md5: 93a642023deb0b58584bc8a3e4505ffa sha1: 1da7d95cca05ebf11b8c0e9e597062cfa4c9d5aa size: 42496
Section.reloc md5: 00bbd2f356e148f3a976326fdfc492c8 sha1: 6cde877b8033e5a3668e8207af3b16a5c5bc5b86 size: 11776
Timestamp (PE header compile time, attacker-controllable): 2015-01-20 06:53:03
Packer: Microsoft Visual C++ 8 (this is a compiler signature match, not evidence of a runtime packer)
PEhash: bbd6eb68ad63c675468e9f76d7578909a5a5b086
IMPhash: 7415122d36f9d046bd602df2d1e77996
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.543304
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.543304
AV Authentium: W32/Trojan.PKED-2713
AV Avira (antivir): TR/Crypt.Xpack.125949
AV BullGuard: Gen:Variant.Kazy.543304
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop.origin:DLOADER.Trojan - infected container, incurable
AV Emsisoft: Gen:Variant.Kazy.543304
AV Eset (nod32): Win32/Korplug.A
AV Fortinet: W32/Korplug.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.543304
AV Grisoft (avg): Agent5.HIW
AV Ikarus: Trojan.Win32.Korplug
AV K7: Trojan ( 0039c54e1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!bcg
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.gen!B
AV MicroWorld (escan): Gen:Variant.Kazy.543304
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Win64.Kriskynote:Trojan.Kriskynote
(Detection names are as of the analysis date; several engines reported no detection at that time, so absence of a hit here is not evidence the file is benign.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe 201 0

Process
↳ C:\malware.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\malware.exe 209 1784
Creates Mutex: Global\DelSelf(00000328)
Creates Mutex: Global\DelSelf(000006F8)
Creates Mutex: Global\DelSelf(00000144)
Creates Mutex: Global\DelSelf(00000224)
Creates Mutex: Global\DelSelf(00000268)
Creates Mutex: Global\DelSelf(000001EC)
Creates Mutex: Global\DelSelf(0000048C)
Creates Mutex: Global\DelSelf(00000274)
Creates Mutex: Global\DelSelf(000004A4)
Creates Mutex: Global\DelSelf(00000748)
Creates Mutex: Global\DelSelf(00000488)
Creates Mutex: Global\DelSelf(000003C8)
Creates Mutex: Global\DelSelf(0000023C)
Creates Mutex: Global\DelSelf(000004C0)
Creates Mutex: Global\DelSelf(00000518)
Creates Mutex: Global\DelSelf(00000358)
Creates Mutex: Global\DelSelf(000000F0)
Creates Mutex: Global\DelSelf(00000460)
Creates Mutex: Global\DelSelf(00000404)
(The mutex names match the format string "Global\DelSelf(%8.8X)" found in the binary's strings; the hex value varies per run, so a detection rule should match on the "Global\DelSelf(" prefix rather than a specific value.)
Winsock DNS: 142.4.111.153 (the C2 is addressed by a bare IP literal, not a hostname, so DNS-based blocking will not catch it)

Process
↳ C:\malware.exe 209 1784

Network Details:

HTTP POST: http://142.4.111.153/update?id=00497008 (Content-Length: 0; the raw pcap below also shows the non-standard request headers OldServer, Check, PostSize and PostSerial, which are useful for network detection)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 142.4.111.153:80
Flows TCP: 192.168.1.1:1031 ➝ 142.4.111.153:80
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1033 ➝ 142.4.111.153:80

Raw Pcap
0x00000000 (00000)   19b8880d b75d74b5 eef2746c 17ad53d4   .....]t...tl..S.
0x00000010 (00016)                                         

0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303439 37303038 20485454 502f312e   00497008 HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   4f6c6453 65727665 723a2030 0d0a4368   OldServer: 0..Ch
0x00000040 (00064)   65636b3a 20300d0a 506f7374 53697a65   eck: 0..PostSize
0x00000050 (00080)   3a203631 3435360d 0a506f73 74536572   : 61456..PostSer
0x00000060 (00096)   69616c3a 20310d0a 55736572 2d416765   ial: 1..User-Age
0x00000070 (00112)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000080 (00128)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000090 (00144)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000a0 (00160)   5420352e 313b202e 4e455420 434c5220   T 5.1; .NET CLR 
0x000000b0 (00176)   322e302e 35303732 373b2053 5631290d   2.0.50727; SV1).
