2015年8月19日星期三

[20/08-2015#ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-[19/082015]-uodate-By深網中文 Deep Web Chinese([China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)[中國]如何圖收支平衡上的Deep Web的長城（圖形說明板）-)-Update[18/08-2015]By Apple Daily reported - and - by our variety great of Anonymous publication of you do not know....!-and finally by Apple daily on the Apple Forum: Title: All of us, unfortunately, only so two !(our favorite ) [famous writer - Mr. Li Yi]{李怡先生} This article also represents of Hong Kong people's,, anti-tyranny anti-corruption slave - thief wolf Leung Chun-Ying (aka ' Corpse crooked ", below) garbage government !! 更新[18/08-2015]-由蘋果日報的報導-和-由我們的偉大匿名發佈的各種你不知道的....!最後由蘋果日報的蘋論:標題:我們所有的不幸，只有這麼兩個 !(我們最喜歡的)[著名作家-李怡先生!]這篇文章也是代表香港人們的反暴政反貪污腐化的無良''屍歪垃圾政府!! Update [18 / 08-2015] von Apple Daily berichtet - und - durch unsere große Auswahl von Anonymous Veröffentlichung der man nicht weiß, .... - und schließlich von Apple täglich auf der Apple-Forum: Titel: Alle von uns, leider nur so zwei (unser Favorit) [berühmte Schriftsteller - Herr Li Yi] {李怡先生} Dieser Artikel stellt auch der Hong Kong Volks ,, Anti-Tyrannei Anti-Korruptions-Slave - Dieb Wolf Leung Chun-Ying (aka ' Corpse krumm ", unten) Müll Regierung !! アップルデイリーによりアップデート[18/08から2015]報告 - と - 私達の様々なあなたの匿名出版の偉大は....知らない - アップルフォーラムで毎日、最終的にAppleが：！タイトル：私たちのすべて、残念ながらを！、だけなので、2つ（私たちのお気に入り）[有名な作家 - 李李] {李怡先生}この記事ではまた、香港の人々年代の表し,,抗専制政治腐敗防止スレーブ - 泥棒狼レオンチョン英（別名 '死体）以下、「曲がったごみ政府!! Apple က Daily သတင်းစာအားဖြင့် Update ကို [18/08-2015] ဖော်ပြခဲ့သည် - နှင့် - ကျွန်တော်တို့ရဲ့အမျိုးမျိုးအားဖြင့်သင်တို့၏ Anonymous ကထုတ်ဝေ၏ကြီးမြတ် .... ကျမမသိဘူး - Apple ရဲ့ Forum ကိုအပေါ်နေ့စဉ်နှင့်နောက်ဆုံး Apple က: ခေါင်းစဉ်: ငါတို့ရှိသမျှသည်, ကံမကောင်း ! သာဒါကြောင့်နှစ်ဦး (ကျွန်ုပ်တို့၏အကြိုက်ဆုံး) [နာမည်ကျော်စာရေးဆရာ - မစ္စတာ Li ကရီ] {李怡先生} ဤဆောင်းပါးကိုလည်းဟောင်ကောင်ကလူရဲ့ကိုယ်စားပြု ,, Anti-စိုးမိုးမှု Anti-အကျင့်ပျက်ခြစားမှုကျွန် - သူခိုးဝံပုလွေ Leung Chun-Ying က (aka '' အလောင်းကောင်) အောက်တွင် "ကောက်အမှိုက်သရိုက်အစိုးရ !! All The World Country lauguage**-

[20/08-2015#ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-
[19/082015]-uodate-By深網中文 Deep Web Chinese([China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)[中國]如何圖收支平衡上的Deep Web的長城（圖形說明板）)**-
*Update[18/08-2015]By Apple Daily reported - and - by our variety great of Anonymous publication of you do

not

know....!-and finally by Apple daily on the Apple Forum: Title: All of us, unfortunately, only so two !(our favorite ) [famous writer - Mr. Li Yi]{李怡先生} This article also represents of Hong Kong people's,, anti-tyranny anti-corruption slave - thief wolf Leung Chun-Ying (aka ' Corpse crooked ", below) garbage government !!
更新[18/08-2015]-由蘋果日報的報導-和-由我們的偉大匿名發佈的各種你不知道的....!最後由蘋果日報的蘋論:標題:我們所有的不幸，只有這麼兩個 !(我們最喜歡的)[著名作家-李怡先生!]這篇文章也是代表香港人們的反暴政反貪污腐化的無良''屍歪垃圾政府!!

Update [18 / 08-2015] von Apple Daily berichtet - und - durch unsere große Auswahl von Anonymous Veröffentlichung der man nicht weiß, .... - und schließlich von Apple täglich auf der Apple-Forum: Titel: Alle von uns, leider nur so zwei (unser Favorit) [berühmte Schriftsteller - Herr Li Yi] {李怡先生} Dieser Artikel stellt auch der Hong Kong Volks ,, Anti-Tyrannei Anti-Korruptions-Slave - Dieb Wolf Leung Chun-Ying (aka ' Corpse krumm ", unten) Müll Regierung !!
アップルデイリーによりアップデート[18/08から2015]報告 - と - 私達の様々なあなたの匿名出版の偉大は....知らない - アップルフォーラムで毎日、最終的にAppleが：！タイトル：私たちのすべて、残念ながらを！、だけなので、2つ（私たちのお気に入り）[有名な作家 - 李李] {李怡先生}この記事ではまた、香港の人々年代の表し,,抗専制政治腐敗防止スレーブ - 泥棒狼レオンチョン英（別名 '死体）以下、「曲がったごみ政府!!
Apple က Daily သတင်းစာအားဖြင့် Update ကို [18/08-2015] ဖော်ပြခဲ့သည် - နှင့် - ကျွန်တော်တို့ရဲ့အမျိုးမျိုးအားဖြင့်သင်တို့၏ Anonymous ကထုတ်ဝေ၏ကြီးမြတ် .... ကျမမသိဘူး - Apple ရဲ့ Forum ကိုအပေါ်နေ့စဉ်နှင့်နောက်ဆုံး Apple က: ခေါင်းစဉ်: ငါတို့ရှိသမျှသည်, ကံမကောင်း ! သာဒါကြောင့်နှစ်ဦး (ကျွန်ုပ်တို့၏အကြိုက်ဆုံး) [နာမည်ကျော်စာရေးဆရာ - မစ္စတာ Li ကရီ] {李怡先生} ဤဆောင်းပါးကိုလည်းဟောင်ကောင်ကလူရဲ့ကိုယ်စားပြု ,, Anti-စိုးမိုးမှု Anti-အကျင့်ပျက်ခြစားမှုကျွန် - သူခိုးဝံပုလွေ Leung Chun-Ying က (aka '' အလောင်းကောင်) အောက်တွင် "ကောက်အမှိုက်သရိုက်အစိုးရ !!
**All The World Country lauguage**-

**Please use the Google god of high-tech translator to translate your national / local language ah ^^ -

**請各位使用谷歌大神的高科技翻譯器來翻譯你們的國家/地方的語言啊^^-

**지역 / 국가 언어 아 ^^ 번역 하이테크 번역기의 구글 하나님을 사용하십시오 -

**Se il vous plaît utiliser le dieu Google de traducteur de haute technologie pour traduire votre ah langue nationale / locale ^^-

**あなたの国内/地域言語ああ^^翻訳するハイテクトランスレータのGoogleの神を使用してください -

**Будь ласка, використовуйте бога Google високотехнологічного перекладача, щоб перевести свій національним / регіональним мовою ах ^^-

**กรุณาใช้พระเจ้าของ Google แปลที่มีเทคโนโลยีสูงในการแปล / ชาติภาษาท้องถิ่นของคุณอา ^^-

**Si prega di utilizzare il dio Google Traduttore di high-tech per tradurre il vostro / ah lingua locale nazionale ^^-

**Fadlan isticmaal ilaah Google ee turjumaan farsmada heerka sare ah loo turjumi / ka ah luuqada maxaliga ah ee qaranka ^^-

**Gunakan dewa Google penerjemah berteknologi tinggi untuk menerjemahkan nasional / ah bahasa lokal ^^-

**Por favor, utilice el dios Google Traductor de alta tecnología para traducir su / ah nacional idioma local ^^-

**आफ्नो राष्ट्रिय / स्थानीय भाषा आह ^^ अनुवाद गर्न उच्च-प्रविधी अनुवादक को गुगल देवता प्रयोग गर्नुहोस् -

**Bonvolu uzi la Google dio de alta-tech tradukisto por traduki vian nacian / lokan lingvon ah ^^-

*[20/08-2015 #ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-*

‏@ROMelody88

@TheMeritz My Dear huge @TheMeritz please #OpISIS #Op_Tibet #opchina #ophk #OpRussian #OpTaiwan your @ROMelody88

#OpHongKong

- Our Pastebin :: http://pastebin.com/u/OpHK

- Our Twitter :: @OpHongKong

http://www.nscc-tj.gov.cn/ -Microsoft-IIS/6.0- National Super Computer Center

http://www.chengduinvest.gov.cn/

Hong Kong Targets

http://www.doj.gov.hk -- Edgecast

http://www.aud.gov.hk/ - Audit Commission - Edgecast

http://www.cso.gov.hk/ -Chief Secretary for Administration - Apache F5 BIG-IP

http://www.customs.gov.hk/ - Edgecast

http://www.cpu.gov.hk/ Central Policy Unit - Edgecast

http://www.gpa.gov.hk/ - Government Property Agency - Edgecast

http://www.grs.gov.hk - Government Records Service - Edgecast
IP address 83.243.11.171
[20/08-2015 #ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-

http://www.csd.gov.hk Hong Kong Correctional Services - F5 BIG-IP

Top Targets

www.china.org.cn - Sun-ONE-Web-Server/6.1 [http://www.cvedetails.com/vulnerability-list/vendor_id-5/product_id-2239/SUN-One-Web-Server.html]

www.china-embassy.org - Apache/2.4.4 (Unix) mod_jk/1.2.37

www.china.com/ - nginx/1.1.5

www.chinese-embassy.org.uk - Apache/2.4.4 (Unix) mod_jk/1.2.37

http://www.mps.gov.cn - Chinese Police

http://www.police.gov.hk - Hong Kong Police

http://www.mod.gov.cn - Ministry of Defence of China

http://www.moj.gov.cn - Ministry of Justice for China

http://www.gov.cn/ Server Info:: Apache/Squid

Secondary List

http://www.court.gov.cn/

http://www.spp.gov.cn - Supreme People's Procuratorate

http://www.cyberpolice.cn

http://www.ebeijing.gov.cn/ Server Info: Apache/2.4.4 (Unix)

http://eng.mod.gov.cn/ Server Info: Apache

http://www.credit.gov.cn/ Server Info: Apache/2.0.49 (Unix)

www.stats.gov.cn

www.mep.gov.cn

www.ndrc.gov.cn

www.bj.cyberpolice.cn

Apache Servers:

http://www.gov.cn/ Server Info:: Apache/Squid

http://mail.gov.cn - 202.123.110.47

http://ssl.gov.cn - 61.145.199.172

http://blog.gov.cn - 70.39.84.254

http://www.cnnic.cn/ Server Info: Apache

http://www.ebeijing.gov.cn/ Server Info: Apache/2.4.4 (Unix)

http://english.mofcom.gov.cn/ Server Info: Apache

http://www.stats.gov.cn/english/ Server Info: Apache/2.2.25 (Win32)

http://english.mep.gov.cn/ Server Info: Apache/2.4.3 (Unix)

http://en.ndrc.gov.cn/ Server Info:: Apache/2.4.7 (Unix)

http://eng.mod.gov.cn/ Server Info: Apache

http://www.saic.gov.cn/english/ Server Info: Apache/2.2.22 (Win32)

http://www.saic.gov.cn/sbjenglish/ Server Info: Apache/2.2.22 (Win32

http://www.cma.gov.cn/en/ Server Info: Apache/2.2.15 (Unix) PHP/5.2.6

http://www.chinalaw.gov.cn/ Server Info: Apache

http://english.sanya.gov.cn/ Server Info: Apache/2.4.7 (Unix)

http://english.ningbo.gov.cn/ Server Info: Apache/2.2.23 (Unix)

http://english.gz.gov.cn/ Server Info: Apache

http://www.npc.gov.cn/Server Info: Apache

http://www.safea.gov.cn/english/ Server Info: Apache/1.3.41 (Unix) PHP/4.4.8

http://english.wh.gov.cn/ Server Info: Apache-Coyote/1.1

http://www.mwr.gov.cn/english/ Server Info: Apache/2.2.25 (Win32)

http://www.csrc.gov.cn/pub/csrc_en/ Server Info: Apache

http://en.changsha.gov.cn/ Server Info: Apache/2.2.3 (Asianux)

http://en.beidou.gov.cn/ Server Info: Apache

http://en.wuxi.gov.cn/ Server Info: Apache

http://en.msa.gov.cn/ Server Info: Apache/2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/0.9.8b PHP/5.4.4)

http://www.nlc.gov.cn/english.htm Server Info: Apache

http://english.bjedu.gov.cn/publish/portal1/ Server Info: Apache/2.4.3 (Unix)

http://www.bjgaj.gov.cn/eng/ Server Info: Apache-Coyote/1.1

http://english.shaanxi.gov.cn/ Server Info: Apache/2.0.47 (Win32)

http://english.hebei.gov.cn/ Server Info:Apache/2.4.6 (Unix)

http://www.zhuhai.gov.cn/english/ Server Info: Apache

http://www.mlr.gov.cn/mlrenglish/ Server Info:Apache/2.2.23 (Unix)

http://www.chinare.gov.cn/en/ Server Info: Apache/2.2.9 (Win32) PHP/5.2.5

http://www.credit.gov.cn/ Server Info: Apache/2.0.49 (Unix)

http://library.cma.gov.cn Server Info: Apache/2.2.6 (Win32) mod_jk/1.2.32

http://mail.sjz.gov.cn Server Info: Apache/2.0.46 (Red Hat)

http://fgj.gdd.gov.cn Server Info: Apache, Linux 2.6.18-22

http://www.chinare.gov.cn Server Info: Apache/2.2.9 (Win32) PHP/5.2.5

http://www.dqghj.gov.cn Server Info: Apache/2.2.22 (Win32) PHP/5.2.17

http://www.gaohang.gov.cn Server Info: Apache

http://www.gdofa.gov.cn Server Info: Apache/2.2.15 (Red Hat)

http://www.haoyunjiao.gov.cn Server Info: Apache

http://www.hbqx.gov.cn Server Info: TWebAP/1.0.8.49

http://www.hljcredit.gov.cn Server Info: Apache-Coyote/1.1

http://www.hzfgj.gov.cn Server Info: Apache

http://www.islandsdc.gov.hk Server Info: Apache

http://www.bhxq.gov.cn Server Info: Apache

http://www.laobian.gov.cn Server Info: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8

http://www.lcsd.gov.hk Server Info: Apache

http://www.zuoyun.gov.cn Server Info: Apache

http://form.nlc.gov.cn Server Info: Apache (Trace Method Allowed)

http://www.tj.gov.cn/english/ Server Info: Apache 2.4.9 (Unix)

http://www.gzjjzd.gov.cn Server Info: Apache (Tomcat/Cayote JSP engine 1.1)

http://www.hljcredit.gov.cn Server Info: Apache (Tomcat/Cayote JSP engine 1.1)

http://www.jledu.gov.cn Server Info: Apache 2.2.15

http://www.ykaj.gov.cn Server Info: Apache 2.2.3 (CentOS)

http://www.ft.gov.cn Server Info: Apache 2.0.59 ((Unix) DAV/2 PHP/5.2.8)

http://www.lcsd.gov.hk Server Info: Apache

http://zyz.sipac.gov.cn Server Info: Apache/2.2.17 (Win32) mos_ssl/2.2.17 OpenSSL/0.9.8.o PHP/5.3.4 mos_perl/2.0.4 Per

http://www.safea.gov.cn Server Info: Apache httpd 1.3.41 ((Unix) PHP/4.4.8)

http://www.tyrd.gov.cn Server Info: Apache

http://event.familycouncil.gov.hk Server Info: Apache

https://csboa2.csb.gov.hk Server Info: Apache

http://m.hketransport.gov.hk Server Info: Apache 2.2.24

http://ccne.mofcom.gov.cn Server Info: Apache 2.2.4 ((Win32) mod_jk/1.2.25)

http://www.tjlottery.gov.cn Server Info: Apache

http://www.thx.gov.cn Server Info: Apache 2.2.26 (CentOS)

http://www.zjww.gov.cn Server Info: Apache (Coyote/1.1)

http://www.cdmbc.gov.cn Server Info: Apahe 2.2.22 ((Win32) PHP/5.2.11)

http://www.shmec.gov.cn Server Info: Apache

http://www.safea.gov.cn Server Info: Apache 1.3.41 ((Unix) PHP/4.4.8)

http://www.amo.gov.hk Server Info: Apache

http://www.pixianzx.gov.cn Server Info: Apache 2.2.9 ((Win32) PHP/5.2.6)

http://www.shgaoqiao.gov.cn Server Info: Apache

http://www.ft.gov.cn Server Info: Apache 2.0.59 ((Unix) DAV/2 PHP/5.2.8)

http://www.aqtyj.gov.cn Server Info: Apache 2.2.17 ((Unix) PHP/5.2.17)

http://www.chenghua.gov.cn Server Info: Apache 2.2.17

http://www.tjca.gov.cn Server Info: Apache 2.2.8 (DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8e PHP/5.2.5 mod_apreq2-20051231/2.6.0 mod_perl/2.0.2 Perl/V5.10.0)

http://www.lcsd.gov.hk Server Info: Apache

http://english.qingdao.gov.cn Server Info: Apache 2.2.23 (Unix)

http://sc.legco.gov.hk Server Info: Apache 2.0.64 (FJT 4.4.48) (Win32) mod_ssl/2.0.64 OpenSSL/1.0.0 mod_is

http://en.msa.gov.cn Server Info: Apache 2.2.23 ((Unix) mod_ssl/2.2.23 OpenSSL/0.9.8b PHP/5.4.4)

http://hzzcpd.train.gov.cn Server Info: Apache 2.2.15

http://sc.legco.gov.hk Server Info: Apache 2.0.64(FJT4.4.48) (Win32) mod_ssl/2.0.64 OpenSSL/1.0.0 mos_is

http://wsj.weifang.gov.cn Server Info: Apache 2.4.7 (Win32)

IIS Servers:

http://english.sipo.gov.cn/ Server Info: Microsoft-IIS/6.0

http://www.most.gov.cn/eng/ Server Info:Microsoft-IIS/6.0

http://en.cnta.gov.cn/ Server Info: Microsoft-IIS/6.0

http://english.customs.gov.cn/ Server Info: Microsoft-IIS/6.0

http://www.enghunan.gov.cn/ Server Info: Microsoft-IIS/6.0

http://en.changchun.gov.cn/ Server Info: Microsoft-IIS/6.0,iis-1-157

http://english.pudong.gov.cn/ Server Info: Microsoft-IIS/6.0

http://www.sipac.gov.cn/english/ Server Info: Microsoft-IIS/6.0

http://www.973.gov.cn/English/Index.aspx Server Info: Microsoft-IIS/6.0

http://english.xm.gov.cn/ Server Info: Microsoft-IIS/6.0

http://english.dg.gov.cn/ Server Info: Microsoft-IIS/6.0

http://english.agri.gov.cn/ Server Info: Microsoft-IIS/7.0

http://english.eximbank.gov.cn/ Server Info: Microsoft-IIS/7.5

http://qinghe.mzfz.gov.cn Server Info: Microsoft-IIS/6.0

http://www.51a.gov.cn Server Info: Microsoft-IIS/6.0

http://www.ahhs.gov.cn Server Info: Microsoft-IIS/6.0

http://www.panzhihua.gov.cn:8001 Server Info: Microsoft-IIS/7.5

http://www.meizhou.gov.cn Server Info: Microsoft-IIS/6.0

http://english.agri.gov.cn/ Server Info: Microsoft-IIS/7.0

http://fgj.getdd.gov.cn Server Info: Microsoft-IIS 6.0 MSQL (Open FTP Port 21)

http://www.cnsa.gov.cn Server Info: Microsoft-IIS/6.0

http://www.ytboc.gov.cn Server Info: Microsoft-IIS/6.0

http://www.hbshrss.gov.cn Server Info: Microsoft-IIS

http://www.meizhou.gov.cn Server Info: Microsoft-IIS 6.0

http://www.jsfpc.gov.cn Server Info: Microsoft-IIS 6.0

http://www.sjzqxga.gov.cn Server Info: Microsoft-IIS 6.0

http://hkerouting.gov.hk Server Info: Microsoft-IIS 6.0

http://www.ytboc.gov.cn Server Info: Micorosoft-IIS 6.0

http://www.jsfpc.gov.cn Server Info: Microsoft-IIS 6.0

http://www.dywfy.gov.cn Server Info: Microsoft-IIS 7.0

http://www.fso-createhk.gov.hk Server Info: Microsoft-IIS 7.5

http://qinghe.mzfz.gov.cn Server Info: Microsoft-IIS

http://www.hljdep.gov.cn Server Info: Microsoft-IIS

http://www.matahu.gov.cn Server Info: Microsoft-IIS

http://www.meizhou.gov.cn Server Info: Microsoft-IIS 6.0

http://www.sjzgaj.gov.cn Server Info: Microsoft-IIS 6.0

http://www.npjm.gov.cn Server Info: Mirosoft-IIS

http://www.gxq.gov.cn Server Info: Microsoft-IIS 6.0

http://www.big5.xm.gov.cn Server Info: Microsoft-IIS

http://www.pets.gov.hk Server Info: Microsoft HTTPAPI 2.0 (SSDP/UPnP)

http://en.cq.gov.cn Server Info: Microsoft HTTPAPI 2.0 (SSDP/UPnP)

http://www.hx.gov.cn Server Info: Microsoft HTTPAPI 2.0 (SSDP/UPnP)