0x000000c0 (00192)   0a486f73 743a2031 34322e34 2e313131   .Host: 142.4.111
0x000000d0 (00208)   2e313533 0d0a436f 6e74656e 742d4c65   .153..Content-Le
0x000000e0 (00224)   6e677468 3a20300d 0a436163 68652d43   ngth: 0..Cache-C
0x000000f0 (00240)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000100 (00256)   0d0a0d0a                              ....


Strings
(
=
-
-1
+-0-E-
-0
.
\
00-+   
0
0
- 
000
kernel32.dll
LoadLibraryAVirtualAllocVirtualFreeExitThreadntdllRtlDecompressBuffermemcpykernel32.dll
odibrryA
VirtulAlloc
VirtulFree
ExitThred
ntdll
RtlDecopreBuer
ecpy
u
                                 
\??\
%0.8d_
%10.254\share\
%16.16X
%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d
- abort() has been called
Advapi32.dll
af-za
af-ZA
AKernelBase.dll
%ALLUSERSPROFILE%
%ALLUSERSPROFILE%\Intel(R) Capability Licensing Service Interface CPUMonitor
April
ar-ae
ar-AE
ar-bh
ar-BH
ar-dz
ar-DZ
ar-eg
ar-EG
ar-iq
ar-IQ
ar-jo
ar-JO
ar-kw
ar-KW
ar-lb
ar-LB
ar-ly
ar-LY
ar-ma
ar-MA
ar-om
ar-OM
ar-qa
ar-QA
ar-sa
ar-SA
ar-sy
ar-SY
ar-tn
ar-TN
ar-ye
ar-YE
assert fail rtn:%s
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
az-az-cyrl
az-AZ-Cyrl
az-az-latn
az-AZ-Latn
\BaseNamedObjects\%s
be-by
be-BY
bg-bg
bg-BG
BindingSCInit(pid,blk,hProcess)==CHK_SUCC
BindingSC(pi.dwProcessId,sccode)==CHK_SUCC
bn-in
bn-IN
bs-ba-latn
bs-BA-Latn
ca-es
ca-ES
CLSID
CMD.EXE
CompanyName
CONIN$
CONOUT$
ConsentPromptBehaviorAdmin
CR6002
CreateProcessW(NULL,(WCHAR*)path.c_str(),NULL,NULL,FALSE,CREATE_SUSPENDED|CREATE_NEW_CONSOLE,NULL,NULL,&si,&pi)!=0
- CRT not initialized
CRYPTBASE.dll
cs-cz
cs-CZ
cy-gb
cy-GB
da-dk
da-DK
dddd, MMMM dd, yyyy
de-at
de-AT
December
de-ch
de-CH
de-de
de-DE
de-li
de-LI
de-lu
de-LU
\Device\Floppy
DISPLAY
div-mv
div-MV
\Documents and Settings\All Users
DOMAIN error
eboot.cfg
el-gr
el-GR
EnableLUA
en-au
en-AU
en-bz
en-BZ
en-ca
en-CA
en-cb
en-CB
en-gb
en-GB
en-ie
en-IE
en-jm
en-JM
en-nz
en-NZ
en-ph
en-PH
entry=%p
en-tt
en-TT
en-us
en-US
en-za
en-ZA
en-zw
en-ZW
es-ar
es-AR
es-bo
es-BO
es-cl
es-CL
es-co
es-CO
es-cr
es-CR
es-do
es-DO
es-ec
es-EC
es-es
es-ES
es-gt
es-GT
es-hn
es-HN
es-mx
es-MX
es-ni
es-NI
es-pa
es-PA
es-pe
es-PE
es-pr
es-PR
es-py
es-PY
es-sv
es-SV
es-uy
es-UY
es-ve
es-VE
et-ee
et-EE
eu-es
eu-ES
.exe
exe.is_valid_pe==CHK_YES
fa-ir
fa-IR
February
fi-fi
fi-FI
FileDescription
FileVersion
- floating point support not loaded
fo-fo
fo-FO
fr-be
fr-BE
fr-ca
fr-CA
fr-ch
fr-CH
fr-fr
fr-FR
Friday
fr-lu
fr-LU
fr-mc
fr-MC
gl-es
gl-ES
Global\DelSelf(%8.8X)
gu-in
gu-IN
         (((((                  H
HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
he-il
he-IL
HH:mm:ss
hi-in
hi-IN
hProcess!=NULL