Nginx Servers:

http://www.pbc.gov.cn:8080 Server Info: IBM_HTTP_Server

http://www.jxedz.gov.cn/ Server Info: Nginx 0.7

http://en.hainan.gov.cn/ Server Info: Nginx

http://www.nmshh.gov.cn Server Info: Nginx/1.4.4

http://www.fdi.gov.cn Server Info: Nginx/1.4.1

http://www.cnao.gov.cn/ Server Info: Nginx

http://www.dttz.gov.cn Server Info: Nginx/1.0.15

http://english.jsjyt.gov.cn Server Info: Nginx, OpenSSH 4.3 (Protocol 2.0)

http://nsaww.nsa.gov.cn/ Server Info: Nginx/0.7.67

http://www.nanjing.gov.cn/en/ Server Info: Nginx

http://www.createhk.gov.hk Server Info: Nginx

http://eng.weather.gov.cn Server Info: Nginx 1.1.8

http://www.wangjiang.gov.cn Server Info: Nginx

http://www.ncct.gov.cn Server Info: Nginx 1.0.2

http://www.sdnsf.gov.cn Server Info: Nginx

http://fair.shandongbusiness.gov.cn Server Info: Nginx

http://www.hr.gov.cn Server Info: Nginx 1.0.15

http://www.sdjgj.gov.cn Server Info: Nginx 1.4.4

http://english.zhangjiajie.gov.cn Server Info: Nginx

DB Leak: Gov E-Mails (http://pastebin.com/QVC0gsSk)

http://mail.tj.gov.cn/ --> mail login page IP: 60.28.81.150

http://mail.mps.gov.cn/ --> mail login page

http://app.mps.gov.cn:8102/consult/ --> login page

http://mail.chinalaw.gov.cn/ --> mail login page

http://bm.kjzfw.net/Member/Login --> member login

http://bm.kjzfw.net/Account/LogOn?ReturnUrl=%2fAdmin --> admin login

http://mail.cnsa.gov.cn/ --> mail login

New Targets

http://www.fehd.gov.hk Server Info: ECAcc (sea/1C3C)

http://www.mcor.swd.gov.hk Server Info: ECAcc (ewr/14B9)

http://www.energylabel.emsd.gov.hk Server Info: ECAcc (ewr/14B9)

http://lyw.sh.gov.cn Server Info: Squid proxy 2.2.STABLE4

http://english.sz.gov.cn/ Server Info:: IBM_HTTP_Server

http://www.nbcp.gov.cn/ Server Info: IBM_HTTP_Server

http://www.chinaipr.gov.cn/ Server Info: Oracle-Application-Server-10g

http://english.nanning.gov.cn/ Server Info: ASERVER/1.2.9-3

http://eng.sfda.gov.cn/ Server Type: server_50604cf2a6f65

http://www.fmprc.gov.cn Server Info: FC

http://big5.fmprc.gov.cn Server Info: FC

http://www.cmse.gov.cn Server Info: FC

http://en.cmse.gov.cn Server Info: FC

http://www.hefei-stip.gov.cn Server Info: WAF

http://eng.hangzhou.gov.cn Server Info:

http://www.pcoss.labs.gov.cn Server Info:

http://aqxxgk.anqing.gov.cn Server Info:

http://gbcode.ofca.gov.hk Server Info:

http://minzheng.pengzhou.gov.cn Server Info:

http://tgzp.jledu.gov.cn Server Info:

http://translate.legislation.gov.hk Server Info:

http://www.shunqing.gov.cn Server Info:

http://www.ziyangxian.gov.cn Server Info:

http://www.zsda.gov.cn Server Info:

http://www.ipass.gov.hk Server Info:

KillApache Vuln

www.gdd.gov.cn

www.ebeijing.gov.cn

www.stats.gov.cn

www.mep.gov.cn

www.ndrc.gov.cn

www.ytboc.gov.cn

www.saic.gov.cn

www.zjww.gov.cn

www.cma.gov.cn

www.sanya.gov.cn

www.shmec.gov.cn

www.matahu.gov.cn

www.jsfpc.gov.cn

www.mwr.gov.cn

www.hljcredit.gov.cn

www.changsha.gov.cn

www.gzjjzd.gov.cn

www.beidou.gov.cn

www.chenghua.gov.cn

www.nlc.gov.cn

www.bjedu.gov.cn

www.ccne.mofcom.gov.cn

www.hebei.gov.cn

www.shgaoqiao.gov.cn << uber easy

www.gdd.gov.cn

www.sjz.gov.cn

www.xm.gov.cn

www.hljcredit.gov.cn

www.gaohang.gov.cn
=====

*[20/08-2015#ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-
http://melody-free-shaing.blogspot.com/2015/08/update1808-2015by-apple-daily-reported.html
======##############

Hsinchu region to share experiences demining area

Deep Web Chinese 24 days ago.

Currently younger netizens to share experiences with the results, I hope not bombed enthusiasts brothers share a boycott scam with mine workers, and also welcomes any ideas or want to share advice, immediately add on to your reference.

Snow <- safety seriously, Tel: 0934334678.
Kelly <- safety seriously, Tel: 0981654050.
Tingting <- safety seriously, Line: 0981227970.
Cola <- safety seriously, Line: aaaooo2129, Tel: 0985-116145.
Sunnie <- safety seriously, Tel: 0989754827.
. Candy is tonight <- lie with the degree of difference according to steal, Line: candy520668, Tel: 0987434732.
. Sugar Sugar Ke to children, the same person <- deceptive photos, phone: 0909-177-214.
Xiaohan <- Security, Line: nini930479 ← turn "Chungli theater"
Rainbow <- safety, but looks not control, phone: 0926948417
Happy children <- mines, Line: gankyy, Phone: 0986847961
Lin Yutong, Dooley wet working girl hall, using the same photo of a girl Chicks, lie to <- fraud syndicate, Line: lqs0224, tea202
Lingling <- scam. Cheat card, Line: xl1818
Small words <- mines, Line: gguuee, Phone: 0971492272
Mimi <- Security Huns moon sister, Line: 0976745767..
Xiaoxuan <- two have been recommended safety, Line: sun3915, Tel: 0989663915.
Blessings <- Security moon sister, Line: a0970931853, Tel: 0970931853.
Classic bamboo, currently five <- are safe, Line: toyko333
Orange <- I, massage outside the control of Pop, Line: akbbkk.
Xiaohui teacher <- Cougar wind, 40y up, 0.3 Massage, Phone: 0956808775
Anna = yuki = cherries <- Cougar wind, 40y up, afraid to smoke, Line: anna520527, Phone: 0970365306
Xiao bamboo <- mines, Line: geyjoop, Phone: 0973072151
Micro-ni-ni Sugar & <- Security 0.3, phone:. 0909315429 0979789004, Line: TOP5429 0979789004.
Kiki <- my photos, just cute little horse, moonlight fairy, massage acceptable, Phone: 0965335909
Qiaoqiao <- Dalei, Phone: 0909313542
Grass <- scam, fake photographs, Line: auqddk0879, Phone: 0909290879
mimi <- scam, fake photographs, Line: GUKM558, Phone: 0903242402
Ann <- Ray, Tel: 0909086753
Fifi <- photos questioned only a small horse, has been completed orogeny, appearance control can be washed, LINE: j85688, Phone: 0983304351
Night fragrant sisters <- Full I shine, moonlight fairy, good massage, Tel: 0970-373-369
Murphy <- my photos, can be washed Crime Unit, Line: ssqqmm0204

=====

新竹地區掃雷心得分享區

深網中文 24 days ago

目前小弟跟網友們分享的心得結果，希望能給還沒被炸過的同好弟兄們分享一起抵制詐騙集團跟地雷個工，也歡迎有任何心得想分享或指教，馬上補充上給大家參考。

雪 <- 安全.認真，電話: 0934334678
凱莉 <- 安全.認真，電話: 0981654050
婷婷 <- 安全.認真，Line: 0981227970
可樂 <- 安全.認真，Line: aaaooo2129，電話:0985-116145
小柔 <- 安全.認真，電話: 0989754827
糖果,就是今夜 <- 騙人照.偷時.配合度差.，Line: candy520668 ，電話: 0987434732
糖糖.可欣.可兒,同一人 <- 騙人照.，電話: 0909-177-214
小涵 <- 安全，Line: nini930479 ←轉『中壢戰區』
彩虹 <- 安全，但外貌控不宜, 電話: 0926948417
樂兒 <- 地雷，Line: gankyy，電話: 0986847961
林雨桐，杜雷濕正妹會館，都使用相同幼齒女孩照片，騙人照<- 詐騙集團，Line: lqs0224 ,tea202
玲玲 <- 詐騙集團．騙點卡，Line: xl1818
小言 <- 地雷，Line: gguuee，電話: 0971492272
美美 <- 安全.匈奴族.月亮妹，Line: 0976745767
小軒 <- 兩人已推薦.安全，Line: sun3915 ，電話: 0989663915
恩恩 <- 安全.月亮妹，Line: a0970931853，電話: 0970931853
竹之經典, 目前五位 <- 都安全，Line: toyko333
橘子<- 本人，按摩.外控普普，Line: akbbkk
小惠老師<- 熟女風，40y up，0.3按摩，電話: 0956808775
安娜=yuki=櫻桃<- 熟女風，40y up，不怕菸的來，Line: anna520527，電話: 0970365306
曉竹 <- 地雷，Line: geyjoop，電話: 0973072151
微妮&糖妮 <- 安全 0.3，電話: 0909315429 . 0979789004， Line: TOP5429 . 0979789004
琪琪<- 本人照,可愛小隻馬,月光仙子，按摩尚可，電話: 0965335909
巧巧<- 大雷，電話: 0909313542
小草<- 詐騙集團,假照片，Line: auqddk0879，電話: 0909290879
mimi<- 詐騙集團,假照片，Line: GUKM558，電話: 0903242402
安安<- 雷，電話: 0909086753
菲菲<- 照片質疑,小隻馬,已造山完成，外貌控可衝，LINE：j85688，電話: 0983304351
夜香姊妹<- 全本人照,月光仙子，按摩不錯，電話: 0970-373-369
莫菲<- 本人照,重案組可衝，Line:ssqqmm0204

=====

[China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)

Deep Web Chinese about a month ago.

[中國] 如何圖破長城連上深網(圖文解說板)

深網中文 about a month ago.

=====

How wall

Deep Web Chinese 14 days ago

Article Directory
★ party state why they want to close up? ★ party state why they want to close up? Why should we over the wall? Why should we over the wall?
★ Literacy --GFW is incorrect stuff? ★ Literacy --GFW is incorrect stuff?
★ ★ start talking about Google products start talking about Google products
★ ★ modify the hosts file modify hosts file
★ ★ modify modify DNS server DNS server
★ ★ encryption encrypt Web proxy Web proxy
★ ★ agent software agent software
★ VPN client ★ VPN Client
Summary ★ proxy and VPN software tools summary ★ agent tools and VPN software
★ ★ Mobile phone wall wall
★ ★ other resources other resources
★ ★ end end

One day of the year in May 2009, BlogSpot and again hit the wall, was GFW sealed. I blog on BlogSpot (in the " here ") also suffered no real winners, cups ah cups! Fortunately, the original left hand, in CSDN built a mirrored Blog for backup. At that time in order to allow thousands of blog readers I can continue to access, he specifically wrote this note literacy, universal look over the wall of all the basic "posture."
Due to technological advances over the wall, the paper will be constantly updated. Students will be over the wall, please " here "to see the latest version of this article. Students not over the wall, please send an email to help_gfw@yahoo.com , then automatic reply, obtain the latest content herein (preferably abroad letter mail, it is strongly recommended Gmail).

★ party state why they want to close up? Why should we over the wall?

Why offend the majority of Internet users prefer my party (already super three hundred million) also engage in GFW for network blockade pinch? Simply put, there is a lot of information on the Internet, it is a party state does not want you to see. By GFW, the party state can control what you can see and can not see what. After controlling the information channels, the party-state can be easily fooled you, to brainwash you, so you become brain damage.
Now you understand? As long as you are subject to the GFW, you do not have "free access to the Internet", and therefore there is no "freedom of access to information." But I always think: "Free Internet access is a fundamental right of Internet users." So, all these years I have been looking for ways to popularize the wall pose. If you agree with this view, would you please help spread this tutorial to the people around, and everybody's need to participate in the fight against GFW.
Because this article is mainly about the wall technique, this topic is not further carried out. Interested students can look at a few posts I (in the wall) before:
" Party and the Internet contest "
" Faced with the wall, we can do is - let GFW fall into the ocean of people's war "

★ Literacy --GFW is incorrect stuff?

Taking into account some users never know "GFW" what that is, what I colloquially literacy.
GFW is my party in order to strengthen control over the Internet and blockade, a great effort, pay big bucks to get out of a stuff. This stuff deployed in the heavenly Internet international export. Since it is a pay big bucks to get out, is naturally very cattle very powerful. This thing has the following main features:

◇ DNS spoofing (DNS contamination)

"DNS spoofing" foreign language called "DNS Spoofing"; "DNS pollution" also known as "domain cache poisoning", leaving the country called "DNS Cache Poisoning". The two are a meaning, just different names.
If you are using a wall of the DNS server, then a DNS query every time you will have to go through the international export. At this time, GFW DNS query results will be falsified by the technical means - make your query to the Web site IP is wrong. In this way, you naturally can not the site.
By the way, "DNS spoofing" and "DNS hijacking" are two different things. "DNS hijacking" refers to the record on the DNS server has been artificially modified wrong. In heavenly, many domestic ISP deliberately modify records on their own DNS server to record certain sensitive site modified wrong.
About "DNS pollution", it was also specifically wrote a " literacy DNS principle, also on "domain name hijacking" and "domain spoofing / Domain pollution" . "

◇ IP blocking (IP blacklist)

As the name suggests, it is to block certain IP addresses.
If you want to access the website, IP their sites to be included GFW IP blacklist. Then the site would not be a normal visit.

◇ sensitive word filtering (keyword filter)

GFW maintains a very long list of sensitive words, and the list is constantly updated. Some of the more sensitive political vocabulary, are on the list.
If you visit a Web page that contains any sensitive words, then the page GFW will shield through technical means, so you can not see.

Through the above several functions, it can effectively prevent users see the party do not want you to see. If you are curious and want to know more detailed information about the GFW, please look over the wall " here . "

★ start talking about Google products

Said earlier, a lot of shit, now cut to the chase. Rather cattle X start talking about Google company.
Google provides a lot of good, Web-based products (such as Gmail, Google Reader, Google Groups, Google Docs), these products basically support HTTPS access (that is, encrypted access), and therefore can be used as wall weapon. I take a few of them to chat.

◇ Google Reader

Google Reader is a first "blog reader," but also a home travel, a good tool over the wall essential. Unfortunately, this good tool in the July 1, 2013 has been Google closed.
In this regard, he wrote a two blog " Death Google Reader - cause analysis, countermeasures, lessons learned , "" alternative of Google Reader, which is more reliable? "Everybody for reference.
Closer to home, "blog reader" has the advantage - you can use it to access the site by a wall. But there are two prerequisites:
Premise 1-- you use "blog reader" itself is not the premise 2-- wall is the wall you want to visit sites, support RSS output (also known as "RSS Feed").

◇ Gmail

Gmail's Web interface, very easy to drop (from its market share soared in recent years can be seen). Because Gmail itself supports HTTPS encryption access, and therefore has become another weapon over the wall. Before you use Gmail, remember to Gmail "Settings" screen, find the "General" tab, the inside of the "Always use https" on the hook.
Some sensitive sites (such as "Voice of America"), in order to facilitate access to everybody, specializing in mail subscription feature: you can get daily updates by e-mail these sites. There are many forums (such as Google Groups forum), also provide e-mail subscriptions. Once you have Gmail, you can use it to get the content above website updates.
Insert an ad: In the end of June 2013 (Google Reader Close Eve), I blog also opened mail subscription feature. Look at this, " e-mail subscription feature releases - free over the wall "Google Reader alternatives" . "
In addition to use Gmail to subscribe to web content, you can use Gmail to get some circumvention software (will explain later).

◇ Google Drive / Google Docs

Google Docs (now renamed "Google Drive / GDrive") is a very convenient tool for document sharing. Because it also supports HTTPS mode (please forgive I long-winded), so you can use it to write a variety of politically sensitive articles, and then share the Internet. For example, I of this "how over the wall," the post, you can also use http://docs.google.com/View?docid=0AbZnRSbuUv3sZGNwNXg4NDNfMTRjd25uZ2Zkcw&hl=en share. This way of sharing the benefits of that: Google Docs URL path string is a string of erratic, GFW is not easy to block.
Hateful, 60th birthday party on the occasion of the country, GFW Google Docs to get rid of 443 ports. Because 443 is the default port for HTTPS protocol, port 443 blocked Google Docs means that you will not be able to use the encrypted HTTPS protocol direct access Google Docs, and can only be accessed using plaintext HTTP protocol. But do not worry guys, we still have a ways to see the subsequent "modify the hosts file."

★ modify the hosts file

Most operating systems support the hosts file, which provides IP of "alias mechanism." This IP-based alias mechanism can be used to combat domain GFW blockade. Given the limited space, specific technical details aside.

◇ How to Set

If you are using a Windows system, you can use the following command to open the hosts file.
notepad% SystemRoot% \ system32 \ drivers \ etc \ hosts

If you use the Linux system or Apple Mac systems, you can use the following command to open.
vi / etc / hosts

After opening, the IP address and the domain name those blocked sites added to the hosts file (one per line) can be. For example, the above mentioned Google Drive, its IP is 74.125.227.198, as long as the hosts that we add the following line:
74.125.227.198 drive.google.com
You can then use as usual based on the HTTPS protocol Google Drive.

◇ advantages and disadvantages

The advantage of using this tactic is that:
(1) very fool - no need to install software;
(2) the performance of well - among transit without going through the proxy.
But there must be good or bad, this tactic disadvantages are obvious:
(1) If you access the HTTP protocol pages, and the content contains sensitive words, then this tactic still the game;
(2) If the GFW not only sealed domain, also closed IP, then this tactic is still out of the question;
(3) If the IP of a site has changed, the times that you have to modify your hosts file, it is truly in trouble.

In summary, modify the hosts file another way, such as Google Drive can only be used like a huge influence on the site. Because people have used Google Drive more, GFW embarrassed the entire domain names and IP sections are blocked. Therefore, it had selectively blocked HTTPS protocol, but spared the HTTP protocol (HTTP protocol is plain, easy to perform keyword filtering GFW). In this case, "modify the hosts file" tricks can come in handy.

★ modify DNS server

Then modify the hosts file, come to talk about modifying DNS. This trick is used to prevent domain hijacking drops (but not prevent domain contamination). Domain name hijacking activities, looks like a lot of domestic carriers (such as Shanghai Telecom) have done. So pinch, try not to use DNS server operators to provide your location, not insurance. After all, domestic carriers are subject to the control of the party state, it is estimated they involuntarily.
I recommend several foreign countries, well-known, good character reference DNS to everybody.
Google is indeed the cattle X company, and very humane. It provides the following in mind two good DNS server.
8.8.8.8
8.8.4.4

To prevent the GFW to Google's DNS server seal kill, everybody has a much longer back up a couple. Here are the DNS IP can be no Google's DNS so easy to remember the.
OpenDNS:
208.67.222.222
208.67.220.220

Chunghwa Telecom's DNS:
168.95.192.1
168.95.192.2

Hong Kong Broadband's DNS:
203.80.96.9
203.80.96.10

As for how to modify your computer's DNS server, should not you teach it? Students will not, on their own Google to investigate.

★ encryption Web Proxy

Google after the finish of the series of tools, some students may be asked: do not provide RSS feeds, and do not provide mailing lists of sites supposed to pinch? Do not be afraid, there is another stuff can pass through the wall that is encrypted Web proxy.
HTTPS encrypted Web-based way of proxy, the main benefits are: no need to install additional software, the browser can handle alone. However pinching, HTTPS proxy once with more people, prone to GFW's attention, death is not far away (so-called pig afraid of strong people afraid of becoming famous). If you want this trick, they have often teach some of the proxy site.
I have been over the wall in this tutorial, we will put a few incidental HTTPS web proxy, easy to use and talk directly. Unfortunately, since the third quarter of 2010, GFW I began eyeing the (seemingly GFW lackeys, we also look at the blog). So pinch, I can not put specific encryption Web proxy put out, so those cheap lackeys. Students want their own to Google it.

★ Agent Software

Agent software key chapter of this tutorial, but oh!
Party state recently increased internet censorship, many circumvention tools are ineffective. Everyone look at the focus "Since by the door", "no. Circles" that several of introduction!

◇ Agent Works

Circumvention principle proxy tool is such drops:
Suppose you want to access a website by a wall (such as reactionary websites, pornographic websites :) by proxy over the wall, this time will go through the following steps:
(1) your Internet software (usually a browser) will send data to your computer's proxy tool;
(2) The tool the data is encrypted, and then sent to a foreign proxy server;
(3) The proxy server to decrypt the data, and then send it to you to visit the website.
(4) The return of data from the site, but also through the above channels, and ultimately back to your browser.

◇ agent classification

According to whether encryption, proxy agents, and encryption software can be divided into two kinds of non-encrypted proxy (this is not nonsense thing :). In order to avoid the GFW sensitive word filtering, we have to use encryption agent software.
According to the protocol type, a common HTTP proxy and SOCKS proxy. If you are purely browser over the wall, HTTP proxy enough to use; if you need to let other software (such as MSN) over the wall, then starting a SOCKS proxy.

Get ◇ Agents tools

I mentioned below, a lot of software, official sites have been wall. In order to facilitate everybody downloads, I put a few common tools onto the Microsoft network disk, then finishing "on Google Code summary list "(Unfortunately this page is also a wall).
Users who can not over the wall, the wall Hai ready to download. To fool the country's Webmaster, put the walls of circumvention tools are embedded in the image file. So, you download a picture file. After downloading, you need to change the file extension "7z", you can use 7zip or WinRAR to open, and then extract the proxy tool.