hr-ba
hr-BA
hr-hr
hr-HR
hSuccNotify
hu-hu
hu-HU
hy-am
hy-AM
id-id
id-ID
- inconsistent onexit begin-end variables
Intel(R) Capability Licensing Service Interface CPUMonitor
is-is
is-IS
IsWow64Process(hP,&isX64)
it-ch
it-CH
it-it
it-IT
ja-jp
ja-JP
January
jjjj
jjjjj
jjjjjj
July
June
ka-ge
ka-GE
kernel32.dll
kk-kz
kk-KZ
kn-in
kn-IN
kok-in
kok-IN
ko-kr
ko-KR
ky-kg
ky-KG
LNULL
lt-lt
lt-LT
lv-lv
lv-LV
March
MediaCenter.exe
memBase!=NULL
~MHZ
Microsoft Visual C++ Runtime Library
mi-nz
mi-NZ
mk-mk
mk-MK
ml-in
ml-IN
MM/dd/yy
mn-mn
mn-MN
Monday
Mozilla/4.0 (compatible; MSIE 
m_pemem.m_len > sizeof(IMAGE_DOS_HEADER)+sizeof(IMAGE_NT_HEADERS32)
mpsvc.dll
mr-in
mr-IN
ms-bn
ms-BN
mscoree.dll
MsMpEng.exe
ms-my
ms-MY
mspmsp.ids
mt-mt
mt-MT
nb-no
nb-NO
NeedPassUAC()
nl-be
nl-BE
nl-nl
nl-NL
nn-no
nn-NO
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
ns-za
ns-ZA
(null)
October
ole32.dll
open
pa-in
pa-IN
\Parameters
PI[%8.8X]
pid=%x
\\.\pipe\a%d
\\.\pipe\b%d
\\.\PIPE\RUN_AS_USER(%d)
pl-pl
pl-PL
ProductName
ProductVersion
Program: 
\ProgramData
:\Program Files (x86)
<program name unknown>
pt-br
pt-BR
pt-pt
pt-PT
- pure virtual function call
quz-bo
quz-BO
quz-ec
quz-EC
quz-pe
quz-PE
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
R6034
real len=0x%x,real write len=0x%x
remoteAddr!=NULL
remoteAddr=%p
ResumeThread(pi.hThread)!=-1
ro-ro
ro-RO
runhere!
runtime error 
Runtime Error!
ru-ru
ru-RU
S-1-16-12288
sa-in
sa-IN
Saturday
%s %d %d
%s\%d.plg
SeDebugPrivilege
se-fi
se-FI
se-no
se-NO
September
ServiceDll
se-se
se-SE
SeShutdownPrivilege
\Sessions\%d\BaseNamedObjects\%s
SeTcbPrivilege
SING error
sk-sk
sk-SK
sl-si
sl-SI
sma-no
sma-NO
sma-se
sma-SE
smj-no
smj-NO
smj-se
smj-SE
smn-fi
smn-FI
sms-fi
sms-FI
sNT AUTHORITY
Software\CLASSES\FAST
Software\CLASSES\FAST\PROXY
SOFTWARE\Microsoft\Internet Explorer\Version Vector
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Run
sq-al
sq-AL
sr-ba-cyrl
sr-BA-Cyrl
sr-ba-latn
sr-BA-Latn
sr-sp-cyrl
sr-SP-Cyrl
sr-sp-latn
sr-SP-Latn
static
\StringFileInfo\%4.4X%4.4X\%s
Sunday
sv-fi
sv-FI
sv-se
sv-SE
sw-ke
sw-KE
syr-sy
syr-SY
System
SYSTEM
System\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Services\
\SystemRoot\
ta-in
ta-IN
te-in
te-IN
%temp%\
%temp%\chk_harddisk_state.dll
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
th-th
th-TH
Thursday
TLOSS error
tn-za
tn-ZA
tr-tr
tr-TR
tshell32.dll
tSystem Idle Process
tt-ru
tt-RU
Tuesday
uk-ua
uk-UA
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
ur-pk
ur-PK
USER32.DLL
uz-uz-cyrl
uz-UZ-Cyrl
uz-uz-latn
uz-UZ-Latn
\VarFileInfo\Translation
vconfig.dt
Version: 1.28.487.1
VirtualProtectEx(hProcess,addr,sc_in_entry.GetLen(),newProtect,&oldProtect)!=0