Note ◇ Agents tools

Because of the way through the use of encryption GFW, it will certainly be discounted drop in performance. I recommend everybody at the same time using two browsers: a browse regular Web site, and the other by a wall configured proxy browsing websites. For students using Firefox or Chrome, you can install some third-party proxy plug-ins (eg: AutoProxy , FoxyProxy ), used to automatically switch the proxy mode and non-proxy mode.
In addition, the name of some sites is very sensitive, I can no longer posted for this article to other places (to circumvent keyword filters), made a name for sensitive appropriate transformation; there are some sites, even very sensitive domain, I use bit.ly He made the jump. (Due to too much fame bit.ly also been blocked, you need to open these bit.ly wall jump address)

◇ since by the door

Since by the door (from the move. State. Net), it is a company dedicated to the development of the political background to break the GFW. Upgrade its version more frequently, preferably regularly updated to the latest version of the nets to get the best results.
Since by the door is the green software, small (about 2 trillion), with a digital signature. If you are not downloaded from the official website, the best look at a digital signature to ensure that the file has not been tampered with (such as viruses). As for how to verify a digital signature, please look over the wall " here . "
Since by the door also divided "Expert Edition" and "Professional Edition" two. Much is said Expert Edition for technology use; Professional Edition for a novice to use :). I personally feel that maybe is not very different version.
It uses HTTP proxy mode, the port is "8580."
Since by the official site of the door in " here "(Wall has long been used here bit.ly jump). Inconvenient to visit its official website the students can give "freeget.one@gmail.com" to get it through the mail; even if you are too lazy to send e-mail, go to the following page to download:
7.4.2 Professional Edition ( wall Download )
7.4.2 Expert Edition ( wall Download )

◇ no. Border

"None. Profession" in the background, using a very similar way, "since by the door." Starting in November 2011, no. Circles over the wall using a new mechanism, the ability to have a significant upgrade over the wall. Relevant details, see I specifically wrote the post " a new version of unbounded. - Race Alternatively wind 3 after failure . "
None. Border use HTTP proxy mode, the port number is "9666."
Official site in the " here "(long been a wall, jump here with bit.ly).
Not on the official website of the students, go to the following web site to download the latest version 14.03: wall download

◇ TOR

TOR also called "onion network." Online often hear people say "with a set (TOR homonym) wall" refers to it. This stuff is an open source project to protect the freedom and privacy of personal Internet. It works can be found " here . "
TOR's official website has been the wall, and everybody can get TOR by email. As follows:
Send plain text messages to the theme of "help" to gettor@torproject.org, after receiving the reply message and then reply to the prompts once to collect TOR package in your mailbox. Strongly recommended to use Gmail, to ensure the best results. Try not to use domestic mail, remember!
Since the TOR of too much fame, GFW special attention to it. Many TOR GFW bridge relay are included IP blacklists, leading TOR can not be used alone. But that's okay, we still way through the public proxy, together on the TOR network nodes worldwide. Specific configuration, see I wrote " wearing "set" method over the wall . "
In addition, TOR although they can not be used alone, but can be used with other circumvention tools with TOR, construct double agent. Dual agency occult very good, if you often sensitive remarks published online, remember to use a double agent. Literacy tutorial on dual agency, see I wrote a series of blog " How to hide your tracks, avoiding chase provinces . "

◇ I2P

TOR I2P is very similar to the circumvention tools (TOR called onion routing, and I2P garlic routes). Talia's main purpose is to "conceal identity", over the wall additional uses only incidentally.
The cost of security and firmness I2P stronger than the TOR, the result is very slow. So I2P is primarily used as a backup circumvention tools. When your favorite tools fail, you can take it to an emergency.
I2P provides proxy has two ports, "4444" port is used to proxy HTTP protocol, "4445" port is used to proxy HTTPS protocol. Configure browser proxy to be careful, do not confuse. Specific configuration, see I wrote " simple literacy I2P uses . "
Official site " here . " Not on the official website of the students, go to the following web site to download the latest version 0.9.12: wall download

◇ race. Wind

(Since the court opened 18 large, GFW strengthen the race. Wind blocked, recently more than a year, race the wind is very unstable)
Tournaments wind is a veteran of the software over the wall. Early in the race. Wind 2 provides only the Web Agent. From the race. Wind 3 began, introduced a client software. This client is very cow B, while supporting SSH and VPN-based proxy mode mode (on the VPN model, this article will introduce the follow-up). Moreover, it is also the single green software, than the world. Bounds. Tong also small (just over 300 KB), and with a digital signature. (How to verify the digital signature, please look over the wall " here ")
If the season wind patterns over the wall using a VPN, all your network software without any settings, you can follow the wall; if the games use a proxy mode over the wall, then open two ports:.. "8080" port for the HTTP proxy, "1080" port for the SOCKS proxy.
More on race. Wind detail, see the blog post " two-pronged race. wind 3 "
Get race. Wind is very simple. You just need to race the wind official website provides mailbox get@psiphon3.com send any messages, can immediately receive automatic reply. In reply, directly attached to race. Wind executable program (if the mail attachment named "psiphon3.asc", to "psiphon3.exe" can be run directly).

★ VPN Client

Having a proxy tool, again introduce VPN client software.

Principle ◇ VPN over the wall

VPN is actually between the local and remote VPN server to establish an encrypted channel, all the data to the destination site via foreign VPN server. However, the agent software is different, VPN software will be a virtual network adapter in your system in the past. Then, you access the application (no matter what type), are available through the virtual NIC and VPN server for data transmission.
Some offer VPN services, direct use of open source, the famous OpenVPN as a client - you can go to the " here "to download; still others use their own developed client - so you need to go to its official site download. Below, I list some free use of VPN.

◇ VPN Gate

This is a new circumvention tool released in March 2013, developed by the University of Tsukuba in Japan. The VPN's highlights are: its server provided by volunteers from around the world, is distributed. As a result, GFW would be difficult to completely blocked. Use it over the wall, fast and stable. This is the best free VPN circumvention tools.
It is the Chinese version of the official website in the " here "(required to access over the wall). Because VPN Gate installation package is relatively large (with more than thirty trillion), and updated very frequently, so I did not provide walls for download. To download the students, you can use a Web proxy (described earlier) on its official website, it's official website has a list of mirror sites. These mirror sites change every hour, in order to circumvent the GFW blocked. Download the installation package from the mirror site, without the wall.
For more introduction VPN Gate, see I wrote the tutorial " Literacy VPN Gate-- distributed VPN server "

Summary ★ agent tools and VPN software

Because proxy and VPN software tools relatively similar, sum up a little contrast.

Cons Pros & VPN ◇ proxy tool of

Most proxy tools are free, but a lot of VPN software is commercial software, take notes drops. Few no cost VPN, but also life or traffic restrictions.
Further, since the VPN you need to install the virtual network adapter in your system, it is not a green software VPN software, and most require administrator privileges to install. This is for users of this I prefer green software, is also a significant drawback.

Cons Pros ◇ VPN's & Agents tools

Because a VPN virtual network card, you use a variety of software (browser / chat / e-mail client) without any settings, you can directly transfer data through the virtual NIC. This is a big advantage of VPN.

◇ no absolute strong tool

Before 2010, I always thought TOR is very strong drop. However, the brutal facts so I recognize that there are weak --TOR time (starting from early March 2010, TOR began instability, almost not used). Throughout the past few years, almost every circumvention tools have had blocked record. Therefore, in order to be able to long-term over the wall, everyone usually have to be more prepared in several different proxy or VPN tool, do not hang in a tree.

◇ List

To make everybody see more intuitive, we compiled the following table:

Name	Release	Official Website	Download Page	Wall way	Types of	Are Green
Since by the door	7.4.2 7.4.2	Here	Professional Edition Expert Edition	HTTP proxy, port 8580	Free Software	It is
None. Border	14.03	Here	Here	HTTP proxy, port 9666	Free Software	It is
I2P	0.9.12	Here	Here	HTTP proxy, port 4444 HTTPS proxy, port 4445	Open source software free software	It is
Race Wind	3.45	Here	Here	HTTP proxy, port 8080 SOCKS proxy, port 1080 VPN	Open source software free software	It is

★ phone over the wall

Right now the popularity of smartphones greatly, so the phone will be put on the agenda over the wall. Here are some common phone wall method

◇ agent software

Phone system can also run over the wall agent. For example, no. Community, race the wind, TOR has provided a mobile version.

◇ VPN

Smart phone, you can run the VPN client. Thus, you can make phone via VPN over the wall. In the popular Andr oid for example, it supports OpenVPN, PPTP, L2TP and other types of VPN. Because the VPN front just introduced here without further ado.
VPN Speaking on the phone over the wall, I recommend that everybody try fqrouter. About this tool has been widely used in the heavenly, very stupid and stability is also good. Its literacy tutorial See " fqrouter-- Android circumvention tool (Free ROOT) . "

◇ mobile browser

Why mobile browser can squeeze through the wall? Generally works like this drop: As the mobile phone more sensitive to network traffic, in order to compress network traffic, some mobile browser by way of the operation of the proxy server. For example, when you attempt to access a page, the browser is not directly to the site requesting data, but by the phone for the browser to request a proxy server, and then by the proxy server to get the data compression and optimization, then back to the mobile browser.
With the above manner mobile browser, if the proxy server settings in foreign countries, there is hope for a breakthrough GFW drops. Due to the increasingly stringent blockade party state, many mobile browser default proxy server are blocked. Therefore, through the mobile browser over the wall, you need to modify your browser software, it does not use the default proxy server, use your specified server.
Different mobile browser, change clothes are not the same way. Due to space limitations, it no longer makes a detailed description, given only mobile browser to change clothes several articles.
Popular mobile browser (Opera Mini, UCWeb) method to change clothes
Mobile wall method --Java version of Opera Mini and UCWeb change foreign server

★ Other Resources

Since the nets of technologies emerging over the wall, in order to advance with the times, we have to continue to learn. Here are a few related blog.

◇ I's blog

First of all, I give myself to make a cheek advertising :-)
What if I find a new skill over the wall, it will be the first time I sent to the Blog or Twitter. I welcome everybody subscribe to the blog (subscription address: http://feeds2.feedburner.com/programthink ), can also Follow I (on Twitter ProgramThink ).
If you read this post on the wall or have questions, or have anything to add to this tutorial and recommendations, can go to the blog site I leave a message, you can give Email ( program.think@gmail.com ). I will try to seal the deal over the wall storm. If you found this article which does not open the download link, please notify the span. I will be replaced, so that GFW off guard :)

◇ GFW blog

Subsequently, highly recommended thematic blog GFW, more sensitive to its subscription address, I inconvenient to write directly based bit.ly jump address is: " http://bit.ly/nDMBl . "
Also, you can access its Google Group, the address is: " https://groups.google.com/group/gfw-blog . " The Group has been closed, with a fly recommended "blog reader" subscription.

Some information ◇ Wikipedia

Good stuff on Wikipedia, it is quite multi-drop ah! Recommended several articles related to everybody Chou Chou: " .. in the country network review... "," breakthrough network review..... . "

★ end

Long-winded so long space, basically the usual tricks are introduced before. Finally, borrow Dickens wrote in "Tale of Two Cities," saying:

This is the best of times, worst of times;
This is the age of wisdom, is foolish years;
It is the epoch of belief, but also the epoch of incredulity;
This is the season of Light, is the season of Darkness;
This is the spring of hope, but also the winter of despair;
Everything in front of everybody, nothing in front of everybody;
Everybody is Naoto heaven; everybody is straight to hell.

I wish the walls of netizens can successfully master the wall position, as soon as possible to breathe the air of freedom on the Internet!

=====
文章目錄
★党国为啥要封网？ ★黨國為啥要封網？咱们为啥要翻墙？咱們為啥要翻牆？
★扫盲——ＧＦW 是嘛玩意儿？ ★掃盲——ＧＦW 是嘛玩意兒？
★先从Google 系列产品说起 ★先從Google 系列產品說起
★修改hosts 文件 ★修改hosts 文件
★修改DNS 服务器 ★修改DNS 服務器
★加密Web 代理 ★加密Web 代理
★代理软件 ★代理軟件
★VPN 客户端 ★VPN 客戶端
★代理工具和VPN 软件的总结 ★代理工具和VPN 軟件的總結
★手机翻墙 ★手機翻牆
★其它的资源 ★其它的資源
★结尾 ★結尾

公元2009年5月的某天，BlogSpot 又一次撞牆，被ＧＦW 封了。俺在BlogSpot上的博客（在“ 這裡 ”）也遭受池魚之殃，杯具啊杯具！還好當初留了一手，在CSDN建了個鏡像Blog作備份。當時為了讓俺博客的幾千個讀者能夠繼續訪問，咱特地寫了這個掃盲帖，全面普及一下翻牆的各種基本“姿勢”。
由於翻牆技術日新月異，本文也會不斷更新。會翻牆的同學，請通過“ 這裡 ”看本文的最新版本。不會翻牆的同學，請發郵件給help_gfw@yahoo.com ，即可通過自動回信，獲取本文最新的內容（發信最好用國外的郵箱，強烈推薦Gmail）。

★黨國為啥要封網？咱們為啥要翻牆？

為啥我黨寧可得罪廣大網民（早已超三億）也要搞ＧＦW 來進行網絡封鎖捏？簡單地說，互聯網上有很多信息，是黨國不希望你看到的。通過ＧＦW，黨國可以控制你能看到啥，不能看到啥。控制了信息渠道之後，黨國可以很容易地忽悠你，對你進行洗腦，讓你變成腦殘。
現在你明白了吧？只要你受制於ＧＦW，你就沒有“訪問互聯網的自由”，因而也沒有“獲取信息的自由”。但是俺始終認為：“ 訪問互聯網的自由是網民的基本權利 ”。所以，俺這些年來，一直在想辦法普及翻牆姿勢。如果你也認同上述觀點，請你幫助傳播本教程給周圍的人，與ＧＦW 鬥爭需要大夥兒的參與。
由於本文主要講翻牆技術，這個話題就不深入展開了。有興趣的同學可以看看俺之前的幾個帖子（在牆外）：
《黨和互聯網的較量》
《面對牆，我們所能做的就是——讓ＧＦW陷入到人民戰爭的汪洋大海之中》

★掃盲——ＧＦW 是嘛玩意兒？

考慮到某些網友從來不知“ＧＦW”為何物，俺通俗地掃盲一下。
ＧＦW 就是我黨為了加強對互聯網的控制和封鎖，下大力氣、花大價錢搞出來的一個東東。這個東東部署在天朝互聯網的國際出口。既然是花大價錢搞出來的，自然是很牛很強大。這個玩意兒具有如下主要功能：

◇DNS 欺騙（DNS 污染）

“DNS 欺騙”洋文叫“DNS Spoofing”；“DNS 污染”又稱為“域名緩存投毒”，洋文叫“DNS Cache Poisoning”。這兩者是一個意思，只是叫法不同。
如果你使用的是牆外的DNS 服務器，那麼，你每次進行DNS 查詢，都會要經過國際出口。這時候，ＧＦW 會通過該技術手段偽造DNS 的查詢結果——使得你查詢到的網站IP 是錯誤的。如此一來，你自然就無法該網站。
順便說一下，“DNS 欺騙”與“DNS 劫持”是兩碼事。 “DNS 劫持”是指DNS 服務器上的記錄被人為修改成錯誤的。在天朝，很多國內的ISP 會故意修改自己DNS 服務器上的記錄，把某些敏感網站的記錄修改成錯誤的。
關於“DNS污染”，俺後來還專門寫過一篇《掃盲DNS原理，兼談“域名劫持”和“域名欺騙/域名污染” 》。

◇IP 封鎖（IP 黑名單）

顧名思義，就是屏蔽某些IP 地址。
如果你要訪問的網站，其網站的IP 被ＧＦW 列入IP 黑名單中。那麼該網站就無法正常訪問。

◇敏感詞過濾（關鍵字過濾）

ＧＦW 會維護一個很長很長的敏感詞列表，並且該列表是經常更新的。一些政治方面比較敏感的詞彙，都位於該列表上。
如果你訪問的網頁中包含任何一個敏感詞，那麼ＧＦW會通過技術手段屏蔽該頁面，讓你看不到。

通過以上幾項功能，它可以有效阻止網民看到黨不想讓你看到的信息。如果你比較好奇，想了解更詳細的關於ＧＦW的介紹，請翻牆看“ 這裡 ”。

★先從Google 系列產品說起

前面說了很多屁話，現在開始切入正題。先從相當牛X的Google 公司說起。
Google提供了很多優秀的、基於Web的產品（比如Gmail、Google Reader、Google Groups、Google Docs），這些產品基本上都支持HTTPS方式訪問（也就是加密訪問），因此能用作穿牆利器。俺拿其中的幾個來聊一聊。

◇Google Reader

Google Reader首先是一款“博客閱讀器”，而且還是一款居家旅行、翻牆必備的好工具。可惜這個好工具在2013年7月1日被Google 關閉了。
關於此事，俺專門寫了2篇博文《 Google Reader之死——原因分析、應對措施、教訓》《 Google Reader的替代品，哪個比較靠譜？》供大夥兒參考。
言歸正傳，“博客閱讀器”的好處在於——可以用它來訪問被牆的網站。但是有兩個前提：
前提1——你用的“博客閱讀器”本身沒有被牆前提2——你要訪問的被牆網站，支持RSS 輸出（也叫“RSS 訂閱”）。

◇Gmail

Gmail 的Web 操作界面，相當滴好用（從它這幾年的市場佔有率猛增就可以看出來）。由於Gmail本身支持HTTPS加密方式訪問，因此也成了另一個翻牆的利器。使用Gmail之前，記得到Gmail的“設置”界面，找到“常規”標籤頁，把裡面的“ 始終使用https ”勾上。
有些敏感的網站（比如“美國之音”），為了便於大夥兒訪問，專門提供了郵件訂閱功能：你可以通過郵件獲取這些網站的每日更新。還有很多論壇（比如Google Groups上的論壇），也都提供郵件訂閱功能。有了Gmail之後，你就可以用它來獲取上述網站的內容更新。
插個廣告：在2013年6月底（Google Reader 關閉前夕），俺博客也開通了郵件訂閱功能。請看這篇《郵件訂閱功能發布——免翻牆的“Google Reader替代品” 》。
除了能用Gmail 來訂閱網站內容，還可以用Gmail 來獲取一些翻牆軟件（後面會介紹）。

◇Google Drive / Google Docs

Google Docs （如今改名為“Google Drive / GDrive”）是一個很方便進行文檔分享的工具。由於它也支持HTTPS方式（請原諒俺的囉嗦），所以你可以用它來寫各種政治敏感的文章，然後再分享到Internet上。比如，俺的這篇“如何翻牆”的帖子，也可以用http://docs.google.com/View?docid=0AbZnRSbuUv3sZGNwNXg4NDNfMTRjd25uZ2Zkcw&hl=en進行分享。用這種方式分享的好處在於：Google Docs 的URL 路徑是一串無規律的字符串，ＧＦW不容易進行封殺。
可恨的是，黨國60大壽之際，ＧＦW 把Google Docs 的443端口乾掉了。由於443是HTTPS 協議的默認端口，封鎖Google Docs 的443端口意味著你將無法用加密的HTTPS 協議直接訪問Google Docs，而只能用明文的HTTP 協議進行訪問。不過大夥兒別著急，咱們還是有辦法，請看後續的“修改hosts 文件”。

★修改hosts 文件

大部分操作系統都支持hosts 文件，它提供了IP 的“別名機制”。這種基於IP 的別名機制可以用來對抗ＧＦW 的域名封鎖。考慮到篇幅有限，具體的技術細節暫且不提。

◇如何設置

如果你使用Windows 系統，可以使用如下命令打開hosts 文件。
notepad %SystemRoot%\system32\drivers\etc\hosts

如果你使用Linux 系統或蘋果的Mac 系統，可以用如下命令打開。
vi /etc/hosts

打開之後，把那些被封鎖的網站的IP 及域名加入hosts 文件（每行一個）即可。比方說，上述提到的Google Drive，它的IP 是74.125.227.198，那我們只要在hosts 加入如下一行：
74.125.227.198 drive.google.com
然後就可以像往常一樣使用基於HTTPS 協議的Google Drive 了。

◇優缺點分析

使用此招數的好處在於：
(1) 非常傻瓜化——不需要安裝軟件；
(2) 性能很好——當中無需經過代理的中轉。
但是有好必有壞，此招數的壞處也很明顯：
(1) 如果你訪問的是HTTP 協議的網頁，且內容包含敏感詞，那麼此招數照樣沒戲；
(2) 如果ＧＦW 不光封域名，還封IP，那麼此招數也還是沒戲；
(3) 如果某個網站的IP 已經變化了，那你就要與時俱進地修改你的hosts 文件，煞是麻煩。

綜上所述，修改hosts文件的法子，只能用於諸如Google Drive 之類影響力巨大的網站。因為Google Drive 用的人已經比較多，ＧＦW 不好意思把整個域名及IP 段都封殺。因此，只好選擇性地封鎖HTTPS 協議，而對HTTP 協議網開一面（HTTP 協議是明文的，便於ＧＦW 進行關鍵詞過濾）。這種情況下，“修改hosts 文件”的招數就可以派上用場了。

★修改DNS 服務器

說完修改hosts 文件，再來說說修改DNS。這招是用來防止域名劫持滴（但是不能防止域名污染）。域名劫持的勾當，貌似國內很多運營商（比如上海電信）都乾過。所以捏，盡量不要用你所在運營商提供的DNS 服務器，不保險。畢竟國內的運營商都受到黨國的控制，估計他們也身不由己。
俺推薦幾個國外的、知名的、人品好的DNS 給大夥兒參考。
Google 不愧是牛X的公司，而且很人性化。它提供瞭如下兩個很好記的DNS 服務器。
8.8.8.8
8.8.4.4

為了防止ＧＦW 把Google 的DNS 服務器封殺掉，大夥兒還得多再備份幾個。下面這些DNS 的IP 可就沒Google 的DNS 那麼好記了。
OpenDNS：
208.67.222.222
208.67.220.220

台灣中華電訊的DNS：
168.95.192.1
168.95.192.2

香港寬頻的DNS：
203.80.96.9
203.80.96.10

至於如何修改你電腦的DNS 服務器，應該不用俺教了吧？不會的同學，自己上Google 去查。

★加密Web 代理

說完Google 的系列工具之後，可能有同學會問了：既沒有提供RSS 訂閱，又沒有提供郵件列表的站點咋辦捏？不要怕，還有另外一個東東可以穿牆，那就是加密Web 代理。
基於HTTPS 方式的加密Web 代理，主要好處是：無需安裝其它軟件，光靠瀏覽器就可以搞定。不過捏，HTTPS 代理一旦用的人多了，容易引起ＧＦW 的注意，死期也就不遠了（正所謂人怕出名豬怕壯）。如果你想用這招，就得經常去逛一些代理網站。
本來俺在這個翻牆教程中，會附帶放幾個HTTPS 的web 代理，便於大夥兒直接使用。可惜自從2010年3季度，ＧＦW 開始盯上俺了（貌似ＧＦW 的走狗，也在看俺的博客）。所以捏，俺就不把具體的加密Web 代理放出來了，以免便宜了那些走狗。想要的同學，自己去Google 一下。

★代理軟件

代理軟件可是本教程的重點章節哦！
最近黨國加大網絡封鎖，很多翻牆工具都失效了。 大夥重點看“自.由.門”、“無.界”這幾款的介紹！

◇代理的工作原理

代理工具的翻牆原理是這樣滴：
假設你想通過翻牆代理訪問某個被牆的網站（比如反動網站、黃色網站:），這時候會經歷如下幾個步驟：
(1) 你的上網軟件（通常是瀏覽器）會把數據發送給你電腦中的代理工具；
(2)該工具把數據進行加密，然後發送給國外的某個代理服務器；
(3) 該代理服務器把數據解密，然後發送給你要訪問的網站。
(4) 從該網站回傳的數據，也是經過上述途徑，最終回到你的瀏覽器。

◇代理的分類

按照是否加密，代理軟件可分為加密代理和不加密代理2種（這不是廢話嘛:）。為了避開ＧＦW敏感詞過濾，咱必須得使用加密代理軟件。
按照協議類型，常見的有HTTP 代理和SOCKS 代理。如果你純粹用瀏覽器翻牆，HTTP 代理就夠用了；如果你還需要讓其它軟件（比如MSN）翻牆，那就得用SOCKS代理。

◇代理工具的獲取

俺下面提到的很多軟件，官方站點都已經被牆。為了便於大夥兒下載，俺把幾個常用的工具放到微軟網盤上，然後在Google Code上整理了“ 匯總清單 ”（可惜該頁面也被牆了）。
對於無法翻牆的網友，俺還準備了牆內的下載 。為了騙過國內的網站管理員，放到牆內的翻牆工具，都嵌入到圖片文件內。因此，你下載的是一個圖片文件。下載後，你需要把該文件的擴展名改為“7z”，就可以用7zip或WinRAR打開，然後解壓出代理工具。

◇代理工具的注意事項

由於使用加密的方式穿透ＧＦW，所以性能上肯定會打折扣滴。建議大夥兒同時用兩個瀏覽器：一個瀏覽普通的網站，另一個配置好代理瀏覽被牆的網站。對於使用Firefox或Chrome的同學，也可以安裝一些第三方的代理插件（比如： AutoProxy 、 FoxyProxy ），用來自動切換代理模式和非代理模式。
另外，有些網站的名稱很敏感，俺為了本文能夠再轉貼到其它地方（規避關鍵詞過濾），對敏感名稱做了適當的變換；還有一些網站，連域名都很敏感，俺用bit.ly作了跳轉。（由於bit.ly的名氣太大，也遭封殺， 你需要翻牆才能打開這些bit.ly的跳轉地址 ）

◇自.由.門

自.由.門（來自於動.態.網），是一家具有政治背景的公司專門開發來突破ＧＦW 的。它的版本升級比較頻繁，最好經常更新到最新版本，以獲取最佳的破網效果。
自.由.門是綠色軟件，不大（2兆左右），帶有數字簽名的。如果你不是從官方網站下載，最好查看一下數字簽名，以確保該文件沒有被篡改（比如感染病毒）。至於如何驗證數字簽名，請翻牆看“ 這裡 ”。
自.由.門還分“專家版”和“專業版”兩款。據說專家版適合技術老鳥用；專業版適合菜鳥用:)。俺個人覺得這倆版本差別不大。
它使用HTTP 代理的方式，端口是“8580”。
自.由.門的官方站點在“ 這裡 ”（早就被牆，此處用bit.ly跳轉）。不方便訪問其官網的同學，可以通過發郵件給“ freeget.one@gmail.com ”來獲取它；如果你連郵件都懶得發，可以到如下頁面下載：
7.4.2專業版（牆外下載）
7.4.2專家版（牆外下載）

◇無.界

“無.界”的背景、使用方式都很類似於“自.由.門”。從2011年11月開始，無.界採用了新的翻牆機制，翻牆能力有顯著提升。相關的詳細介紹，請看俺專門寫的帖子《新版本無.界——賽.風3失效後的另一選擇》。
無.界使用HTTP 代理的方式，端口號是“9666”。
官方站點在“ 這裡 ”（早就被牆，此處用bit.ly跳轉）。
上不了官網的同學，請到如下網址下載最新的14.03版本：牆外下載

◇TＯR

TＯR 也叫“洋蔥網絡”。網上常聽人說的“帶套（TＯR 的諧音）穿牆”就是指它。這玩意兒是一個開源項目，用於保護個人上網的自由和隱私。它的工作原理可以參見“ 這裡 ”。
TＯR 的官方網站已經被牆，大夥兒可以通過郵件方式獲取TＯR。具體如下：
先發送主題為“help”的純文本郵件到gettor@torproject.org ，收到回信後根據郵件的提示再回復一次 ，即可在你的郵箱中收取TＯR的軟件包。強烈推薦使用Gmail，以確保最佳效果。盡量別使用國內的郵箱，切記！
由於TＯR 的名氣太大，ＧＦW 特別關照它。很多TＯR 的網橋中繼都被ＧＦW 列入IP 黑名單，導致TＯR 無法單獨使用。不過沒關係，咱們依然可以通過公共代理的方式，聯上TＯR 在全球的節點網絡。具體配置方法請看俺寫的《戴“套”翻墻的方法》。
另外，TＯR 雖然無法單獨使用，但是可以用TＯR 跟其它翻牆工具搭配，構造雙重代理。雙重代理的隱匿性非常好，如果你經常在網上發表敏感言論，要記得使用雙重代理。關於雙重代理的掃盲教程，請看俺寫的系列博文《如何隱藏你的踪跡，避免跨省追捕》。

◇I2P

I2P 是非常類似於TＯR 的翻牆工具（TＯR 叫洋蔥路由，而I2P 是大蒜路由）。它倆的主要用途是“隱匿身份”，翻牆只是順帶的附加用途。
I2P 的安全性和堅挺程度比TＯR 更強，換來的代價是速度很慢。所以I2P 主要是用來作為備用翻牆工具。當你常用的工具失效時，就可以拿它來救急。
I2P 提供的代理有兩個端口，“4444”端口用來代理HTTP 協議，“4445”端口用來代理HTTPS 協議。在配置瀏覽器代理的時候要小心，別搞混了。具體配置方法請看俺寫的《簡單掃盲I2P的使用》。
官方站點在“ 這裡 ”。上不了官網的同學，請到如下網址下載最新的0.9.12版本：牆外下載

◇賽.風

（自從朝廷開18大，ＧＦW 加強對賽.風封殺，最近一年多，賽.風很不穩定）
賽.風也是老牌的翻牆軟件。早期的賽.風2僅提供網頁代理。從賽.風3開始，推出了客戶端軟件。這個客戶端很牛B，同時支持基於SSH 的代理模式和VPN模式（關於VPN模式，本文後續會介紹）。而且，它也是單個綠色軟件，比世.界.通還小巧（僅有300多KB），且帶有數字簽名。（如何驗證數字簽名，請翻牆看“ 這裡 ”）
如果賽.風使用VPN模式翻牆，你所有的網絡軟件無需任何設置 ，就能跟著翻牆；如果賽.風使用代理模式翻牆，則開啟兩個端口：“8080”端口用於HTTP代理， “1080”端口用於SOCKS 代理。
更多關於賽.風的詳細介紹，請看俺博客的帖子《雙管齊下的賽.風3 》
獲取賽.風很簡單。你只需往賽.風官網提供的郵箱get@psiphon3.com發送任意郵件，立馬就能收到自動回复。 在回信中，直接就附上了賽.風的可執行程序 （如果郵件裡的附件名叫“psiphon3.asc”，改為“psiphon3.exe”即可直接運行）。

★VPN 客戶端

說完了代理工具，再來介紹一下VPN 客戶端軟件。

◇VPN 翻牆的原理

VPN 其實也是在本地與遠程的VPN 服務器之間建立一個加密通道，所有數據都經由國外的VPN 服務器到達目的網站。但是，與代理軟件不同，VPN 軟件會在你的系統中虛擬出一個網卡來。然後，你上網的應用程序（不管是何種類型），都可以通過這個虛擬網卡和VPN 服務端進行數據傳輸。
有些提供VPN服務的公司，直接使用開源的、大名鼎鼎的OpenVPN作為客戶端——你可以到“ 這裡 ”下載；還有一些則使用自己公司開發的客戶端——因此你需要到它的官方站點下載。下面，俺列舉一些可以免費使用的VPN。

◇VPN Gate

這是2013年3月發布的新型翻牆工具，由日本的筑波大學開發。這款VPN 的亮點在於：它的服務器由世界各地的志願者提供，是分佈式的。這樣一來，ＧＦW 就難以徹底封殺。使用它翻牆，速度快而且穩定。這是目前最理想的免費VPN 翻牆工具。
它的中文版官網在“ 這裡 ”（需要翻牆才能訪問）。由於VPN Gate 的安裝包比較大（有三十多兆），而且更新非常頻繁，所以俺沒有提供牆內下載。要下載的同學，可以先用Web 代理（前面介紹過）上它的官網，它的官網上有鏡像站點的列表。這些鏡像站點每個小時都會變化，以規避ＧＦW 的封殺。從鏡像站點下載安裝包， 無需翻牆 。
關於VPN Gate的更多介紹，請看俺寫的教程《掃盲VPN Gate——分佈式的VPN服務器》

★代理工具和VPN 軟件的總結

由於代理工具和VPN 軟件比較類似，俺稍微對比總結一下。

◇代理工具的優點& VPN 的缺點

大部分代理工具都是免費的，而VPN 軟件很多是商用軟件，要花鈔票滴。少數不花錢的VPN，也有使用期限或者流量限制。
另外，由於VPN 需要在你的系統中安裝虛擬網卡，因此VPN軟件都不是綠色軟件，且多半需要管理員權限才能安裝。這對於俺這種偏好綠色軟件的用戶來說，也是一個明顯的缺點。

◇VPN 的優點& 代理工具的缺點

由於VPN虛擬出一個網卡，你使用的各種軟件（瀏覽器/聊天工具/郵件客戶端） 無需任何設置 ，就可以直接通過這個虛擬網卡傳輸數據。這是VPN的一大優點。

◇沒有絕對堅挺的工具

2010年之前，俺一直以為TＯR 是很堅挺滴。然而，殘酷的事實讓俺認識到——TＯR 也有疲軟的時候（從2010年3月初開始，TＯR 就開始不穩定，幾乎沒法用了）。縱觀這幾年，幾乎每一款翻牆工具都有過被封殺的紀錄。因此，為了能夠長期翻牆，大夥平時一定要多備幾種不同的代理或VPN 工具，千萬別在一棵樹上吊死。

◇一覽表

為了讓大夥兒看得更直觀，俺整理瞭如下表格：

名稱	版本	官方網站	下載頁面	翻牆方式	類型	是否綠色
自.由.門	7.4.2 7.4.2	這裡	專業版專家版	HTTP代理，端口8580	免費軟件	是
無.界	14.03	這裡	這裡	HTTP代理，端口9666	免費軟件	是
I2P	0.9.12	這裡	這裡	HTTP代理，端口4444 HTTPS代理，端口4445	開源軟件免費軟件	是
賽.風	3.45	這裡	這裡	HTTP代理，端口8080 SOCKS代理，端口1080 VPN	開源軟件免費軟件	是

★手機翻牆

眼下智能手機大為普及，因此手機翻牆也就提上議事日程。下面介紹幾種常見的手機翻牆方法

◇代理軟件

手機系統也可以運行翻牆代理。比如無.界、賽.風、TOR 都有提供了手機版。

◇VPN

智能手機上，也可以跑VPN 客戶端。這樣，就可以讓手機通過VPN 翻牆。以廣受歡迎的Android 為例，它支持OpenVPN、PPTP、L2TP 等多種類型的VPN。由於VPN 前面剛介紹過，此處不再囉嗦。
說到手機上的VPN 翻牆，建議大夥兒嘗試一下fqrouter。關於這款工具在天朝之內已經廣為使用，很傻瓜而且穩定性也不錯。它的掃盲教程請看《 fqrouter——安卓系統翻牆利器（免ROOT）》。

◇手機瀏覽器

手機瀏覽器為啥能穿牆捏？大致原理是這樣滴：由於手機對於網絡流量比較敏感，為了盡量壓縮網絡流量，某些手機瀏覽器採用代理服務器的方式運作。比如當你企圖訪問某個網頁時，瀏覽器並不是直接向該網站請求數據，而是通過手機瀏覽器對應的一個代理服務器去請求，然後由代理服務器拿到的數據進行壓縮和優化，然後再回傳給手機瀏覽器。
採用上述方式的手機瀏覽器，如果代理服務器設置在國外，是有希望突破ＧＦW 滴。由於黨國的封鎖越發嚴厲，很多手機瀏覽器默認的代理服務器都被屏蔽了。因此，要通過手機瀏覽器翻牆，需要通過修改瀏覽器軟件，讓它不使用默認的代理服務器，改用你指定的服務器。
不同的手機瀏覽器，改服的辦法也不盡相同。限於篇幅，俺不再作詳細介紹，僅給出幾款手機瀏覽器改服的文章。
常用手機瀏覽器（Opera Mini、UCWeb）改服方法
手機翻牆方法——Java版Opera Mini和UCWeb改國外服務器

★其它的資源

由於翻牆破網的技術層出不窮，為了與時俱進，咱還得不斷學習。下面介紹幾個相關的博客。

◇俺的博客

首先，厚著臉皮給俺自個兒作個廣告:-)
俺如果發現什麼新的翻牆技巧，會在第一時間發到俺的Blog 或Twitter 上。歡迎大夥兒訂閱俺的博客（訂閱地址： http://feeds2.feedburner.com/programthink ），也可以在推特上Follow俺（ @ProgramThink ）。
如果你看完本帖後，對翻牆還是有疑問、或者對本教程有什麼補充和建議，可以到俺博客站點留言，也可以給俺Email（ program.think@gmail.com ）。俺會盡可能幫你搞定翻牆難關。如果你發現本文有哪個下載鏈接打不開，也請通知俺。俺會及時更換，讓ＧＦW 防不勝防:)

◇ＧＦW blog

接著，隆重推薦ＧＦW的專題blog，它的訂閱地址比較敏感，俺不便直接寫，基於bit.ly的跳轉地址是：“ http://bit.ly/nDMBl ”。
另外，還可以訪問它的Google Group，地址是：“ https://groups.google.com/group/gfw-blog ”。這個Group已經被封，推薦請用靠譜的“博客閱讀器”訂閱。

◇維基百科的一些資料

維基百科上的好東東，那是相當滴多啊！推薦幾篇相關的文章給大夥兒瞅瞅：“ 中.國.網.絡.審.查 ”、“ 突.破.網.絡.審.查 ”。

★結尾

囉嗦了這麼長的篇幅，基本上把常用的招數都介紹過了。最後，借用一下狄更斯寫於《雙城記》的名言：

這是最好的時代，也是最壞的時代；
這是智慧的年代，也是愚蠢的年代；
這是信仰的時期，也是懷疑的時期；
這是光明的季節，也是黑暗的季節；
這是希望的春天，也是失望的冬天；
大夥兒面前應有盡有，大夥兒面前一無所有；
大夥兒正在直登天堂；大夥兒正在直落地獄。

祝愿牆內的網友們都能順利掌握翻牆姿勢，早日呼吸到互聯網上自由的空氣！

===========

How to connect to the TOR network at home?

Deep Web Chinese about a month ago

Original article link: http://blog.timshan.idv.tw/2014/01/how-to-tor-browser-bundletor.html

Now if you mention the anonymous network, the best known is probably the onion routing (The Onion Router), Navy had not been listening to establish a network in order to protect the government's communications and sponsorship Tor Project, its high internal NSA occult Connected briefing file: Tor Stinksa (full version provided by The Guardian) are considered difficult to identify Tor users in through one after artificial than real success can identify users account for only a very small proportion. Such a feature makes Tor was welcomed by many people, including necessarily connected to the Internet via a Proxy users, ISP monitoring of state power by the people, as well as engage in highly occult work, perhaps in the near future will face Taiwanese We had to use Tor situation.

Talk so much, that in the end user how to use the Tor line? After a series of early adopters need to set in order to successfully make the browser even on Tor, which in terms of End User is a high threshold, but now Tor Project has been launched to Firefox ESR (What's this?) Exclusive basis Browser: Tor Browser Bundle (referred TBB), the user only needs to download the Tor Project website after decompression, can be used immediately without the need for complicated settings.

Update: Update network settings, Bridge made from BridgeDB teaching, and more Hidden Service list.

Basic Information

Software name: Tor Browser Bundle
Current Version: ~~4.0.3~~ 4.5.3
Support Platform: Windows (8, 7, Vista, XP), Apple OSX (10.6+), Linux, Unix, BSD
Download page: https://www.torproject.org/download/download-easy.html.en

Precautions

Why can not you use Google? I believe this is the beginning of a user when using TBB most unaccustomed place, in fact, the reason is very simple, because each outlet node (Exit Nodes) at the same time there are many users share, so naturally will determine the IP for Google abnormalities traffic. Although no way to use Google, but another well-known search engine Bing.com does not prohibit Tor users, and another because of the privacy controversy and the rise of anonymous search engine DuckDuckGo also a good choice.
Do not use TBB even on Facebook (Facebook has provided Tor dedicated .onion URL), G + and other community sites: I think we probably have the impression, there was a time Facebook and Google accounts stolen is quite serious, so let these two The company has launched a two-stage verification services, but if the account login location access too, will temporarily disable the account activities to ensure data security, and use Tor, then, probably because this point was Facebook account and Goolge ban activities, so be sure to pay attention to.
Do not use P2P through Tor: we will raise this point is not based on legal considerations, but Tor nodes are provided voluntarily by the user, but there will be many users to share, if the use of P2P will affect other users and create a voluntary basis those problems, so do not do it.
Do not use TBB to click on the Google Adsense ads, NSA had TBB is to use DoubleClickID to identify users.
I believe many people are curious as to why TBB not install other Ad-blockingc or Anti-tracking the expansion pack? FAQ is official this response:
"Tor Browser aims to provide sufficient privacy that additional add-ons to stop ads and trackers are not necessary. Using add-ons like these may cause some sites to break, which we do not want to do ?. Additionally, maintaining a list of "bad" sites that should be black-listed provides another opportunity to uniquely fingerprint users. "
In short, the original intention of doing so in violation of the Tor, in addition to maintain the blacklist, so that interested parties may have the opportunity to produce a set of Tor users exclusive fingerprint, cause tor user is identified and isolated, so the official reluctance to do so. But I personally install Ghostery tendency to prevent network tracing, but when in use will be taken all the way blocked, will not allow certain additional tracking, this part of the user's own judgment.
TBB usually associated with security updates and patches related to the occult, so be sure to keep TBB in the latest version, otherwise they will lose the use of TBB meaning.

Network Settings

In just installed Tor Browser Bundle, when NetWork Setting window appears, in fact, the average user can directly select Connect to start using, but we are here to tell us a little portion Configure

Network Setting outset will ask if you have been Proxy, here follow the user to choose their own situation, the average home user connection is not through the Proxy.

If you click on a step, "Yes", the next step will require the user to enter the Proxy Information.

Proxy assumptions have been that problems Select "No", the next question is: your Internet service provider (ISP) to block or monitor whether there are connections between the Tor network? The official recommendation here is, if you can not determine the answer to this option, then you choose "no." If the user selects "Yes", then the next will be asked to set Tor Bridge, which makes it more difficult to get Internet connection Tor is ISP blocked, but the relative expense compared to other Tor users connection speed out more , which Tor Project team referred to a viable solution in official documents, and that is to get through BridgeDB Tor Bridge.

Next, the user needs to select the Bridge to use, the official recommended to use obfs3, but in addition to Meek-amazon and Meek-azure (Microsoft) and Meek-google, as to which one to use will be determined by the users themselves, if it is in China Users Meek-google naturally not be options.

After a successful connection to the Tor, it will be displayed in the following figure like About: tor page, but if that fails About: tor will be red.

If you are not satisfied with just the network settings, users in the Tor Browser screen, tap Tor onion icon, then select "Open Network Settings" option.

So that you can adjust the settings according to their own needs it!

Through BridgeDB to get Tor Bridge

As mentioned earlier, in order to make it more difficult to monitor the Internet, Tor users will be connected through a Tor Bridge Tor network, but experienced users use Tor Bridge should be very clear, the connection quality Tor Bridge is not a miserable word enough to describe it, this issue Tor Project team recommends that users get the BridgeBD Birdge to improve the connection quality.

First, connect to BridgeDB home , then tap at Step Two: Get bridge (Bridge)

Obtaining bridging pages, recommend that users select obfs3 Transport type this, the user will have to pay attention to China's millions can not choose obfs2.

In order to prevent a large number of interested parties made through the Robots Bridge, where you need to enter a verification code.

This is the time I get three Bridge

Next, point your browser at the Tor onion onion icon, then select "Opne Network Settings" option.

Check the "My Internet Service Provider (ISP) blocks connection to the Tor network", and then select Enter custom bridges, Birdge then paste just made, so set came to an end.
Note: This is a bridge must be independent of each line, otherwise it will not be read correctly bridge.

=====

如何在家裡連上TOR網路?