vi-vn
vi-VN
waitResult==WAIT_OBJECT_0
Wednesday
WElevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
%windir%
%windir%\
%windir%\explorer.exe
%WINDIR%\SYSTEM32\SERVICES.EXE
%windir%\system32\sysprep
%windir%\system32\sysprep\CRYPTBASE.dll
%windir%\system32\sysprep\sysprep.exe
; Windows NT %d.%d
WINSTA0
*(WORD*)m_pemem == 0x5a4d
WriteProcessMemory(hProcess,addr,sc_in_entry,sc_in_entry.GetLen(),&len)!=0
WriteProcessMemory(hProcess,remoteAddr,totalSc,totalSc.m_len,&len)!=0
xh-za
xh-ZA
zh-chs
zh-CHS
zh-cht
zh-CHT
zh-cn
zh-CN
zh-hk
zh-HK
zh-mo
zh-MO
zh-sg
zh-SG
zh-tw
zh-TW
zu-za
zu-ZA
================================================
                          
;><[<{<
< <$<(<,<0<
0 0$0(0,0004080<0@0
0 0$0(0,080<0@0D0H0L0P0T0\0`0d0
0,000@0D0H0P0h0x0|0
0 0&0.0u0
0$0,040<0D0L0T0\0d0l0t0|0
0	0.040G0S0\0h0m0x0
0)0.0c0j0v0
0&0+0C1L1X1]1g1p1|1
0,0<0y0
0*030?0D0O0X0d0i0x0
0,030g0y0
0#0b0z0
 0/0d0k0
0<0D0L0T0`0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0%191}1
0*1R1[1|1
0+1V1e1f2u2
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>t>x>|>
< <(<,<0<8<L<T<\<d<h<l<t<
='=0=B=Z=`=i=o=y=
[0d0p0u0
0I0]0g0s0
0J0e0}0
0K1T1`1e1m1v1|1
:0:P:X:`:h:p:x:
?$?0?P?X?`?h?p?x?
0tNHt6Ht[Ht
;0;T;x;
101T1x1
1(101P1t1
1$1,141<1D1H1P1X1`1h1p1x1
1$1,141<1D1L1T1\1d1l1t1|1
1 1)151:1B1K1W1\1c1l1r1w1
1,1:1D1N1U1_1j1t1
1&1?1I1V1`1
111O1X1d1i1t1}1
1$14181L1P1`1d1h1p1
1&1T1g1
1?1U1e1
1	2#2,2n2
1&252u2-3S3
1 2C2Q2Y2i2
1!2N2t2
1	3#353C3Z3h3
1(3?3w3
141;1~1
142.4.111.153
172>2E2L2S2
=	>1>8>B>[>a>
: :,:1:9:B:H:M:S:
1A2Z2i2
1E1R1[1
1J1R1W1]1d1i1
1M1_1e1j1
1M2h2y2
1#QNAN
1s1y1}1
1#SNAN
1u#D8L
1X2_2g2~2
2 2(20282@2H2P2X2`2h2p2x2
2#2*222L2T2m2
2(222:2N2|2
2$2,242<2D2L2T2\2d2l2t2|2
2$2,242<2D2P2t2
2 2)252:2B2
2#2*262J2X2g2t2
2<2\2d2l2t2|2
222M2Y2h2q2~2
2$24282H2L2P2T2\2t2
2>3G3Q3W3z3
253G3q3
<,=2=7=?=
282?2K2o2~2
:2;8;<;@;D;
294G4Q4
: :2:D:
2i3q3}3
?'?2?;?@?N?c?i?q?v?
2O3:4E4W4
??2@YAPEAX_K@Z
30=0s0
3%303G3Q3Z3
3 3(30383@3H3P3X3`3h3p3x3
3"3.333>3G3S3X3g3v3
3(3,3<3@3D3L3d3
3&3:3@3E3R3X3^3d3j3p3v3|3
3 3-3@3J3S3
3$3,343<3D3L3T3\3d3l3t3|3
3+3>3F3X3b3k3
3:3`3t3
3<3H3h3p3x3
3(3L3p3
344>4E4L4S4Z4a4h4o4v4}4
3(4D4`4
3<4G4\4h4m4
3!4J4O4r4w4
354:4_4d4
364E4{5
>#>'>+>/>3>7>;>?>C>G>K>
:!:&:,:3:8:>:K:R:
>3>8>q>
>3>B>L>V>_>w>
3C4P4]4
;!;3;E;W;i;{;
3F3M3[3k3z3
??3@YAXPEAX@Z
< =4=<=\=|=
<#</<4<
41474R4b4k4s4
434C4P4
4 4(40484@4H4P4X4`4h4p4x4
4$4,444<4D4L4T4\4d4l4t4|4
4$4,444<4D4L4X4|4
4#4)4;4E4N4
4 4(4g4u4
4$4(4H4h4
4%4*4R4l4~4
445f5z5
4$474>4m4
4!4E4P4i4q4w4
4"4H4P4\4
4/4I4f4p4
4*565J5q5{5
4'5b5u5F6X6
=4=:=B=H=N=T=Z=`=f=m=
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
;$;,;4;<;D;L;T;\;d;l;t;|;
?$?,?4?<?D?L?T?\?d?l?t?|?