深網中文 about a month ago

本文原始連結: http://blog.timshan.idv.tw/2014/01/how-to-tor-browser-bundletor.html

現在如果提到匿名網路，最廣為人知的大概就是洋蔥路由(The Onion Router)，當初美國海軍為了建立一個不被監聽的網路以保護政府通訊而贊助Tor Project，其隱匿性之高連NSA內部的簡報檔：Tor Stinksa(完整版由衛報提供)都認為要辨識Tor的使用者困難重重，在透過人工一一比對之後能真正成功辨識出的使用者也只佔了極小的比例。這樣的一個特性使得Tor受到許多人士的歡迎，包括非得經由Proxy連上網路的使用者、ISP受到國家權力監控的人民、還有從事高度隱匿性工作的人，或許不久的將來台灣人也會面臨不得不使用Tor的處境。

講那麼多，那使用者到底要如何才能使用Tor上網呢？早期使用者需要經過一系列的設定才能順利讓瀏覽器連上Tor，這對End User而言是一道很高的門檻，但是現在Tor Project已經推出以Firefox ESR(這是什麼？)為基礎的專屬瀏覽器：Tor Browser Bundle(簡稱TBB)，使用者只需要到Tor Project的網站下載解壓縮以後，就可以立即使用而無須繁複的設定。

更新：更新網路設定、從BridgeDB取得Bridge的教學，以及更多的Hidden Service清單。

基本資訊

軟體名稱：Tor Browser Bundle
當前版本：~~4.0.3~~ 4.5.3
支援平台：Windows (8, 7, Vista, XP), Apple OSX (10.6+), Linux, Unix, BSD
下載頁面：https://www.torproject.org/download/download-easy.html.en

注意事項

為什麼無法使用Google？我相信這是使用者剛開始用TBB時最不習慣的地方，其實道理很簡單，因為每個出口節點(Exit Nodes)同時有許多的使用者在共享，因此自然會判定該IP對Google有異常的流量。雖然沒辦法使用Google，但另一個知名搜尋引擎 Bing.com並未禁止Tor的使用者，而另一個因為隱私權爭議而崛起的匿名搜尋引擎DuckDuckGo也是不錯的選擇。
不要使用TBB連上Facebook(Facebook有提供Tor專用的.onion網址)、G+等社群網站：我想大家或許還有印象，有段時間 Facebook和Google帳號被盜用的相當嚴重，因此讓這兩家公司先後推出兩階段是驗證的服務，同時若帳號登入的地點出入太大，就會暫時禁止該帳號的活動以確保資料安全，而使用Tor的話很可能因為這點而遭到Facebook與Goolge禁止帳號活動，因此務必注意。
不要透過Tor使用P2P：會提出這點並非基於法律的考量，只是Tor的結點都是由使用者自願提供，同時會有許多使用者共享，若使用P2P會影響到其他使用者且造成自願提供者的困擾，因此切勿這麼做。
不要用TBB來點擊Google Adsense廣告，NSA當初就是用DoubleClickID來辨識TBB的使用者。
相信很多人很好奇，為什麼TBB不安裝其他Ad-blockingc或Anti-tracking的擴充套件？FAQ中是官方這樣回應：
「Tor Browser aims to provide sufficient privacy that additional add-ons to stop ads and trackers are not necessary. Using add-ons like these may cause some sites to break, which we don't want to do?. Additionally, maintaining a list of "bad" sites that should be black-listed provides another opportunity to uniquely fingerprint users. 」
簡而言之，這麼做違反了Tor的初衷，另外維持黑名單，可能讓有心人士有機會產生一組Tor用戶專屬的fingerprint，導致tor使用者被辨識出來，因此官方不願意這麼做。但我個人傾向安裝Ghostery來防止網路追蹤，只是在使用的時候會採全部封鎖的方式，不會另外允許某些特定 tracking，這部分由使用者自行判斷。
TBB的更新通常與安全性與隱匿性的修補有關，因此務必保持TBB在最新版本，否則會失去使用TBB的意義。

網路設定

在剛安裝好Tor Browser Bundle的時候，會出現NetWork Setting的視窗，一般的使用者其實直接選擇Connect就可以開始使用，但我們這裡就稍微介紹一下Configure的部

一開始Network Setting會問你是否有經過Proxy，這裡請依照使用者自身的狀況做選擇，一般家庭用戶連線是沒有經過Proxy的。

如果你上一步點選「是」，下一步就會要求使用者輸入Proxy相關資訊。

假設是否有經過Proxy那個問題選擇「否」，下一個問題是：你的網路服務提供者(ISP)是否有封鎖或監視與Tor網路之間的連線？這裡官方的建議是這樣，如果你無法確定這個選項的答案，那請你選擇「否」。假如使用者選擇「是」，那接下來會被要求設定Tor Bridge，這會使得到Tor網路的連線更難被ISP封鎖，但相對的是比其他Tor使用者犧牲掉更多的連線速度，對此Tor Project團隊在官方文件中提到一種可行的解決方案，那就是透過BridgeDB來獲得Tor Bridge。

接下來，使用者需要選擇使用的Bridge，官方建議使用obfs3，但另外還有Meek-amazon和Meek-azure(微軟)以及Meek-google，至於使用哪一個就由使用者自行決定，如果是在中國的使用者Meek-google自然不會是選項。

成功連線到Tor之後，會顯示如下圖般的About:tor頁面，但如果失敗About:tor就會是紅色的。

如果不滿意方才的網路設定，使用者在Tor Browser的畫面，點一下Tor洋蔥的圖示，然後選擇"Open Network Settings"這個選項。

這樣就可以依照自己的需求調整設定了！

透過BridgeDB來獲得Tor Bridge

前面提到，為了使得網路監控更加困難，Tor的使用者會透過Tor Bridge來連上Tor網路，但是有Tor Bridge使用經驗的使用者應該很清楚，Tor Bridge的連線品質不是一個慘字足以形容的，對此問題Tor Project團隊建議使用者上BridgeBD取得Birdge來改善連線品質。

首先連到BridgeDB的首頁，然後點選一下步驟二：取得橋接(Bridge)

在取得橋接的頁面，建議使用者選擇obfs3這種Transport類型，在中國的使用者則要注意千萬不可以選擇obfs2。

為了預防有心人士透過機器人大量取得Bridge，這裡需要輸入驗證碼。

這就是我這次獲得的三個Bridge

接下來，在洋蔥瀏覽器點一下Tor洋蔥的圖示，然後選擇"Opne Network Settings"這個選項。

勾選"My Internet Service Provider (ISP) blocks connection to the Tor network"，然後選擇Enter custom bridges，然後將方才取得的Birdge貼上，這樣設定就告一段落了。
注意：這裡每一個bridge必須獨立一行，否則會無法正確讀取bridge。

==========

*[19/082015]-uodate-By深網中文 Deep Web Chinese([China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)[中國]如何圖收支平衡上的Deep Web的長城（圖形說明板）-)**-
http://melody-free-shaing.blogspot.com/2015/08/update1808-2015by-apple-daily-reported.html

===========##############################

http://hk.apple.nextmedia.com/realtime/china/20150818/54104632

[Tianjin] explosion forced the staff to donate EDB users: donation mess rape!

Left fundraiser authorities issued notice, the right is the corner of the blast site. (The Internet).
Tianjin Big Bang week economic losses are difficult to estimate. Internet users broke the news, send donations at Tianjin Nankai District notice that all primary and secondary schools and kindergartens subordinate units, from the party and government leaders at all to donate money to the staff. During the summer vacation because schools may be able to support, then deducting money from staff salaries. Internet users criticized: "donation mess rape can be bad, do not rape when voluntary."

Xufeng Wen users through the microblogging message, directory circulation to the District Board of Education to open nursery school, kindergarten and primary and secondary schools under the requirements of each unit party and government leaders, deputy leaders, middle-level cadres and staff donations. Notice also said that during the time when the holiday, the school can be the first to deliver and pay by check, deducted from wages. Allegedly, fund-raising has forced much of the education system must donate, donation TBNA did eyesight requirements must donate 100 yuan (RMB ‧ below), donated 50 yuan are unqualified, which calls for up to donate.

Nankai District Government responded evening, fundraisers are party members and cadres should request in the region-wide program, directed by the District Red Cross funds raised donated to the fire brigade, open and transparent, to accept supervision.

=====
http://hk.apple.nextmedia.com/realtime/china/20150818/54104632

【天津大爆炸】教育局逼職員捐錢? 網民：勸捐搞成強姦!

左圖為當局下達的募捐通知，右圖為爆炸現場一角。(互聯網).
天津大爆炸發生一星期，經濟損失難以估計。網民爆料，天津南開區委下發募捐通知，要求各中小學幼兒園及直屬單位，上至黨政一把手，下至教職員全部要捐錢。因正值暑假期間，學校可以代支，再從職員工資扣錢。網民批評：「勸捐搞成強姦可不好，別把強姦當自願。」

網民徐鳳文透過微博留言，指南開區教委轉發各中小學幼兒園，要求各中小學幼兒園及直屬單位黨政一把手、副職幹部、中層幹部及教職員工募捐。通知又指，正值放假期間，學校可先交付代付支票，從工資中扣除。據稱，教育系統的募捐一直強迫必須捐多少、濱海新區沒明目的募捐要求必須捐100元（人民幣‧下同），捐 50元的都不合格，要求必須補捐。

南開區政府晚上回應，募捐活動是應黨員幹部要求，在全區範圍開展的，所募資金由區紅十字會定向捐給消防官兵，公開透明，接受監督。

=====
http://hk.apple.nextmedia.com/realtime/china/20150818/54104499

[Big Bang] Tianjin Greenpeace: China this year has been like an explosion 13

Tianjin giant crater left by the blast site. (The Internet).
Tianjin Binhai New Area, a large explosion, causing serious casualties. Environmental group Greenpeace says this is not a single event, this year, at least 13 similar bombings in the Mainland. The organization condemned the Chinese official indifference to chemicals control.

"New Europe" (New Europe) quoted Greenpeace East Asia Toxic chemicals expert Wuyi Xiu (Yixiu Wu) means, Tianjin explosion tip of the iceberg, since 2015, including Jiangsu, Fujian, Shandong and other places have been 13 accidents similar to explosions ʱ?? In fact, Nanjing last month had a chemical plant explosion, spread around three chemical trucks. Wuyi Xiu noted that the Chinese authorities on hazardous chemicals management policies obviously missing.

It is reported that Tianjin Greenpeace after the explosion, the explosion sent a team to understand the damage to the local environment and human rights. According to them within 9 kilometers of the blast site made four tests did not measured high concentrations of sodium cyanide or cyanide. Greenpeace called on the Chinese authorities and governments should implement stringent chemical storage and effective management, otherwise the bombings will continue similar occurrence in Tianjin.

WebMD

=====
http://hk.apple.nextmedia.com/realtime/china/20150818/54104499

【天津大爆炸】綠色和平：同類爆炸中國今年已13宗

天津爆炸現場留下的巨坑。(互聯網).
天津濱海新區大爆炸，造成嚴重死傷。環保組織綠色和平表示，這絕非單一事件，今年以來，內地至少還有13宗類似爆炸案。該組織譴責中國官方漠視對化學物品的管控。

《新歐洲》（New Europe）引述綠色和平東亞區域有毒化學物質專家武毅秀（Yixiu Wu）指，天津爆炸只是冰山一角，2015年以來，包括江蘇、福建、山東等地已經發生13宗類似的爆炸意外。事實上，南京上個月就曾發生化學工廠爆炸，波及周遭3輛化學卡車。武毅秀指出，中國當局在危險化學物品管理政策上有明顯的缺失。

據悉，綠色和平組織在天津爆炸發生後，曾派出小組了解爆炸對當地環境與人權的損害。據他們在爆炸現場9公里內所做的4次測試，並未測得高濃度的氰化鈉或氰化物。綠色和平呼籲中國當局與各國政府應該對化學物品存放實施嚴格、有效的管理，否則類似天津的爆炸事件仍會持續發生。

中央社

=====
http://hk.apple.nextmedia.com/realtime/china/20150818/54101558

[Big Bang] Tianjin Port, Tianjin official continued, "diving" Municipal Committee attended the first conference

Tianjin authorities press conference held this morning explosion. (The Internet).
11:00 this morning, held in Tianjin Port, Tianjin authorities "8.12" explosion 8th press conference. Tianjin Municipal Committee, Party Secretary of Tianjin Binhai New Area Zong Guoying, Tianjin Armed Police Corps commander Baoying Xiang, who attended. Tianjin Port concern the responsible person, today continued absence. Municipal Standing Committee of the conference, the first time to participate. Yesterday for the first time to attend the conference, deputy mayor in charge of production safety Tianjin He Shushan, absent again today.

=====
http://hk.apple.nextmedia.com/realtime/china/20150818/54101558

【天津大爆炸】天津港負責人繼續「潛水」市委首出席發佈會

天津當局今早舉行爆炸事故新聞發佈會。(互聯網).
今早11時，天津當局舉行天津港「8.12」爆炸事故第8場新聞發佈會。天津市委常委、濱海新區區委書記宗國英，武警天津市總隊司令員鮑迎祥等人出席。備受關注的天津港相關負責人，今日繼續缺席。此次發佈會首次有市委常委參加。而昨天首度出席發佈會、負責安全生產的天津副市長何樹山，今日再度缺席。

=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54101447

[Big Bang] Tianjin Port toxic smoke blowing several opportunities? Movie Deconstructing expert system

Tianjin after the big bang, earlier circulated on the Internet a picture refers to the Tianjin toxic gases may be floated in Hong Kong, it was considered credible, but the incident has caused a lot of people are concerned about whether the chemicals will be blown to Hong Kong? HKUST Environmental Analysis Division Head Pingzhi Xiong from 20:00 on Wednesday, that is, before the explosion about 3.5 hours until tonight (18) 7:00 forecast wind path, southern China has been blowing south to southwest wind, Tianjin and Beijing area feed contaminants has been unable to move south, he was referring to the incident has been for several days, the possibility of blowing dust explosion in southern China is almost "0%."

HKUST ambient air particulates PM 2.5 Faculty data, along with wind data, made into a short video display during the move to PM 2.5 in. The closer the red represents the higher the concentration, the more you tend to lower the concentration of light blue, the explosion was just a moment and a place in Tianjin, 冯志雄 means the figure is difficult to see, the movie appears red range, power plants, cars and factories discharging pollutants. The movie shows that particulates have been round and round in the Beijing-Tianjin region, sometimes spread to Liaoning and Shanghai, is basically not cross the Yangtze River.

Pingzhi Xiong Analysis southern China after the incident has been blown south to southwest wind, Tianjin area contamination unable south. The closer the red represents the higher the concentration of suspended particulates PM 2.5, the bias light blue, the lower the concentration. (HKUST Environmental Division provided).

Pingzhi Xiong said the Pearl River Delta area over the past few days an amount from about 30 micrograms of particulates per cubic meter, while Hong Kong was only 20 micrograms, and Beijing is only one-fifth. He was referring to the big bang blow smoke had "scattered sun", so even blow northeasterly change next month, it will not affect Hong Kong.

Secretary for Food and Health Ko Wing-man has said, we have to understand the different sectors, emphasizing the EPA has been monitoring air quality in Hong Kong, now found no problems, but also to monitor the Hong Kong Observatory has the wind.

=====
http://hk.apple.nextmedia.com/realtime/news/20150818/54101447

【天津大爆炸】毒煙吹港機會幾大？專家製短片解構

馮志雄分析事發後華南一帶一直吹南至西南風，天津一帶污染物無法南下。越近紅色代表懸浮粒子PM 2.5濃度越高，越偏向淺藍色則濃度越低。 (科大環境學部提供).

天津大爆炸後，早前網上流傳一幅圖指天津有毒氣體可能飄到香港，有人認為不可信，但事件已引起不少人關注，究竟化學物質會否吹到香港？科大環境學部主任馮志雄分析自上周三晚上8時、即爆炸前約3.5小時，至今晚（18）7時預測風向路徑，華南一帶一直吹南至西南風，料天津及北京一帶的污染物一直無法南下，他指事發至今已數日，爆炸煙塵吹向華南的可能性幾乎是「0%」。

科大環境學部將空氣懸浮粒子PM 2.5數據，連同風向數據，製作成一段短片，顯示期間的PM 2.5的移動。越近紅色代表濃度越高，越偏向淺藍色則濃度越低，由於爆炸只是一瞬間及位於天津一處，馮志雄指難以在圖上看到，短片出現的紅色範圍，為發電廠、汽車和工廠等排出的污染物。該短片顯示，懸浮粒子一直在京津地區團團轉，有時擴散至遼寧和上海，基本上未有越過長江。

馮志雄表示，珠三角一帶過去數日懸浮粒子含量約每立方米30微克，而香港一度只有20微克，僅及北京五分一。他指大爆炸炸出的黑煙早已「散晒」，所以即使下月改吹東北風，也不會影響香港。

食物及衞生局局長高永文日前表示，已經向不同部門了解，強調環保署一直監察香港空氣質素，現時沒有發現問題，而天文台亦有監察香港近日風向。

=====
http://hk.apple.nextmedia.com/international/art/20150819/19261149

逾7成日網民　肯定戰後談話

主張擺脫「謝罪外交」的日本首相安倍晉三，在戰後70周年談話中，表示「不能要子孫繼續為戰爭道歉」，被外界認為缺乏誠意，但反而得到民眾支持，有逾7成網民對安倍談話表示肯定。

20萬人投票

日本雅虎（Yahoo）網站在安倍晉三於8月14日發表談話後，進行網上民調，至今已有20萬人投票，當中8成是男性，結果有超過54%網民對安倍談話表示十分肯定，而表示肯定的亦有19%，只有約26%認為談話不值得評價。
過往只對二戰侵略行為表示懊悔的安倍，在備受注目的70周年談話中雖然承繼村山談話，但依然未有親自道歉，被批評玩弄語言偽術，更有傳媒指他是受政治壓力才加入道歉等關鍵字眼，言不由衷。
日本新聞網

=====
http://hk.apple.nextmedia.com/international/art/20150819/19261152

Japan's surrender in World War II will feature the original

Japan will be on display at the end of World War II surrender the original.
This year is the 70th anniversary of the end of World War II, the Japanese authorities following the Publication Japanese Emperor Hirohito "beautiful sound to play," the original, the Foreign Ministry announced yesterday from the precious historical documents on display later this month when Japan signed the "Japan subdue book" original and so on.

■ Figure left for the Shigemitsu, right is UMEZU

The first exhibition Allies' command No. "

Japan August 15, 1945 announced its acceptance of the "Potsdam Proclamation", after the unconditional surrender on September 3 sent a 11-member delegation to the United States Navy warships anchored in Tokyo Bay, "Missouri" signed the surrender. Japanese representative as Foreign Minister Mamoru Shigemitsu and Army Chief of Staff UMEZU etc., and allies by Supreme Allied Commander General MacArthur, as well as the United States, Republic of China, Britain, Russia, Australia, Canada, France, the Netherlands and New Zealand jointly signed on behalf of nine countries ʱ??
This time the first public display at the same time the Allies to "instructs the first number" issued by the Japanese government, which documented the provisions of the Japanese troops to stop the fighting, the disarmament program, as well as military facilities and prisoners account information. Relevant documents will show in Tokyo diplomatic Historical Museum August 31 to September 12.
Japan's Kyodo Net

=====
http://hk.apple.nextmedia.com/international/art/20150819/19261152

日本將展出二戰投降書原版

日本在月底將展出二戰的投降書原版。

今年是二次大戰結束70周年，日本當局繼公開日皇裕仁「玉音播放」原版後，外務省昨日宣佈本月底起展出當年日本簽署的「日本降伏書」原版等珍貴歷史文獻。

■圖左為重光葵，圖右為梅津美治郎

首展盟軍「第一號命令」

日本在1945年8月15日宣佈接受《波茨坦公告》，無條件投降後，於9月3日派出11人代表團，到停泊在東京灣的美國海軍戰艦「密蘇里號」正式簽署投降書。日方代表為外相重光葵及陸軍參謀長梅津美治郎等，而盟國則由盟軍最高司令麥克阿瑟將軍，以及美國、中華民國、英國、蘇聯、澳洲、加拿大、法國、荷蘭及新西蘭9國代表聯合簽署。
今次同時首次公開展出盟軍向日本政府下達的「第一號命令」，該文件記載對日軍停止戰鬥、解除武裝程序，以及交代軍事設施及俘虜資訊的各項規定。有關文件將於8月31日至9月12日在東京外交史料館展覽。
日本共同網

=====
http://hk.apple.nextmedia.com/news/art/20150819/19261672

9.26 at the end of four student leaders were sued Zhou Yongkang: Political Revenge

WASHINGTON liquidation umbrella movement again. Last September 26 into the Citizens' Square, the occupation of 79 days to kick off, Zhou Yongkang, former Secretary-General of the Federation, the current Secretary-General Luoguan Cong,

Scholarism convener and member Joshua Wong Chun Lam Xuan, the crowd early by the police Organized Crime and the three The Council Investigation Bureau (known as O mind) to make an appointment arrested yesterday have notified, will be formally charged by the end. Each of whom described as political vengeance, that he would not regret it.
Reporter: Ma Zhigang

罗冠聪 yesterday revealed the first in facebook, received calls O mind, refers to his alleged involvement in illegal rallies inciting others last September 26, the police will be formally charged by the end. He questioned the authorities, as the involvement of organized sports felon who is thinking, "appears in the eyes of the Hong Kong Government, the organizers of the movement is not a felon, is the triad ...... no wonder that people learned friend put Street Station, have attracted a bunch of O Wai Kee block "," rulers of this age, so really there is no confidence? "

Zhou Yongkang, former secretary general of the Federation refers to an interview, the police received a similar call yesterday, the same day that he participate in civic plaza unlawful assembly, will be formally charged, being only this one counts, "I believe the Department of the Air sheet drainage Die, Dixia Youmao My name is Amy shadow to first decide Link sue. "

■ Last year, 9.26 in the evening, a large number of people to build a wall to stop police entering the adult citizens cleared plaza.

Joshua Wong: really funny

He believes the authorities will continue to prosecute those involved in protests, described as political revenge, "If the threat to ditch political core, hoping to break the structure of government and business collusion generous whom illegal, Link can imagine," line "side of a generous law law. " To his knowledge, the Federation and the remaining three people, including Cen Ao Hui, Guo Liang and Zhong Yaohua, yet received a police call.
Scholarism convener Joshua Wong appeared at overseas, he responded in fb refer to themselves as early as the beginning of the police has received notification O remember, will be based on 9.26 square regain citizen action, formal charges he was involved in an illegal assembly and inciting others to engage in illegal gatherings two crimes this month on the 27th to go to the police station for investigation. He was referring to people who want to enter the public space have to face political prosecution is ridiculous, but stressed that the day of choice no regrets, that is engaged in social movements is bound to pay the price, I hope to find the future direction of the continuation of the democratic movement on the eve of this year 9.28.

Another member of the public school Xuan Lin Chun will be charged with one common assault, but he was referring to the police from the date of arrest to date, the so-called assault case never explained to him. "As protesters had expected to assume responsibility. No matter what-sue, I will not even regret into the Citizens' Square, what a system is an important life decision."
Last September 26, the Federation, learn more members of the public square projecting into citizens, including the Joshua Wong detained lift off the leaf margin, not on bail, he was not yet 18 years old, he was detained for more than 40 hours the police.