<4<><D<O<r<w<
;*<4<;<L<`<t<
<4=^=n=
4V5e5C9m9Z<
4W7?8J8Z8
5$515;5x5
5%51575Y5k5
5)545T5^5k5q5x5~5
$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
5 5(50585@5H5P5X5`5h5p5x5
5$5,51575?5D5J5R5W5]5e5j5p5x5}5
5&5+535<5B5G5M5V5\5a5j5s5
5$5,545<5D5L5T5\5d5l50>4>
5$5,545<5D5L5T5\5d5l5t5|5
5%5.5:5?5G5P5V5[5a5
555`5f5t5
5-5?5Q5c5}5
5/5L5_5p5
5;5M5V5}5	6}6
5,5N5{5
5!5O5z5
5+606F6a6m6
5'616R6r6
565<5[5a5
5$6<6`6r6
5 666x6
5 6(6L6`6h6t6
5>6W6p6
585@5D5`5h5l5
5E5c5~5
:#:5:G:L:[:`:y:~:0;a;n;#<A<H<O<+=\=i=
:.:5:G:N:
:5<S<l<s<{<
<	=5=>=Z=d=q=
>+>6>]>
606T6x6
6%636L6^6{6
6 6(60686<6D6X6x6
6 6(60686@6H6P6X6`6h6p6x6
6%6,636:6A6H6O6V6]6d6k6r6y6
6(6.636@6O6X6_6q6
6&6.656V6e6
6!6:6?6
6#6(6.666;6A6I6N6T6\6a6g6o6t6z6
6!6%6.6:6?6E6L6T6^6
6 6$6(6P6T6X6\6`6d6h6
6"6=6M6W6{9
667=7E7
6 696C6p6z6
6)6e6o6
6(6J6`6
6#7*7O7
6#7b7i7
6 7D7h7
6>7R7y7
6&9*9.92969:9>9B94:::F:K:P:U:^:
6a7e7i7m7q7u7y7}7
<-=6=B=G=
6f6s6y6~6
6H7R7\7i7
:$:6:H:Z:
6P8B<Q<t<
>6?s?}?
6Z7c7o8x8d9
707Z7d7y7
73I3S3`3
7#72777P7U7
7 7(70787@7H7P7X7`7h7p7x7
7"7)707c7j7
7&7,71777@7F7K7h7w7
7 7.7<7J7Q7^7g7s7
7.7<7H7T7x7
7,7P7t7
7;7X7}7
787X7x7
7&8-8@8x8~8
7 8D8d8l8t8
7#8K8Y8
7D8J8V8
>#>7>D>V>`>k>r>
<"=.=7=E=W=`=j=
7I7R7a7
> ?7?L?S?n?u?
8 8(80888@8H8P8X8`8
8 8@8`8
8%8+8{8
8 8&8,82888>8D8X8s8
8(8/888D8I8q8~8
8$8,8a8~8
8'8/8A8K8P8V8]8b8u8}8
8 8@8y8
8+8E8_8q8
8(8L8l8t8
8"969G9[9o9
;8;@;F;L;R;X;a;
=8=H=V=f=t=
8L9^9w9
=8=M=i=
8P8i8r8
9,:4:<:D:L:T:\:d:l:t:|:
969C9q9z9
9#939C9L9c9
9 9(949X9|9
9/9>9l9
9+9=9O9i9
9-9?9Q9c9u9
9$9.9R9\9
9/9A9M9R9j9
9$9D9L9T9\9d9l9t9|9
9)9J9b9l9u9|9
9.:C:I:
9E9W9e9n9
9_Pt;9_Tt6hE'
9T:q:{:
:9:@:Z:a:z:
A_A^A]A\_^]
A_A^A]A\_^][
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AddAccessAllowedAce
AddAccessDeniedAce
address family not supported
address_family_not_supported
address in use
address_in_use
address not available
address_not_available
_adjust_fdiv
AdjustTokenPrivileges
advapi32
ADVAPI32.dll
</<a<h<l<p<t<x<|<
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndInitializeSid
AllocConsole
already connected
already_connected
argument list too long
argument out of domain
AttachConsole
August
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
.?AVCCHK@@
.?AVerror_category@std@@
.?AVexception@std@@
.?AV_Generic_error_category@std@@
.?AV_Iostream_error_category@std@@
.?AVlength_error@std@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AV_System_error_category@std@@
.?AVtype_info@@
=->A>X>h>t>
=)=.===B=[=`=
<[=b=5>^?
bad address
bad_address
bad allocation
bad exception
bad file descriptor
bad_file_descriptor
bad message
 Base Class Array'
 Base Class Descriptor at (
__based(
=b=h=l=p=t=
BitBlt
bootProc
broken pipe
CallNextHookEx
=C>b>D?Q?]?b?
__cdecl
 /c del 
ChangeServiceConfig2W
ChangeServiceConfigW
=:=C=I=a=
><>C>J>&?
:#:<:C:K:P:T:X:
 Class Hierarchy Descriptor'
CloseClipboard
CloseDesktop
CloseHandle
CloseServiceHandle
closesocket
CloseThreadpoolTimer
CloseThreadpoolWait
CloseWindowStation
__clrcall
CoCreateInstance
CoGetObject
CoInitialize
CommandLineToArgvW
CompareStringEx
 Complete Object Locator'
COMSPEC
connect
connection aborted
connection_aborted
connection already in progress
connection_already_in_progress
connection refused
connection_refused
connection reset
connection_reset
ConnectNamedPipe
CONNECT %s:%d HTTP/1.1
Content-length: 0
Content-Type: text/html
ControlService
ConvertStringSidToSidW
`copy constructor closure'
CorExitProcess
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDesktopW
CreateDIBSection
CreateDirectoryW
CreateEnvironmentBlock
CreateEventA
CreateEventExW
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessA
CreateProcessAsUserW
CreateProcessW
CreateSemaphoreExW
CreateServiceW
CreateSymbolicLinkW
CreateThread
CreateThreadpoolTimer
CreateThreadpoolWait
CreateToolhelp32Snapshot
CreateWindowExW
cross device link
__CxxFrameHandler
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
DefWindowProcW
 delete
 delete[]
DeleteCriticalSection
DeleteDC
DeleteFileW
DeleteObject
DeleteService
destination address required
destination_address_required
DestroyCursor
DestroyEnvironmentBlock
DestroyIcon
device or resource busy
> ?D?h?
directory not empty
DisconnectNamedPipe
DispatchMessageW
;D;I;u;z;
;:<D<l<y<
dnsapi
DnsFree
DnsQuery_A
DoImpUserProc
[%d][%s:%d][%s:%s:%s]
dt-It#It
DuplicateTokenEx
`dynamic atexit destructor for '
`dynamic initializer for '
__eabi
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
:e:j:v:
<:=?=E=L=v=
EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p
EncodePointer
EnterCriticalSection
EnumProcesses
EnumProcessModules
EnumServicesStatusExW
EnumSystemLocalesEx
=E=P=u={=
EqualSid
<	=E=s=
executable format error
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsW
ExtractIconExW
>"?F?}?
__fastcall
f+A,Zf;
February
~'fffffff
file exists
filename too long
filename_too_long
file too large
FindClose
FindFirstFileW
FindNextFileW
FindResourceW
:+;:;F;L;n;x;
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FlushProcessWriteBuffers
found service_record table 6.2 or 6.3!
found service_record table! version <= 6.1
F$PRQj
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryWhenCallbackReturns
FreeSid
Friday
function not supported
G4jxXf
GDI32.dll
GdiFlush
GenerateConsoleCtrlEvent
generic
GetACP
GetActiveWindow
GetAdaptersInfo
GetAsyncKeyState
GetClassNameW
GetClipboardData
GetCommandLineA
GetCommandLineW
GetComputerNameW
GetConsoleCP
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCPInfo
GetCurrentPackageId
GetCurrentProcess
GetCurrentProcessId
GetCurrentProcessorNumber
GetCurrentThread
GetCurrentThreadId
GetCursorInfo
GetDateFormatEx
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceExW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExtendedTcpTable
GetExtendedUdpTable
GetFileAttributesW
GetFileInformationByHandleExW
GetFileSize
GetFileTime
GetFileType
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetForegroundWindow
gethostbyname
GetIconInfo
GetKeyState
GetLastActivePopup
GetLastError
GetLengthSid
GetLocaleInfoEx
GetLocalTime
GetLogicalProcessorInformation
GetMessageW
GetModuleFileNameA
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetModuleInformation
GetNativeSystemInfo
GetOEMCP
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetQueuedCompletionStatus
GetRawInputData
GetShortPathNameA
getsockname
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetSystemTimeAsFileTime
GetTcpTable
GetThreadDesktop
GetTickCount
GetTickCount64
GetTimeFormatEx
GetTokenInformation
GetUdpTable
GetUserDefaultLocaleName