=====
http://hk.apple.nextmedia.com/news/art/20150819/19261672

9.26四學生領袖　月底被起訴
周永康：政治復仇

【本報訊】雨傘運動清算再來。去年9月26日衝入公民廣場，為79日佔領行動揭開序幕，學聯前秘書長周永康、現任秘書長羅冠聰、學民思潮召集人黃之鋒與成員林淳軒，眾人年初被警方有組織罪案及三合會調查科（俗稱O記）預約拘捕後，昨陸續收到通知，月底將被正式起訴。各人均形容是政治復仇，表明不會後悔。
記者：馬志剛

羅冠聰昨率先在facebook透露，接獲O記來電，指他在去年9月26日涉嫌煽動他人參與非法集會，警方將於月底正式起訴。他質疑當局視參與、組織運動者是重犯的思維，「看來在香港政府眼中，運動的組織者不是重犯，就是黑社會……難怪學民的朋友擺街站，都引來一堆O記圍堵」、「掌權者對這個世代，真的這麼沒有信心？」
學聯前秘書長周永康接受訪問指，昨同樣接獲警方來電，指他當日在公民廣場參與非法集會，將被正式起訴，暫時只有這一條罪名，「相信佢哋係睇片，睇下有冇影到我叫咪先決定咁告」。

■去年9.26晚上，大批市民築成人牆阻止警方進入公民廣場清場。

黃之鋒：實在可笑

他相信當局將陸續對參與抗爭者提出檢控，形容是政治復仇，「如果威脅到佢個政治核心、期望打破政商勾結嘅結構都為之非法，咁可想而知，『法』係邊個嘅法」。據他所知，學聯其餘3人包括岑敖暉、梁麗幗與鍾耀華，暫未接獲警方來電。
學民思潮召集人黃之鋒現身處海外，他在fb回應指自己早在月初已接獲警方O記通知，將基於9.26重奪公民廣場行動，正式起訴他參與非法集會及煽動他人參與非法集會兩罪，本月27日要到警署接受調查。他指市民想進入公共空間卻要面對政治檢控實在可笑，但強調無悔當日抉擇，指參與社運必然要付上代價，但願能在今年9.28前夕找到延續民主運動的未來方向。

另一學民成員林淳軒則將被起訴一項普通襲擊罪，但他指警方自當日拘捕至今，從未向他解釋所謂襲擊案情。「身為抗爭者早已預計要承擔責任。無論用乜起訴，我都唔會後悔衝入公民廣場，呢個係人生中一個重要決定」。
去年9月26日，學聯、學民多名成員突衝入公民廣場，其中黃之鋒被扣上孖葉抬離，不獲准保釋，當時仍未滿18歲的他被警方扣留超過40小時。

=====
http://hk.apple.nextmedia.com/news/art/20150819/19261511

Wong Yuk-man pro-beam special court confrontation

黎树雄 photo.
WASHINGTON Wong Yuk-man of the Legislative Council in July last year the Chief Executive's Question and Answer will throw the cup, was the Attorney General to prosecute common assault, a charge that he attacked Leung Chun-ying. Huang yesterday afternoon to the Central Police Station to report, dozens of supporters of Solidarity (map). He was referring to the day the President Tsang Yok-sing has according to the rules of procedure will be expelled from the Chamber, he does not understand why should the Attorney General to prosecute him. He thought it was political pressure, welcomed the Chief Executive in the courtroom and confront him.
Wong Yuk-man before entering the police station holding V-sign shouting, "Mr Leung down to hell," walked out of the police station after approximately one hour, refers to the Eastern Magistracy tomorrow hearing the case, it is expected to have no money to hire a lawyer, be sure to choose self-defense and not guilty, he To be invited over a hundred witnesses in court, "Mr Jasper so needless to come out and walk the court ah?"

Chase real thing burst size city that like Apple [site] FB!

=====
http://hk.apple.nextmedia.com/news/art/20150819/19261511

黃毓民促梁特上庭對質

黎樹雄攝.
【本報訊】立法會議員黃毓民去年7月在行政長官答問會投擲水杯，遭律政司起訴普通襲擊罪，控罪指他襲擊梁振英。黃昨午到中區警署報到，數十名支持者聲援（圖）。他指當日立法會主席曾鈺成已照議事規則將他逐出議事廳，不明白律政司為何還要起訴他。他認為這是政治打壓，歡迎特首在法庭上與他對質。
黃毓民進入警署前高舉V字手勢高呼「梁振英落地獄」，約1小時後步出警署，指東區裁判法院明日開庭審理案件，預計無錢請律師，一定選擇自辯和不認罪，他更擬邀請過百證人上庭，「曾鈺成使唔使嚟法庭啊？」

Chase real thing burst size city that like Apple [site] FB!

=====

#TANGODOWN_HACKED 已轉推

‏@AyyildizOrg

Hakkari’de çatışma: 3 şehit 6 yaralı http://www.korkusuzmedya.com/gundem/hakkaride-catisma-3-sehit-6-yarali-h114696.html …

Clashes in Hakkari: 3 killed 6 injured Chief of Staff, Hakkari's Yüksekova district of troops in that three soldiers were killed in an attack by a terrorist group, it has announced that six soldiers were wounded. Friday August 14, 2015

OKU, YORUMLA ve PAYLAŞ ==> http://translate.googleusercontent.com/translate_c?depth=1&hl=zh-TW&rurl=translate.google.com&sl=tr&tl=en&u=http://www.korkusuzmedya.com/gundem/hakkaride-catisma-3-sehit-6-yarali-h114696.html&usg=ALkJrhjS9pgZXRg5fF8dOHNSlJF-KLWpmA

===

=====

This Aerial Assault Drone Can Hack Computers Inside Walled Compounds

By Waqas on August 14, 2015.

A drone is known for killing people or for its surveillance capabilities, but an aerial assault drone with hacking capabilities? Yes, you read that right!
This Sunday, the collection of hackers got beefed up some more with the emergence of a drone equipped with weapons that could easily crack into your computer networks from a close range. That is, regardless of the fact if they are in walled compounds or skyscrapers, this drone can crack them.

must readDrone caught delivering phones, knife and drugs at a high-security prison

aerial-assault-drone-equipped-with-hacking-weaponries-launched-at-def-con

David Jordan from the US-based firm Aerial Assault showed off the drone at the DefCon hacking conference. This drone can be extremely helpful in missions like hovering outside walls or landing atop high-rises for finding out cracks in computer networks.

David Jordan @DMJordan2

Check out our drones at @wallofsheep today. We'll be doing a live demo today at 1:00pm. @_defcon_ #FlyingRobots

3:02 AM - 9 Aug 2015

While showing this drone at the AFP Jordan stated that “There has never been this capability before.” That’s because this particular drone contains software tools that are used to conduct “penetration testing.
Penetration testing usually is done by computer security experts or hackers while searching for computer networks vulnerabilities.
The Aerial Assault model is different from the drones launched previously by hackers because it scans for networks as well as unsecured wireless connections. Apart from identifying weaknesses of networks this drone records precise GPS data of a target and also sends all the information to its handler, said Jordan.
These drones are up for sale at $2,500 per piece.
At Def Con, hackers got attracted to drones for their capability of sniffing out unsecure wireless internet networks. However, according to Jordan, the capabilities of Aerial Assault drone has heightened the ante with its highly effective automated tools that could surpass and sabotage physical defenses.

must readDARPA Testing Submarine Drone That Survives Under Ocean for Years

Aerial Assault Drone is Armed With Hacking Weapons

Report typos and corrections to admin@hackread.com

Waqas

Waqas Amir is a Dubai based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.

=====

這種空中打擊無人機可以入侵計算機內部寨化合物

通過Waqas 上 2015年8月14日.
一個無人機是著名的殺人或者其監視能力，但空中攻擊無人機與黑客的能力？ 是的，你沒有看錯！
這個星期天，黑客收集得到了加強了一些有出現無人機裝備的武器，可以輕鬆破解到您的計算機網絡從近距離。也就是說，不管他們是否是圍牆化合物或摩天大樓的事實，這種無人機可以破解它們。

必須閱讀無人機提供抓到手機，小刀和藥品的高安全監獄

空中突擊，無人機裝備與 - 黑客-weaponries推出-AT-DEF-CON

大衛喬丹來自美國的一家公司空中打擊秀出無人機在DEFCON黑客會議 。這種無人機可以在像盤旋外牆或登陸頂上高樓查找出在計算機網絡中的裂縫任務非常有幫助。

David Jordan @DMJordan2

Check out our drones at @wallofsheep today. We'll be doing a live demo today at 1:00pm. @_defcon_ #FlyingRobots

3:02 AM - 9 Aug 2015

雖然這顯示出在無人駕駛法新社喬丹說，“有以前從來沒有這種能力。”這是因為這個特殊的無人機包含用於進行“滲透測試工具軟件。
滲透測試通常是由計算機安全專家或做黑客，同時尋找計算機網絡漏洞。
空中突擊模式是因為它掃描網絡以及不安全的無線連接黑客先前打開的無人機不同。除了識別網絡的弱點，這種無人機精確記錄GPS數據的目標，並同時發送所有的信息，其處理程序，喬丹表示。
這些無人機都掛牌出售2500美元每件。
在防守力精讀，黑客得到了吸引雄蜂為他們嗅出不安全的無線網絡網絡的能力。然而，根據約旦，空中突擊無人機的能力已經提高，其高效的自動化工具，可以超越和破壞物理防禦的賭注。

必須閱讀 DARPA測試無人駕駛潛艇能承受住在海洋多年

Aerial Assault Drone is Armed With Hacking Weapons

Report typos and corrections to admin@hackread.com

Waqas

Apr 23 Link HTA w Trojan:Win32/Tapaoux.A download

Malicious HTA file in hxxtp://report-inshop.com/policies/A Step in the Right Direction.hta

downloads additional malware wincfg.exe Trojan:Win32/Tapaoux.A

BCCCA07E2147BE4CF30E73A6714D8C38 A Step in the Right Direction.hta
1971EE25847D246116835C7157CF7F89 wincfg.exe
19A08F48D71044E0A4091EF4A4E16131 April 07.pdf

Details

From: Richard Wilson [mailto:richard.wilson34@hotmail.com]
Sent: Friday, April 23, 2010 7:52 AM
To: XXXXXXXXXX
Subject: Obama's New Nuclear Policies: A Step in the Right Direction

Obama's New Nuclear Policies: A Step in the Right Direction

Arms Control, Nuclear Weapons, Nonproliferation, Defense
Michael E. O'Hanlon, Director of Research and Senior Fellow, Foreign Policy

The Brookings Institution

Documents View (Acrobat Version 9.0 or less)

Headers
Received: from BLU139-W28 ([65.55.111.137]) by blu0-omc4-s33.blu0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.3959); Fri, 23 Apr 2010 04:52:29 -0700
Message-ID:
Return-Path: richard.wilson34@hotmail.com
Content-Type: multipart/alternative;
boundary="_f03abef7-5a0c-4660-b04a-387c90937f45_"
X-Originating-IP: [ 123.125.156.137 ]
From: Richard Wilson

http://www.robtex.com/ip/123.125.156.137.html#blacklists
http://www.robtex.com/ip/123.125.156.137.html#whois inetnum: 123.112.0.0 - 123.127.255.255 *netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: PRChina
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: hostmast@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 19980824
changed: hm-changed@apnic.net 20060717
changed: hostmast@publicf.bta.net.cn 20090630
source: APNIC

*

Virustotal
A Step in the Right Direction.hta from hxxtp://report-inshop.com/policies/A Step in the Right Direction.hta
http://www.virustotal.com/analisis/746e8ea808d2fa9c51e72f25a84c0924ecddc4b82ee3efae122e27158b1b2c2e-1272024139
File A_20Step_20in_20the_20Right_20Dir received on 2010.04.23 12:02:19 (UTC) Current status: finished Result: 0/40 (0.00%) Additional information File size: 198809 bytes MD5 : bccca07e2147be4cf30e73a6714d8c38

From A Step in the Right Direction.hta - Shellcode 2 exe (sandsprite.com) results

http://www.virustotal.com/analisis/4c66155cc842c8bf1a13172a3b1e15ea991bec4c8fd7f29c9eea1cdc26659791-1272129493

shellcode.exe

File shellcode.exe received on 2010.04.24 17:18:13 (UTC)
Current status: finished
Result: 14/40 (35.00%)
AntiVir 8.2.1.224 2010.04.23 PCK/Dumped
Authentium 5.2.0.5 2010.04.24 W32/SmallTrojan.M.gen!Eldorado
AVG 9.0.0.787 2010.04.24 Agent_r.OV
CAT-QuickHeal 10.00 2010.04.23 (Suspicious) - DNAScan
Comodo 4676 2010.04.24 TrojWare.Win32.TrojanDownloader.Small.~AOLO
F-Prot 4.5.1.85 2010.04.24 W32/SmallTrojan.M.gen!Eldorado
Jiangmin 13.0.900 2010.04.24 Trojan/Agent.ckpb
Kaspersky 7.0.0.125 2010.04.24 Trojan-Downloader.Win32.Small.aolo
McAfee 5.400.0.1158 2010.04.24 Generic Downloader.fa
McAfee-GW-Edition 6.8.5 2010.04.23 Packer.Dumped
Microsoft 1.5703 2010.04.24 TrojanDownloader:Win32/Sileco.A
TheHacker 6.5.2.0.268 2010.04.23 Trojan/Downloader.Small.aolo
TrendMicro 9.120.0.1004 2010.04.24 TROJ_SMALL.SMJ2
Additional information
File size: 102994 bytes MD5 : 9b41c8a47770bb3f8ff5f76aad49c84f

wincfg.exe from hxxp://report-inshop.com/policies/wincfg.exe - see wireshark screenshot above

http://www.virustotal.com/analisis/de4ff8901766e8fc89e8443f8732394618bf925ce29b6a8aafe1d60f496e7f0e-1272127473

File wincfg.exe received on 2010.04.24 16:44:33 (UTC)
Result: 1/40 (2.50%)
Microsoft 1.5703 2010.04.24 Trojan:Win32/Tapaoux.A
File size: 357344 bytes
MD5 : 1971ee25847d246116835c7157cf7f89

Anubis report http://anubis.iseclab.org/?action=result&task_id=1a1a33275cdb76c24b932808a50af114f