GetUserNameW
GetUserObjectInformationW
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
GlobalUnlock
<G=N=V=m=u=
`h````
H0a081_1
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtVHHt
>$>H>l>
host unreachable
host_unreachable
HSUVWATAUAVAWH
HSUVWATH
HSUVWH
Ht9Ht6Ht3
Ht+Ht$Ht
Ht~HtIHuq
Ht?Huu
HTTP/1.0 200 
HTTP/1.1 200 
HttpAddRequestHeadersA
HttpEndRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestExA
HtzHtgHtCHt 
_hypot
I1M1Q1U1Y1]1a1e1i1m1q1u1
identifier removed
illegal byte sequence
ImpersonateLoggedOnUser
inappropriate io control operation
inet_addr
inet_ntoa
InitializeAcl
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSecurityDescriptor
InitiateSystemShutdownA
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
interrupted
invalid argument
invalid_argument
invalid seek
invalid string position
io error
iostream
iostream stream error
iphlpapi
IPHLPAPI.DLL
is a directory
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocaleName
IsWow64Process
<I<X<a<h<z<
j8Xj.f
jA[jZZ+
January
jdZjP^f;
j@j _W
.jkXf;
"jmXf;
JoProc
JoProcAccept
JoProcBroadcast
JoProcBroadcastRecv
JoProcListen
jPXjdf
j VWSP
jWX_^[
jWX_[]
	j*Zj?^
j*Zj?^
kernel32
kernel32.dll
KERNEL32.dll
keybd_event
KeyLog
KillTimer
KingOfPhantom0308_20140826
KLProc
;[<\=l=}=
last error:%d line:%dGetLastError()=0x%x
LCMapStringEx
LCMapStringW
LeaveCriticalSection
line=%d error=%d
? ?$?L?\?l?|?
LoadCursorW
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
`local static guard'
`local static thread guard'
LocalUnlock
`local vftable'
`local vftable constructor closure'
LockResource
LockWorkStation
LookupAccountSidW
LookupPrivilegeValueW
=(=L=p=
lstrcatA
lstrcmpA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpynA
lstrcpynW
lstrcpyW
lstrlenA
lstrlenW
;l<t<|<
;/;;;L;V;_;
<#<<<M<
malloc
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MapViewOfFile
memcmp
memcpy
memset
MessageBoxW
message size
message_size
>*>;>m>l?
MM/dd/yy
Monday
mouse_event
>*>M>R>^>
msvcrt.dll
MSVCRT.dll
=#>,>M>T>{>
MultiByteToWideChar
Nethood
Netstat
network down
network_down
network reset
network_reset
network unreachable
network_unreachable
 new[]
_nextafter
(NNt3Nt!Nt
no buffer space
no_buffer_space
no child process
no link
no lock available
no message
no message available
no protocol option
no_protocol_option
no space on device
no stream resources
no such device
no such device or address
no such file or directory
no such process
not a directory
not a socket
not_a_socket
not a stream
not connected
not_connected
not enough memory
not supported
November
>'>n>t>
ntdll.dll
NtQueryInformationProcess
NtQueryObject
 > nul
(null)
October
ODBC32.dll
OldServer
OlProc
OlProcManager
OlProcNotify
`omni callsig'
OpenClipboard
OpenEventA
OpenFileMappingW
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenThread
OpenWindowStationW
operation canceled
operation in progress
operation_in_progress
operation not permitted
operation not supported
operation_not_supported
operation would block
operation_would_block
operator
Option
OutputDebugStringW
owner dead
:%:o:y:
P8_^[]
pA\_^][
__pascal
PathFileExistsW
.pdata
@.pdata
permission denied
permission_denied
@Ph0)C
@Ph$7A
~pjCXf
`placement delete closure'
`placement delete[] closure'
PlugProc
PortMap
PostMessageA
PostQueuedCompletionStatus
PostQuitMessage
PostSerial
PostSize
PP9E u
PPPPPPP
PQQSVW
printf
Process
Process32FirstW
Process32NextW
ProcessIdToSessionId
Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]
protocol error
protocol not supported
protocol_not_supported
Proxy-Authorization: Basic %s
Proxy-Connection: Keep-Alive
PSAPI.DLL
PSSSQSS
PSSSSSSh 
PSSSSV
__ptr64
<:<P<V<g<
PWWWWV
PWWWWWW
PWWWWWWV
:,:p:x:
<!<+<Q<
<%<?<Q<c<u<
QQSVW3
QQSVWd
QQSVWj
QSVWjT
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceStatusEx
QueueUserAPC
?!?^?r?}?
RaiseException
`.rdata
ReadConsoleOutputW
ReadFile
read only file system
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEdit
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegisterRawInputDevices
RegOpenCurrentUser
RegOpenKeyExW
RegOverridePredefKey
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
RegSetValueExW
.reloc
RemoveDirectoryW
ResetEvent
resource deadlock would occur
resource unavailable try again
__restrict
restrict(
result out of range
ResumeThread
RevertToSelf
RtlCompressBuffer
RtlDecompressBuffer
RtlGetCompressionWorkSpaceSize
RtlMessageBoxProc
RtlNtStatusToDosError
RtlUnwind
>#?/?s?
:#:':S:{:
Saturday
`scalar deleting destructor'
Screen
ScreenT1
ScreenT2
%s: %d
%s:%d:%d:%s:%s:%s
SelectObject
September
Service
SetCapture
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetCursorPos
SetDefaultDllDirectories
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFileInformationByHandleW
SetFilePointer
SetFilePointerEx
SetFileTime
SetLastError
SetPriorityClass
SetProcessWindowStation
SetSecurityDescriptorDacl
setsockopt
SetStdHandle
SetTcpEntry
SetThreadDesktop
SetThreadpoolTimer
SetThreadpoolWait
SetThreadPriority
SetThreadStackGuarantee
SetTimer
SetTokenInformation
SetUnhandledExceptionFilter
SetWindowLongW
SetWindowsHookExW
SfcIsFileProtected
SHCopyKeyW
SHCreateItemFromParsingName
SHDeleteKeyW
SHDeleteValueW
SHELL32.dll
ShellExecuteExW
ShellT1
ShellT2
SHEnumKeyExW
SHEnumValueW
SHFileOperationW
SHGetValueW
shlwapi
SHLWAPI.dll
ShowWindow
SiProc
SizeofResource
socket
StartServiceW
state not recoverable
__stdcall
stream timeout
`string'
string too long
Sunday
@SUVAUH
@SUVWATAUAVAWH
SVWhp!
,SVWj0X
SWPPPhL
SxWorkProc
system
~';_t|%3
< t8<	t4
Telnet
TelnetT1
TelnetT2
TerminateProcess
TerminateThread
text file busy
+t"HHt
__thiscall
!This program cannot be run in DOS mode.
t>Ht0Ht"Ht
t^Ht Ht
t;Ht$Ht
t$Ht!Ht
t=Ht/Ht!Ht
Thursday
timed out
timed_out
t/It!It
t)jhVW
t)j*Zj?^
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TMDump(%p : %p : %s)
too many files open
too_many_files_open
too many files open in system
too many links
too many symbolic link levels
TranslateMessage
tSf9B*uM
Tuesday
;t$,v-
tVHuLV
twHumV
 Type Descriptor'
`typeof'
=T=Z=a=g=t=z=
tzHtwHt9Huj
*u1D8L
$u8D8D
ud8CDt
+u*D8D
#u?D8L
`udt returning'
uFVWWWW
u h` C
u(h$#C
__unaligned
UnhandledExceptionFilter
UnhookWindowsHookEx
unknown error
Unknown exception
UP9]lt
/update?id=%8.8x
:uQf9G
UQPXY]Y[
URPQQh 
user32
user32.dll
USER32.dll
userenv
%userprofile%\Intellog.txt
uUjD^V
UVWATAUAVAWH
value too large
`vbase destructor'
`vbtable'
`vcall'
__vectorcall
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
vector<T> too long
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
VerQueryValueW
version
Version: major:%d, minor:%d
`vftable'
VirtualAlloc
VirtualAllocEx
`virtual displacement map'
VirtualFree
VirtualProtect
VirtualProtectEx
VirtualQuery
VirtualQueryEx
Vj	^f;
v	N+D$
VWVVVP
WaitForMultipleObjects
WaitForSingleObject
WaitForThreadpoolTimerCallbacks
Wednesday
;W<f<s<}<
WideCharToMultiByte
WindowFromPoint
WinExec
wininet
Wj0XPV
Wj"_f9>u-3
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
Wow64DisableWow64FsRedirection
WriteConsoleInputW
WriteConsoleW
WriteFile
WriteProcessMemory
wrong protocol type
wrong_protocol_type
ws2_32
WS2_32.dll
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASocketA
WSAStartup
wsprintfA
wsprintfW
wtsapi32
Wtsapi32
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
WWWWWWWWWh\
:";,;x;
:&:/:<:X:
?X?b?x?
xppwpp
xpxxxx
YYWWWWW
?Z?e?t?