[################################################# ############################]阿努比斯分析報告wincfg.exe MD5：1971ee25847d246116835c7157cf7f89 [########## ################################################## #################]摘要： - 自動啟動功能：該可執行文件註冊在系統啟動時執行的過程。 [#############################################################################] Anubis Analysis Report for wincfg.exe MD5: 1971ee25847d246116835c7157cf7f89 [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. 這可能導致不希望的操作自動執行。 This could result in unwanted actions to be performed automatically. - 創建在Windows系統目錄下的文件：經常惡意軟件的keepscopies本身在Windows目錄中由用戶留未被發現。 - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - 執行文件修改和破壞：可執行modifiesand解構這是不是臨時文件。 - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - 產生進程：可執行文件的執行過程中產生的過程。 - Spawns Processes: The executable produces processes during the execution. - 執行登記活動：可執行文件讀取和修改註冊表值。 - Performs Registry Activities: The executable reads and modifies registry values. 它還創建和監視註冊表項。 It also creates and monitors registry keys. [================================================= ============================]目錄[================= ================================================== ==========] - 一般信息 - wincfg.exe一）註冊活動b）文件活動三）Windows服務活動D）進程的活動e）其他活動 - SERVICES.EXE一）註冊活動b）文件活動c）其他活動 - CMD.EXE一）註冊活動b）文件活動三）Windows服務活動四）網絡活動e）其他活動 - CMD.EXE一）註冊活動b）文件活動[####### ################################################## ####################] 1.一般資料[######################## ################################################## ###] [============================================= ================================]有關阿努比斯'調用[信息=========== ================================================== =====]所需時間：240秒報告創建：10年4月24日，17時08分58秒UTC終止的原因：超時程序版本：1.74.2783 [== ================================================== =========================]全球網絡活動[==================== ================================================== =======] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]的HTTP會話：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]從ANUBIS：1038 124.217.226.220:80 - [hummfoundation.org]請求：GET /on/yahoo/banner4.php?jpg= ../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /對/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK “]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner3.php?jpg=../ （LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /上/雅虎/ ？banner3.php JPG = .. /（LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo] ，回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]響應：[<沒有回复>] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =] TCP連接嘗試：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = ]從ANUBIS：1039至124.217.226.220:80從ANUBIS：1040 124.217.226.220:80從ANUBIS：1041 124.217.226.220:80從ANUBIS：1043 124.217.226.220:80從ANUBIS：1044至124.217.226.220： 80 ################################################ #############################] 2. wincfg.exe [############## ################################################## #############] [=================================== ==========================================]關於這個可執行文件的一般信息[= ================================================== ==========================]分析原因：初步分析主題文件名：wincfg.exe MD5：1971ee25847d246116835c7157cf7f89 SHA-1：b00fa08c86dba7d4065018e7234b850d2a541799文件大小：357344字節命令行：“C：\ wincfg.exe”過程狀態的分析結束：死退出代碼：0 ========================= ================================================== ==]負載時DLL [========================================== ===================================]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NTDLL.DLL ]，基地址：[0x7C900000]，大小：[0x000AF000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ kernel32.dll中]，基地址：[0x7C800000]，大小：[0x000F6000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USER32.dll初始化]，基地址：[0x7E410000]，大小：[0x00091000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ GDI32.DLL]，基地址：[0x77F10000]，大小：[0x00049000]模塊名稱：[C：\ WINDOWS \ SYSTEM32 \ COMDLG32.DLL]，基地址：0x763B0000]，大小：[0x00049000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ADVAPI32.dll中]，基地址：[0x77DD0000]，大小：[0x0009B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ RPCRT4.DLL]，基地址：[0x77E70000]，大小：[0x00092000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \找到Secur32.dll]，基址：[0x77FE0000]，大小：[0x00011000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ COMCTL32.DLL]，基地址：[0x5D090000]，大小：[0x0009A000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ SHELL32 .dll文件]，基地址：[0x7C9C0000]，大小：[0x00817000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSVCRT.DLL]，基地址：[0x77C10000]，大小：[0x00058000]模塊名稱：[C： \ WINDOWS \ SYSTEM32 \ SHLWAPI.DLL]，基地址：[0x77F60000]，大小：[0x00076000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WINSPOOL.DRV]，基地址：[0x73000000]，大小：[0x00026000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ OLE32.DLL]，基地址：[0x774E0000]，大小：[0x0013D000]模塊名稱： [=============================================================================] Table of Contents [=============================================================================] - General information - wincfg.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities - services.exe a) Registry Activities b) File Activities c) Other Activities - cmd.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Network Activities e) Other Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 240 s Report created: 04/24/10, 17:08:58 UTC Termination reason: Timeout Program version: 1.74.2783 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] HTTP Conversations: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1038 to 124.217.226.220:80 - [ hummfoundation.org ] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] TCP Connection Attempts: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1039 to 124.217.226.220:80 From ANUBIS:1040 to 124.217.226.220:80 From ANUBIS:1041 to 124.217.226.220:80 From ANUBIS:1043 to 124.217.226.220:80 From ANUBIS:1044 to 124.217.226.220:80 [#############################################################################] 2. wincfg.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: wincfg.exe MD5: 1971ee25847d246116835c7157cf7f89 SHA-1: b00fa08c86dba7d4065018e7234b850d2a541799 File Size: 357344 Bytes Command Line: "C:\wincfg.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]，基地址：[0x773D0000]，大小：[0x00103000] [=================================== ==========================================]運行時DLL [== ================================================== =========================]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ntoskrnl.exe中]，基地址：[0x00B60000]，大小：[0x00216680]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSCTF.dll]，基地址：[0x74720000]，大小：[0x0004C000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]，基址：[0x77B40000]，大小：[0x00022000] [======================================= ======================================] 2.A）wincfg.exe - 註冊表活動[ ================================================== ===========================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值修正：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[ ], Base Address: [0x773D0000 ], Size: [0x00103000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00B60000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] 2.a) wincfg.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 夾]，值名稱：[AppData的]，新價值：[C：\ Documents和Settings \管理員\應用數據]鍵： Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 夾]，值名稱：[啟動]，新價值：[C：\ Documents和Settings \管理員\開始菜單\程序\啟動] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SOFTWARE \微軟\ CTF \ SystemShared \]，數值名稱：[CUAS]，值：[0]，1次關鍵：[HKLM \系統\ CurrentControlSet \控制\會話管理器]，值名稱：[CriticalSectionTimeout]，值：[2592000] 1次關鍵：[HKLM \ SYSTEM \ SETUP]，值名稱：[SystemSetupInProgress]，值：[0]，1次關鍵：[HKLM \ SYSTEM \ WPA \媒體中心]，值名稱：[安裝]，值：0 ]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[AuthenticodeEnabled]，值：[0]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \安全\ CodeIdentifiers]，值名稱：[DefaultLevel]，值：[262144]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[PolicyScope的]，值：[0] ，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[TransparentEnabled]，值：[1]，2次關鍵： Folders ], Value Name: [ Startup ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ]，值名稱：[的ItemData]，值：[0x5eab304f957a49896a006c1c31154015]，1次關鍵： ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ]，值名稱：[ItemSize]，值：[779]，1次關鍵： ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ]，值名稱：[的ItemData]，值：[0x67b0d48b343a3fd3bce9dc646704f394]，1次關鍵： ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ]，值名稱：[ItemSize]，值：[517]，1次關鍵： ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ]，值名稱：[的ItemData]，值：[0x327802dcfef8c893dc8ab006dd847d1d]，1次關鍵： ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ]，值名稱：[ItemSize]，值：[918]，1次關鍵： ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ]，值名稱：[的ItemData]，值：[0xbd9a2adb42ebd8560e250e4df8162f67]，1次關鍵： ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ]，值名稱：[ItemSize]，值：[229]，1次關鍵： ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ]，值名稱：[的ItemData]，值：[0x386b085f84ecf669d36b956a22c01e80]，1次關鍵： ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ]，值名稱：[ItemSize]，值：[370]，1次關鍵： ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ]，值名稱：[的ItemData]，值：[HKEY_CURRENT_USER％\軟件\微軟\的Windows \ CurrentVersion \ Explorer的\殼牌文件夾\緩存％白斑*]，1次關鍵： ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ]，值名稱：[SaferFlags]，值：[0]，1次關鍵：[HKLM \系統\ CurrentControlSet \控制\ Terminal服務器]，值名稱：[TSUserEnabled]，值：[0]，1次關鍵： HKU \ S-1-5-21-842925246-1425521274-308236825-500 \鍵盤佈局\切換]，值名稱：語言快捷鍵]，值：[1]，2次關鍵：[HKU \ S-1-5 -21-842925246-1425521274-308236825-500 \鍵盤佈局\切換]，值名稱：佈局熱鍵]，值：[2]，2次關鍵： ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 夾]，值名稱：[緩存]，值：[C：\ Documents和Settings \管理員\本地設置\ Temporary Internet Files文件]，1次關鍵： Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User 外殼文件夾]，值名稱：[AppData的]，值：[％USERPROFILE％\應用數據]，1次關鍵： Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User 外殼文件夾]，值名稱：[啟動]，值：[％USERPROFILE％\開始菜單\程序\啟動]，1次[===================== ================================================== ======] 2.B）wincfg.exe - 文件活動[================================ =============================================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]創建的文件：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ SystemCheck.bat]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.exe]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]文件名：[C：\ WINDOWS \ SYSTEM32 \ countryfix.dll] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ WINDOWS \ SYSTEM32 \ countryfix.dll] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件修改：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：[C：\ SystemCheck.bat]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.exe]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]文件名：C：\ WINDOWS \ SYSTEM32 \ countryfix.dll]文件名：[智能檢測] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]設備控制通信：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件：[\設備\ KsecDD]，控制代碼：[0x00390008]，8次文件：[智能檢測]，控制碼：[0x0022E660]，1次文件：[智能檢測]，控制代碼：[0x0022E65C]，2倍[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =存儲器映射文件：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ SystemCheck.bat]文件名： Shell Folders ], Value Name: [ Startup ], Value: [ %USERPROFILE%\Start Menu\Programs\Startup ], 1 time [=============================================================================] 2.b) wincfg.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] File Name: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ SmartCheck ], Control Code: [ 0x0022E660 ], 1 time File: [ SmartCheck ], Control Code: [ 0x0022E65C ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]文件名：C：\ WINDOWS \ WindowsShell.Manifest]文件名：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ COMCTL32.DLL]文件名：C： \ WINDOWS \ SYSTEM32 \ MSCTF.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ SHELL32.DLL]文件名：C：\ WINDOWS \ SYSTEM32 \ WINSPOOL.DRV]文件名：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]文件名：C：\ WINDOWS \ SYSTEM32 \ imm32.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ ntoskrnl.exe中]文件名：C：\ WINDOWS \ SYSTEM32 \ rpcss.dll]文件名稱：C：\ WINDOWS \ AppPatch文件\ sysmain.sdb] [=================================== ==========================================] 2.C）wincfg.exe - Windows服務活動[============================================= ================================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務啟動：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務：[智能檢測] [ = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]名稱：智能檢測]類型：SERVICE_DEMAND_START]路徑：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務刪除：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務：[智能檢測] [=============================================== ==============================] 2.D）wincfg.exe - 流程活動[======== ================================================== ===================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]流程創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]可執行文件：[C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]，命令行： ]可執行文件：[]，命令行：C：\ SystemCheck.bat] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]遠程線程創建： [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]受影響的過程：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]影響過程：[C： \ WINDOWS \ SYSTEM32 \ CMD.EXE] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]外國存儲器區讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]進程：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]外國存儲器區寫：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]過程：[C：\ WINDOWS \ SYSTEM32 \ CMD.EXE] [==================================== =========================================] 2.E）wincfg.exe - 其他活動[=============================================== ==============================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]互斥創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]互斥：[CTF.Asm.MutexDefaultS -1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.LBES.MutexDefaultS-1-5 -21-842925246-1425521274-308236825-500]互斥：[CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.TMD.MutexDefaultS-1-5-21-842925246 -1425521274-308236825-500]互斥： ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\COMCTL32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) wincfg.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ SmartCheck ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\autocheck.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=============================================================================] 2.d) wincfg.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ ], Command Line: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=============================================================================] 2.e) wincfg.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]視窗SEH例外：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]說明：[異常0xc000001d（STATUS_ILLEGAL_INSTRUCTION）在0x40ad09]，1次說明：[異常0xc0000096（STATUS_PRIVILEGED_INSTRUCTION）在0x40adab]，1次[######## ################################################## ################### 3. SERVICES.EXE [######################## ################################################## ###] [============================================= ================================]關於這個可執行文件[常規信息=========== ================================================== =====]分析原因：服務已啟動。 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x40ad09 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x40adab ], 1 time [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. 文件名：SERVICES.EXE MD5：0e776ed5f7cc9f94299e70461b7b8185 SHA-1：cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf文件大小：108544字節命令行：C：\ WINDOWS \ SYSTEM32 \ SERVICES.EXE在分析結束進程狀態：活著的退出代碼：0 [====== ================================================== =====================]負載時DLL [======================= ================================================== ====]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ntdll.dll中]，基地址：[0x7C900000]，大小：[0x000AF000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ kernel32.dll中]，基地址：[0x7C800000]，大小：[0x000F6000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ADVAPI32.dll中]，基地址：[0x77DD0000]，大小：[0x0009B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ RPCRT4.DLL]，基地址：[0x77E70000]，大小：[0x00092000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \找到Secur32.dll]，基地址：[0x77FE0000]，大小：[0x00011000]模塊名稱：[C ：\ WINDOWS \ SYSTEM32 \ MSVCRT.DLL]，基地址：[0x77C10000]，大小：[0x00058000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NCObjAPI.DLL]，基地址：[0x5F770000]，大小：[0x0000C000 ]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSVCP60.dll]，基地址：[0x76080000]，大小：[0x00065000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ SCESRV.dll]，基地址：[0x7DBD0000 ]，大小：[0x00051000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ AUTHZ.dll]，基地址：0x776C0000]，大小：[0x00012000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USER32.dll初始化] ，基地址：[0x7E410000]，大小：[0x00091000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ GDI32.DLL]，基地址：[0x77F10000]，大小：[0x00049000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USERENV.dll]，基地址：0x769C0000]，大小：0x000B4000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ umpnpmgr.dll]，基地址：[0x7DBA0000]，大小：[0x00021000]模塊名稱： [C：\ WINDOWS \ SYSTEM32 \ WINSTA.dll]，基地址：[0x76360000]，大小：[0x00010000在]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NETAPI32.DLL]，基地址：[0x5B860000]，大小： [0x00055000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ShimEng.dll]，基地址：[0x5CB70000]，大小：[0x00026000]模塊名稱：C：\ WINDOWS \ AppPatch文件\ AcAdProc.dll]，基地址： [0x47260000]，大小：[0x0000F000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]，基地址：[0x77B40000]，大小：[0x00022000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \版本。 DLL]，基地址：[0x77C00000]，大小：[0x00008000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ eventlog.dll]，基地址：[0x77B70000]，大小：[0x00011000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ PSAPI.DLL]，基地址：[0x76BF0000]，大小：[0x0000B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WS2_32.DLL]，基地址：[0x71AB0000]，大小：[0x00017000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WS2HELP.dll]，基地址：[0x71AA0000]，大小：[0x00008000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ wtsapi32.dll]，基地址：[0x76F50000]大小：[0x00008000] [============================================ =================================] 3.A）SERVICES.EXE - 註冊表活動[===== ================================================== ======================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表鍵創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ CONTROL \類\ {8ECC055D -047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表項刪除：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \系統\ CurrentControlSet \控制\類\ {8ECC055D-047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK \ 0000 \ Control]鍵的： [HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK \ 0000]鍵：[HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\枚舉]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值修正：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_SMARTCHECK \ 0000]，值名稱：[驅動程序]，新價值：[{8ECC055D-047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[DeleteFlag]，新值：[1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[顯示名稱]，新價值：智能檢測]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：錯誤控制]，新值：[1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[的ImagePath]，新價值：\ ?? \ C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[開始]，新價值：[3]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，數值名稱：[類型]，新價值： [1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全]，值名稱：[安全]，新價值：[0x01001480900000009c000000140000003000000002001c00010000000280] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0303 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E96B-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0400 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E978-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0501 \ 1]，數值名稱：[ClassGUID]，值：[{4D36E978-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0700 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值： [{4D36E969-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0A03 \ 1]，數值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE -BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0F13 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E96F-E325-11CE-BFC1-08002BE10318}]， 1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI_HAL \ PNP0C08 \ 0]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ DISPLAY \ DEFAULT_MONITOR \ 4 2946A9FF＆0＆11223344＆00＆02]，值名稱：[ClassGUID]，值：[{4D36E96E-E325-11CE-BFC1-08002BE10318}]，1次關鍵： Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK\0000\Control ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Enum ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ DeleteFlag ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ DisplayName ], New Value: [ SmartCheck ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ ErrorControl ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ ImagePath ], New Value: [ \??\C:\WINDOWS\system32\autocheck.sys ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ Start ], New Value: [ 3 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ Type ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ], Value Name: [ Security ], New Value: [ 0x01001480900000009c000000140000003000000002001c00010000000280 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96B-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1 ], Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E969-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96F-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02 ], Value Name: [ ClassGUID ], Value: [ {4D36E96E-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020 ]，值名稱：[ClassGUID]，值：[{4D36E965-E325-11CE-BFC1-08002BE10318}]，1次關鍵： ], Value Name: [ ClassGUID ], Value: [ {4D36E965-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020 ]，值名稱：[ClassGUID]，值：[{4D36E967-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ISAPNP \ READDATAPORT \ 0]，值名稱：[ClassGUID ]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ LPTENUM \ MICROSOFTRAWPORT \ 5 34A37E9F＆0＆LPT1]，值名稱：[ClassGUID]，值：[{4D36E97D -E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCIIDE \ IDECHANNEL \ 4 3DE75EA＆0＆0]，值名稱：[ClassGUID]，值：[{4D36E96A-E325-11CE-BFC1- 08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCIIDE \ IDECHANNEL \ 4 3DE75EA＆0＆1]，數值名稱：[ClassGUID]，值：[{4D36E96A-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_1013＆DEV_00B8＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆10]，值名稱：[ClassGUID]，值：[{4D36E968-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_10EC＆DEV_8029＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆18]，值名稱：[ClassGUID]，值：[{4D36E972-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_1237＆SUBSYS_00000000＆REV_02 \ 3 13C0B0C5＆0＆00]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_7000＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆08]，值名稱： ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_7010＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆09]，值名稱：[ClassGUID]，值：[{ 4D36E96A-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ ACPI_HAL \ 0000]，值名稱：[ClassGUID]，值：[{4D36E966-E325-11CE-BFC1 -08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\ CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP \0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1- A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM \CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ LEGACY_IPSEC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 ], Value Name : [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1 -A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\ SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT \LEGACY_NDPROXY\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ], Value Name: [ ClassGUID ], Value : [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F- 11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ] , 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM \SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ ROOT\LEGACY_TCPIP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325 -11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM \ROOT\MEDIA\MS_MMVID ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ] , Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], Value Name: [ ClassGUID ] , Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972- E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318 } ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ ENUM\ROOT\RDP_KBD\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D -E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1- 08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key : [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ ], Value Name: [ ClassGUID ], Value: [ {4D36E967-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10 ], Value Name: [ ClassGUID ], Value: [ {4D36E968-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E966-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATUREB15FB15FOFFSET7E00LENGTH13F291800 ], Value Name: [ ClassGUID ], Value: [ {71A27CDD-812A-11D0-BEC7-08002BE2092F} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\SmartCheck\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_SMARTCHECK\0000 ], 4 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\SmartCheck\Enum ], Value Name: [ Count ], Value: [ 1 ], 8 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 1 time [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ] [=============================================================================] 3.c) services.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Drivers Loaded: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Driver: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] Driver: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: wincfg.exe wrote to the virtual memory of this process Filename: cmd.exe Command Line: "C:\WINDOWS\system32\cmd.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00D00000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\countryfix.dll ], Base Address: [0x10000000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ ], New Value: [ Microsoft Explorer ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ IsInstalled ], New Value: [ 1 ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ StubPath ], New Value: [ "C:\WINDOWS\system32\autocheck.exe" NetSpoolPtr ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], New Value: [ 1,0,0,6 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], New Value: [ 1,0,0,0 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], Value: [ 1,0,0,1 ], 22 times Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 18 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 18 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 16 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 7 times [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\Config.tbl ] File Name: [ C:\WINDOWS\system32\ffffz200907021420ca.tmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\Config.tbl ] File Name: [ C:\WINDOWS\system32\ffffz200907021420ca.tmp ] File Name: [ SmartCheck ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times File: [ SmartCheck ], Control Code: [ 0x0022E660 ], 1 time File: [ SmartCheck ], Control Code: [ 0x0022E65C ], 1 time File: [ \Device\RasAcd ], Control Code: [ 0x00F14014 ], 8 times File: [ SmartCheck ], Control Code: [ 0x0022C000 ], 6 times File: [ SmartCheck ], Control Code: [ 0x0022C008 ], 6 times File: [ SmartCheck ], Control Code: [ 0x0022C010 ], 75 times File: [ SmartCheck ], Control Code: [ 0x0022C014 ], 2496 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] [=============================================================================] 4.c) cmd.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ SmartCheck ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\autocheck.sys ] [=============================================================================] 4.d) cmd.exe - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ www.microsoft.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ YES ], Protocol: [ udp ] Name: [ hummfoundation.org ], Query Type: [ DNS_TYPE_A ], Query Result: [ 124.217.226.220 ], Successful: [ YES ], Protocol: [ udp ] [=============================================================================] 4.e) cmd.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ SysChkUpdate ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x1000d6e9 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x1000d78b ], 1 time [#############################################################################] 5. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by wincfg.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: cmd /c C:\SystemCheck.bat Process-status at analysis end: dead Exit Code: 1 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] 5.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 5.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\wincfg.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

顯示另一張圖片從四月07.pdf 收到2010.04.24 16時33分25秒（UTC）April_07.pdf 結果：0/40（0.00％）

Additional information
文件大小：46135字節
MD5：19a08f48d71044e0a4091ef4a4e16131

Traffic wincfg.exe - by Anubis

 DNS查詢：
 [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
         Name: [ www.microsoft.com ], Query Type: [ DNS_TYPE_A ],
             Query Result: [ ], Successful: [ YES ], Protocol: [ udp ]
         Name: [ hummfoundation.org ], Query Type: [ DNS_TYPE_A ],
             Query Result: [ 124.217.226.220 ], Successful: [ YES ], Protocol: [ udp ]

  [=============================================================================]
     Global Network Activities
 [=============================================================================]
 [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
     HTTP Conversations:
 [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
         From ANUBIS:1038 to 124.217.226.220:80 - [ hummfoundation.org ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]
              Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
              Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [   ]

 [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
     TCP Connection Attempts:
 [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
         From ANUBIS:1039 to 124.217.226.220:80
         From ANUBIS:1040 to 124.217.226.220:80
         From ANUBIS:1041 to 124.217.226.220:80
         From ANUBIS:1043 to 124.217.226.220:80
         From ANUBIS:1044 to 124.217.226.220:80

 Robtex.com

 124.217.226.220

  bidor.net, skyll.net, qcs.com.my, niceugg.net, jadi.com.my and at least 51 other hosts point to 124.217.226.220.
 It is blacklisted in one list.

  http://www.robtex.com/ip/124.217.226.220.html

*inetnum: 124.217.224.0 - 124.217.255.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC 
  *

===============================

04月23日鏈接HTAW¯¯木馬：的Win32 / Tapaoux.A下載

在hxxtp惡意HTA文件：在右Direction.hta //report-inshop.com/policies/A步驟

下載其它的惡意程序木馬wincfg.exe：的Win32 / Tapaoux.A

BCCCA07E2147BE4CF30E73A6714D8C38 a。在右Direction.hta步驟
1971EE25847D246116835C7157CF7F89 wincfg.exe
19A08F48D71044E0A4091EF4A4E16131月07.pdf

詳細信息

來自：理查德·威爾遜[郵寄地址：richard.wilson34@hotmail.com]
發送：週五，2010年4月23日7:52
要：XXXXXXXXXX
主題：奧巴馬的新核政策：在正確的方向邁出的一步

奧巴馬的新核政策：在正確的方向邁出的一步

軍控，核武器，不擴散，防禦
邁克爾·奧漢隆大腸桿菌，研究和高級研究員主任，外交政策

布魯金斯學會

文檔視圖（版本的Acrobat 9.0或以下）

頭
收稿日期：從BLU139-W28（[65.55.111.137]）由blu0-omc4-s33.blu0.hotmail.com
與Microsoft SMTPSVC（6.0.3790.3959）; 週五，2010年4月23日4時52分29秒-0700
消息ID：
返回路徑：richard.wilson34@hotmail.com
內容類型：多重/替代;
邊界=“_ f03abef7-5a0c-4660-b04a-387c90937f45_”
的X原產-IP：123.125.156.137]
來自：理查德·威爾遜

http://www.robtex.com/ip/123.125.156.137.html#blacklists
http://www.robtex.com/ip/123.125.156.137.html#whois inetnum：123.112.0.0 - 123.127.255.255 網絡名：聯通-BJ DESCR：中國聯通北京省網絡 DESCR：中國聯通

國：CN 人：中國聯通Hostmaster NIC- HDL：CH1302-AP
電子郵件：abuse@chinaunicom.cn 地址：21號，金融街
地址：北京市，100140
地址：中華人民共和國
電話：+ 86-10-66259940
傳真號碼：+ 86-10-66259764 國：CN
改變：abuse@chinaunicom.cn 20090408 MNT-
方式：MAINT-CNCGROUP 來源：APNIC
負責人：孫穎地址：復興門內大街97，西城區地址：北京市100800
國：CN 電話：+ 86-10-66030657 傳真號碼：+ 86-10-66078815
電子郵件：hostmast@publicf.bta.net.cn NIC-HDL：SY21-AP MNT-
方式：MAINT-CNCGROUP-BJ
改變：suny@publicf.bta.net.cn 19980824
改變：hm-changed@apnic.net 20060717
改變：hostmast@publicf.bta.net.cn 20090630
來源：APNIC **

顯示另一張圖片
從 hxxtp 在右Direction.hta一個步驟 ：在右Direction.hta //report-inshop.com/policies/A步驟
http://www.virustotal.com/analisis/746e8ea808d2fa9c51e72f25a84c0924ecddc4b82ee3efae122e27158b1b2c2e-1272024139
文件A_20Step_20in_20the_20Right_20Dir收到2010.04.23 12時02分19秒（UTC） 目前狀態：完成 結果：0/40（0.00％） 附加信息 文件大小：198809字節 MD5：bccca07e2147be4cf30e73a6714d8c38

從右Direction.hta一個步驟- 2的Shellcode EXE（sandsprite.com）結果

http://www.virustotal.com/analisis/4c66155cc842c8bf1a13172a3b1e15ea991bec4c8fd7f29c9eea1cdc26659791-1272129493

shellcode.exe

收到2010.04.24 17時十八分13秒（UTC）文件shellcode.exe
目前狀態：完成
結果：14/40（35.00％）
的AntiVir 8.2.1.224 2010.04.23 PCK /甩
Authentium公司5.2.0.5 2010.04.24 W32 / SmallTrojan.M.gen！埃爾多拉多
AVG 9.0.0.787 2010.04.24 Agent_r.OV
CAT-QuickHeal 10.00 2010.04.23（可疑） - DNAScan
科摩多4676 2010.04.24 TrojWare.Win32.TrojanDownloader.Small。〜AOLO
架F -普羅特4.5.1.85 2010.04.24 W32 / SmallTrojan.M.gen！埃爾多拉多
江民13.0.900 2010.04.24 木馬/ Agent.ckpb
卡巴斯基7.0.0.125 2010.04.24 木馬Downloader.Win32.Small.aolo
邁克菲5.400.0.1158 2010.04.24 通用Downloader.fa
邁克菲-GW-版6.8.5 2010.04.23 Packer.Dumped
微軟1.5703 2010.04.24 TrojanDownloader：Win32的/ Sileco.A
TheHacker 6.5.2.0.268 2010.04.23 木馬/ Downloader.Small.aolo
趨勢科技9.120.0.1004 2010.04.24 TROJ_SMALL.SMJ2
附加信息
文件大小：102994字節 MD5：9b41c8a47770bb3f8ff5f76aad49c84f

wincfg.exe從hxxp：//report-inshop.com/policies/wincfg.exe -見上面的截圖的Wireshark

http://www.virustotal.com/analisis/de4ff8901766e8fc89e8443f8732394618bf925ce29b6a8aafe1d60f496e7f0e-1272127473

收到2010.04.24 16時44分33 秒（UTC）文件wincfg.exe
結果：1/40（2.50％）
微軟1.5703 2010.04.24 木馬：的Win32 / Tapaoux.A
文件大小：357344字節
MD5：1971ee25847d246116835c7157cf7f89

阿努比斯報告http://anubis.iseclab.org/?action=result&task_id=1a1a33275cdb76c24b932808a50af114f

[#############################################################################] Anubis Analysis Report for wincfg.exe MD5: 1971ee25847d246116835c7157cf7f89 [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. [################################################# ############################]阿努比斯分析報告wincfg.exe MD5：1971ee25847d246116835c7157cf7f89 [########## ################################################## #################]摘要： - 自動啟動功能：該可執行文件註冊在系統啟動時執行的過程。 This could result in unwanted actions to be performed automatically.這可能導致不希望的操作自動執行。 - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - 創建在Windows系統目錄下的文件：經常惡意軟件的keepscopies本身在Windows目錄中由用戶留未被發現。 - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - 執行文件修改和破壞：可執行modifiesand解構這是不是臨時文件。 - Spawns Processes: The executable produces processes during the execution. - 產生進程：可執行文件的執行過程中產生的過程。 - Performs Registry Activities: The executable reads and modifies registry values. - 執行登記活動：可執行文件讀取和修改註冊表值。 It also creates and monitors registry keys.它還創建和監視註冊表項。 [=============================================================================] Table of Contents [=============================================================================] - General information - wincfg.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities - services.exe a) Registry Activities b) File Activities c) Other Activities - cmd.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Network Activities e) Other Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 240 s Report created: 04/24/10, 17:08:58 UTC Termination reason: Timeout Program version: 1.74.2783 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] HTTP Conversations: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1038 to 124.217.226.220:80 - [ hummfoundation.org ] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ] Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ <no reply>] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] TCP Connection Attempts: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1039 to 124.217.226.220:80 From ANUBIS:1040 to 124.217.226.220:80 From ANUBIS:1041 to 124.217.226.220:80 From ANUBIS:1043 to 124.217.226.220:80 From ANUBIS:1044 to 124.217.226.220:80 [#############################################################################] 2. wincfg.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: wincfg.exe MD5: 1971ee25847d246116835c7157cf7f89 SHA-1: b00fa08c86dba7d4065018e7234b850d2a541799 File Size: 357344 Bytes Command Line: "C:\wincfg.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ [================================================= ============================]目錄[================= ================================================== ==========] - 一般信息 - wincfg.exe一）註冊活動b）文件活動三）Windows服務活動D）進程的活動e）其他活動 - SERVICES.EXE一）註冊活動b）文件活動c）其他活動 - CMD.EXE一）註冊活動b）文件活動三）Windows服務活動四）網絡活動e）其他活動 - CMD.EXE一）註冊活動b）文件活動[####### ################################################## ####################] 1.一般資料[######################## ################################################## ###] [============================================= ================================]有關阿努比斯'調用[信息=========== ================================================== =====]所需時間：240秒報告創建：10年4月24日，17時08分58秒UTC終止的原因：超時程序版本：1.74.2783 [== ================================================== =========================]全球網絡活動[==================== ================================================== =======] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]的HTTP會話：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]從ANUBIS：1038 124.217.226.220:80 - [hummfoundation.org]請求：GET /on/yahoo/banner4.php?jpg= ../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /對/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK “]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner3.php?jpg=../ （LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /上/雅虎/ ？banner3.php JPG = .. /（LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[<沒有回复>]請求：GET /on/yahoo/banner4.php?jpg=../yahoo] ，回應：[200“OK”]請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]響應：[<沒有回复>] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =] TCP連接嘗試：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = ]從ANUBIS：1039至124.217.226.220:80從ANUBIS：1040 124.217.226.220:80從ANUBIS：1041 124.217.226.220:80從ANUBIS：1043 124.217.226.220:80從ANUBIS：1044至124.217.226.220： 80 ################################################ #############################] 2. wincfg.exe [############## ################################################## #############] [=================================== ==========================================]關於這個可執行文件的一般信息[= ================================================== ==========================]分析原因：初步分析主題文件名：wincfg.exe MD5：1971ee25847d246116835c7157cf7f89 SHA-1：b00fa08c86dba7d4065018e7234b850d2a541799文件大小：357344字節命令行：“C：\ wincfg.exe”過程狀態的分析結束：死退出代碼：0 ========================= ================================================== ==]負載時DLL [========================================== ===================================]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NTDLL.DLL ]，基地址：[0x7C900000]，大小：[0x000AF000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ kernel32.dll中]，基地址：[0x7C800000]，大小：[0x000F6000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USER32.dll初始化]，基地址：[0x7E410000]，大小：[0x00091000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ GDI32.DLL]，基地址：[0x77F10000]，大小：[0x00049000]模塊名稱：[C：\ WINDOWS \ SYSTEM32 \ COMDLG32.DLL]，基地址：0x763B0000]，大小：[0x00049000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ADVAPI32.dll中]，基地址：[0x77DD0000]，大小：[0x0009B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ RPCRT4.DLL]，基地址：[0x77E70000]，大小：[0x00092000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \找到Secur32.dll]，基址：[0x77FE0000]，大小：[0x00011000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ COMCTL32.DLL]，基地址：[0x5D090000]，大小：[0x0009A000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ SHELL32 .dll文件]，基地址：[0x7C9C0000]，大小：[0x00817000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSVCRT.DLL]，基地址：[0x77C10000]，大小：[0x00058000]模塊名稱：[C： \ WINDOWS \ SYSTEM32 \ SHLWAPI.DLL]，基地址：[0x77F60000]，大小：[0x00076000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WINSPOOL.DRV]，基地址：[0x73000000]，大小：[0x00026000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ OLE32.DLL]，基地址：[0x774E0000]，大小：[0x0013D000]模塊名稱： C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00B60000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] 2.a) wincfg.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ ]，基地址：[0x773D0000]，大小：[0x00103000] [=================================== ==========================================]運行時DLL [== ================================================== =========================]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ntoskrnl.exe中]，基地址：[0x00B60000]，大小：[0x00216680]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSCTF.dll]，基地址：[0x74720000]，大小：[0x0004C000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]，基址：[0x77B40000]，大小：[0x00022000] [======================================= ======================================] 2.A）wincfg.exe - 註冊表活動[ ================================================== ===========================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值修正：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [夾]，值名稱：[AppData的]，新價值：[C：\ Documents和Settings \管理員\應用數據]鍵： HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Startup ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [夾]，值名稱：[啟動]，新價值：[C：\ Documents和Settings \管理員\開始菜單\程序\啟動] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SOFTWARE \微軟\ CTF \ SystemShared \]，數值名稱：[CUAS]，值：[0]，1次關鍵：[HKLM \系統\ CurrentControlSet \控制\會話管理器]，值名稱：[CriticalSectionTimeout]，值：[2592000] 1次關鍵：[HKLM \ SYSTEM \ SETUP]，值名稱：[SystemSetupInProgress]，值：[0]，1次關鍵：[HKLM \ SYSTEM \ WPA \媒體中心]，值名稱：[安裝]，值：0 ]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[AuthenticodeEnabled]，值：[0]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \安全\ CodeIdentifiers]，值名稱：[DefaultLevel]，值：[262144]，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[PolicyScope的]，值：[0] ，1次關鍵：[HKLM \ SOFTWARE \政策\微軟\的Windows \更安全\ CodeIdentifiers]，值名稱：[TransparentEnabled]，值：[1]，2次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[0x5eab304f957a49896a006c1c31154015]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ ]，值名稱：[ItemSize]，值：[779]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[0x67b0d48b343a3fd3bce9dc646704f394]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ ]，值名稱：[ItemSize]，值：[517]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[0x327802dcfef8c893dc8ab006dd847d1d]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ ]，值名稱：[ItemSize]，值：[918]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[0xbd9a2adb42ebd8560e250e4df8162f67]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ ]，值名稱：[ItemSize]，值：[229]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ ]，值名稱：[HashAlg]，值：[32771]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[0x386b085f84ecf669d36b956a22c01e80]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ ]，值名稱：[ItemSize]，值：[370]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ ]，值名稱：[的ItemData]，值：[HKEY_CURRENT_USER％\軟件\微軟\的Windows \ CurrentVersion \ Explorer的\殼牌文件夾\緩存％白斑*]，1次關鍵： HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ ]，值名稱：[SaferFlags]，值：[0]，1次關鍵：[HKLM \系統\ CurrentControlSet \控制\ Terminal服務器]，值名稱：[TSUserEnabled]，值：[0]，1次關鍵： HKU \ S-1-5-21-842925246-1425521274-308236825-500 \鍵盤佈局\切換]，值名稱：語言快捷鍵]，值：[1]，2次關鍵：[HKU \ S-1-5 -21-842925246-1425521274-308236825-500 \鍵盤佈局\切換]，值名稱：佈局熱鍵]，值：[2]，2次關鍵： HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [夾]，值名稱：[緩存]，值：[C：\ Documents和Settings \管理員\本地設置\ Temporary Internet Files文件]，1次關鍵： HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [外殼文件夾]，值名稱：[AppData的]，值：[％USERPROFILE％\應用數據]，1次關鍵： HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Startup ], Value: [ %USERPROFILE%\Start Menu\Programs\Startup ], 1 time [=============================================================================] 2.b) wincfg.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] File Name: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ SmartCheck ], Control Code: [ 0x0022E660 ], 1 time File: [ SmartCheck ], Control Code: [ 0x0022E65C ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [外殼文件夾]，值名稱：[啟動]，值：[％USERPROFILE％\開始菜單\程序\啟動]，1次[===================== ================================================== ======] 2.B）wincfg.exe - 文件活動[================================ =============================================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]創建的文件：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ SystemCheck.bat]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.exe]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]文件名：[C：\ WINDOWS \ SYSTEM32 \ countryfix.dll] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ WINDOWS \ SYSTEM32 \ countryfix.dll] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件修改：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：[C：\ SystemCheck.bat]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.exe]文件名：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]文件名：C：\ WINDOWS \ SYSTEM32 \ countryfix.dll]文件名：[智能檢測] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]設備控制通信：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件：[\設備\ KsecDD]，控制代碼：[0x00390008]，8次文件：[智能檢測]，控制碼：[0x0022E660]，1次文件：[智能檢測]，控制代碼：[0x0022E65C]，2倍[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =存儲器映射文件：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]文件名：C：\ SystemCheck.bat]文件名： C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\COMCTL32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) wincfg.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ SmartCheck ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\autocheck.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=============================================================================] 2.d) wincfg.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ ], Command Line: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=============================================================================] 2.e) wincfg.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ ]文件名：C：\ WINDOWS \ WindowsShell.Manifest]文件名：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ COMCTL32.DLL]文件名：C： \ WINDOWS \ SYSTEM32 \ MSCTF.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ SHELL32.DLL]文件名：C：\ WINDOWS \ SYSTEM32 \ WINSPOOL.DRV]文件名：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]文件名：C：\ WINDOWS \ SYSTEM32 \ imm32.dll]文件名：C：\ WINDOWS \ SYSTEM32 \ ntoskrnl.exe中]文件名：C：\ WINDOWS \ SYSTEM32 \ rpcss.dll]文件名稱：C：\ WINDOWS \ AppPatch文件\ sysmain.sdb] [=================================== ==========================================] 2.C）wincfg.exe - Windows服務活動[============================================= ================================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務啟動：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務：[智能檢測] [ = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]名稱：智能檢測]類型：SERVICE_DEMAND_START]路徑：C：\ WINDOWS \ SYSTEM32 \ autocheck.sys] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務刪除：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]服務：[智能檢測] [=============================================== ==============================] 2.D）wincfg.exe - 流程活動[======== ================================================== ===================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]流程創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]可執行文件：[C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]，命令行： ]可執行文件：[]，命令行：C：\ SystemCheck.bat] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]遠程線程創建： [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]受影響的過程：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE]影響過程：[C： \ WINDOWS \ SYSTEM32 \ CMD.EXE] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]外國存儲器區讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]進程：C：\ WINDOWS \ SYSTEM32 \ CMD.EXE] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]外國存儲器區寫：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]過程：[C：\ WINDOWS \ SYSTEM32 \ CMD.EXE] [==================================== =========================================] 2.E）wincfg.exe - 其他活動[=============================================== ==============================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]互斥創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]互斥：[CTF.Asm.MutexDefaultS -1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.LBES.MutexDefaultS-1-5 -21-842925246-1425521274-308236825-500]互斥：[CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500]互斥：[CTF.TMD.MutexDefaultS-1-5-21-842925246 -1425521274-308236825-500]互斥： CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x40ad09 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x40adab ], 1 time [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. ] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]視窗SEH例外：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]說明：[異常0xc000001d（STATUS_ILLEGAL_INSTRUCTION）在0x40ad09]，1次說明：[異常0xc0000096（STATUS_PRIVILEGED_INSTRUCTION）在0x40adab]，1次[######## ################################################## ################### 3. SERVICES.EXE [######################## ################################################## ###] [============================================= ================================]關於這個可執行文件[常規信息=========== ================================================== =====]分析原因：服務已啟動。 Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK\0000\Control ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SMARTCHECK ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Enum ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ DeleteFlag ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ DisplayName ], New Value: [ SmartCheck ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ ErrorControl ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ ImagePath ], New Value: [ \??\C:\WINDOWS\system32\autocheck.sys ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ Start ], New Value: [ 3 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck ], Value Name: [ Type ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\SmartCheck\Security ], Value Name: [ Security ], New Value: [ 0x01001480900000009c000000140000003000000002001c00010000000280 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96B-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1 ], Value Name: [ ClassGUID ], Value: [ {4D36E978-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E969-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96F-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02 ], Value Name: [ ClassGUID ], Value: [ {4D36E96E-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [文件名：SERVICES.EXE MD5：0e776ed5f7cc9f94299e70461b7b8185 SHA-1：cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf文件大小：108544字節命令行：C：\ WINDOWS \ SYSTEM32 \ SERVICES.EXE在分析結束進程狀態：活著的退出代碼：0 [====== ================================================== =====================]負載時DLL [======================= ================================================== ====]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ntdll.dll中]，基地址：[0x7C900000]，大小：[0x000AF000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ kernel32.dll中]，基地址：[0x7C800000]，大小：[0x000F6000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ADVAPI32.dll中]，基地址：[0x77DD0000]，大小：[0x0009B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ RPCRT4.DLL]，基地址：[0x77E70000]，大小：[0x00092000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \找到Secur32.dll]，基地址：[0x77FE0000]，大小：[0x00011000]模塊名稱：[C ：\ WINDOWS \ SYSTEM32 \ MSVCRT.DLL]，基地址：[0x77C10000]，大小：[0x00058000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NCObjAPI.DLL]，基地址：[0x5F770000]，大小：[0x0000C000 ]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ MSVCP60.dll]，基地址：[0x76080000]，大小：[0x00065000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ SCESRV.dll]，基地址：[0x7DBD0000 ]，大小：[0x00051000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ AUTHZ.dll]，基地址：0x776C0000]，大小：[0x00012000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USER32.dll初始化] ，基地址：[0x7E410000]，大小：[0x00091000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ GDI32.DLL]，基地址：[0x77F10000]，大小：[0x00049000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ USERENV.dll]，基地址：0x769C0000]，大小：0x000B4000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ umpnpmgr.dll]，基地址：[0x7DBA0000]，大小：[0x00021000]模塊名稱： [C：\ WINDOWS \ SYSTEM32 \ WINSTA.dll]，基地址：[0x76360000]，大小：[0x00010000在]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ NETAPI32.DLL]，基地址：[0x5B860000]，大小： [0x00055000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ ShimEng.dll]，基地址：[0x5CB70000]，大小：[0x00026000]模塊名稱：C：\ WINDOWS \ AppPatch文件\ AcAdProc.dll]，基地址： [0x47260000]，大小：[0x0000F000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ Apphelp.dll]，基地址：[0x77B40000]，大小：[0x00022000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \版本。 DLL]，基地址：[0x77C00000]，大小：[0x00008000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ eventlog.dll]，基地址：[0x77B70000]，大小：[0x00011000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ PSAPI.DLL]，基地址：[0x76BF0000]，大小：[0x0000B000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WS2_32.DLL]，基地址：[0x71AB0000]，大小：[0x00017000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ WS2HELP.dll]，基地址：[0x71AA0000]，大小：[0x00008000]模塊名稱：C：\ WINDOWS \ SYSTEM32 \ wtsapi32.dll]，基地址：[0x76F50000]大小：[0x00008000] [============================================ =================================] 3.A）SERVICES.EXE - 註冊表活動[===== ================================================== ======================] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表鍵創建：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ CONTROL \類\ {8ECC055D -047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表項刪除：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \系統\ CurrentControlSet \控制\類\ {8ECC055D-047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK \ 0000 \ Control]鍵的： [HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK \ 0000]鍵：[HKLM \系統\ CurrentControlSet \ Enum的\ ROOT \ LEGACY_SMARTCHECK]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\枚舉]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值修正：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_SMARTCHECK \ 0000]，值名稱：[驅動程序]，新價值：[{8ECC055D-047F-11D1-A537-0000F8753ED1} \ 0000]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[DeleteFlag]，新值：[1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[顯示名稱]，新價值：智能檢測]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：錯誤控制]，新值：[1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[的ImagePath]，新價值：\ ?? \ C：\ WINDOWS \ SYSTEM32 \ autocheck.sys]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，值名稱：[開始]，新價值：[3]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測]，數值名稱：[類型]，新價值： [1]鍵：[HKLM \系統\ CurrentControlSet \服務\智能檢測\安全]，值名稱：[安全]，新價值：[0x01001480900000009c000000140000003000000002001c00010000000280] [= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]註冊表值閱讀：[= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - =]鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0303 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E96B-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0400 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E978-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0501 \ 1]，數值名稱：[ClassGUID]，值：[{4D36E978-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0700 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值： [{4D36E969-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0A03 \ 1]，數值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE -BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI \ PNP0F13 \ 4 2C5A7332＆0]，值名稱：[ClassGUID]，值：[{4D36E96F-E325-11CE-BFC1-08002BE10318}]， 1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ACPI_HAL \ PNP0C08 \ 0]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ DISPLAY \ DEFAULT_MONITOR \ 4 2946A9FF＆0＆11223344＆00＆02]，值名稱：[ClassGUID]，值：[{4D36E96E-E325-11CE-BFC1-08002BE10318}]，1次關鍵： HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020 ], Value Name: [ ClassGUID ], Value: [ {4D36E965-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ ]，值名稱：[ClassGUID]，值：[{4D36E965-E325-11CE-BFC1-08002BE10318}]，1次關鍵： HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020 ], Value Name: [ ClassGUID ], Value: [ {4D36E967-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10 ], Value Name: [ ClassGUID ], Value: [ {4D36E968-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09 ], Value Name: [ ClassGUID ], Value: [ {4D36E96A-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E966-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ ]，值名稱：[ClassGUID]，值：[{4D36E967-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ISAPNP \ READDATAPORT \ 0]，值名稱：[ClassGUID ]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ LPTENUM \ MICROSOFTRAWPORT \ 5 34A37E9F＆0＆LPT1]，值名稱：[ClassGUID]，值：[{4D36E97D -E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCIIDE \ IDECHANNEL \ 4 3DE75EA＆0＆0]，值名稱：[ClassGUID]，值：[{4D36E96A-E325-11CE-BFC1- 08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCIIDE \ IDECHANNEL \ 4 3DE75EA＆0＆1]，數值名稱：[ClassGUID]，值：[{4D36E96A-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_1013＆DEV_00B8＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆10]，值名稱：[ClassGUID]，值：[{4D36E968-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_10EC＆DEV_8029＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆18]，值名稱：[ClassGUID]，值：[{4D36E972-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_1237＆SUBSYS_00000000＆REV_02 \ 3 13C0B0C5＆0＆00]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_7000＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆08]，值名稱： ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ PCI \ VEN_8086＆DEV_7010＆SUBSYS_00000000＆REV_00 \ 3 13C0B0C5＆0＆09]，值名稱：[ClassGUID]，值：[{ 4D36E96A-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ ACPI_HAL \ 0000]，值名稱：[ClassGUID]，值：[{4D36E966-E325-11CE-BFC1 -08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ DMIO \ 0000]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ FTDISK \ 0000]，值名稱：[ClassGUID]，值：[{4D36E97D-E325-11CE-BFC1-08002BE10318}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_AFD \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_BEEP \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_DMBOOT \ 0000]，值名稱： [ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_DMLOAD \ 0000]，值名稱：[ClassGUID]，值： {8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_FIPS \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1- A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_GPC \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1時間關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_HTTP \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_IPNAT \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_IPSEC \ 0000]，值名稱：[ClassGUID]，值：[{8ECC055D-047F-11D1-A537-0000F8753ED1}]，1次關鍵：[HKLM \ SYSTEM \ CONTROLSET001 \ ENUM \ ROOT \ LEGACY_KSECDD \ 0000]，數值名稱: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1 -A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\ SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT \LEGACY_NDPROXY\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000 ], Value Name: [ ClassGUID ], Value : [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F- 11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ] , 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM \SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ ROOT\LEGACY_TCPIP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325 -11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM \ROOT\MEDIA\MS_MMVID ], Value Name: [ ClassGUID ], Value: [ {4D36E96C-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 ] , Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 ], Value Name: [ ClassGUID ] , Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972- E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318 } ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E972-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ ENUM\ROOT\RDP_KBD\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D -E325-11CE-BFC1-08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002 ], Value Name: [ ClassGUID ], Value: [ {4D36E97D-E325-11CE-BFC1- 08002BE10318} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key : [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_SMARTCHECK\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATUREB15FB15FOFFSET7E00LENGTH13F291800 ], Value Name: [ ClassGUID ], Value: [ {71A27CDD-812A-11D0-BEC7-08002BE2092F} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\SmartCheck\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_SMARTCHECK\0000 ], 4 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\SmartCheck\Enum ], Value Name: [ Count ], Value: [ 1 ], 8 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 1 time [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ] [=============================================================================] 3.c) services.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Drivers Loaded: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Driver: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] Driver: [ HKLM\System\CurrentControlSet\Services\SmartCheck ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: wincfg.exe wrote to the virtual memory of this process Filename: cmd.exe Command Line: "C:\WINDOWS\system32\cmd.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00D00000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\countryfix.dll ], Base Address: [0x10000000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ ], New Value: [ Microsoft Explorer ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ IsInstalled ], New Value: [ 1 ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ StubPath ], New Value: [ "C:\WINDOWS\system32\autocheck.exe" NetSpoolPtr ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], New Value: [ 1,0,0,6 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], New Value: [ 1,0,0,0 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{537ACDEF-2672-3341-CCEA-2BE4DE1673DF} ], Value Name: [ Version ], Value: [ 1,0,0,1 ], 22 times Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 18 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 18 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 16 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 28 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 14 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 7 times Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 7 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 7 times [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\Config.tbl ] File Name: [ C:\WINDOWS\system32\ffffz200907021420ca.tmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\autocheck.exe ] File Name: [ C:\WINDOWS\system32\autocheck.sys ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\Config.tbl ] File Name: [ C:\WINDOWS\system32\ffffz200907021420ca.tmp ] File Name: [ SmartCheck ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times File: [ SmartCheck ], Control Code: [ 0x0022E660 ], 1 time File: [ SmartCheck ], Control Code: [ 0x0022E65C ], 1 time File: [ \Device\RasAcd ], Control Code: [ 0x00F14014 ], 8 times File: [ SmartCheck ], Control Code: [ 0x0022C000 ], 6 times File: [ SmartCheck ], Control Code: [ 0x0022C008 ], 6 times File: [ SmartCheck ], Control Code: [ 0x0022C010 ], 75 times File: [ SmartCheck ], Control Code: [ 0x0022C014 ], 2496 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\countryfix.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] [=============================================================================] 4.c) cmd.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ SmartCheck ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ SmartCheck ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\autocheck.sys ] [=============================================================================] 4.d) cmd.exe - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ www.microsoft.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ YES ], Protocol: [ udp ] Name: [ hummfoundation.org ], Query Type: [ DNS_TYPE_A ], Query Result: [ 124.217.226.220 ], Successful: [ YES ], Protocol: [ udp ] [=============================================================================] 4.e) cmd.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ SysChkUpdate ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x1000d6e9 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x1000d78b ], 1 time [#############################################################################] 5. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by wincfg.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: cmd /c C:\SystemCheck.bat Process-status at analysis end: dead Exit Code: 1 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] 5.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 5.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\wincfg.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

顯示另一張圖片從四月07.pdf 收到2010.04.24 16時33分25秒（UTC）April_07.pdf 結果：0/40（0.00％）

附加信息
文件大小：46135字節
MD5：19a08f48d71044e0a4091ef4a4e16131

交通wincfg.exe - 由阿努比斯

 DNS查詢：
 [=  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  = -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =]
        名稱：[www.microsoft.com]，查詢類型：DNS_TYPE_A]
            查詢結果：[]，成功：[是]協議[UDP]
        名稱：[hummfoundation.org]，查詢類型：DNS_TYPE_A]
            查詢結果：[124.217.226.220]成功：[是]協議[UDP]

  [================================================= ============================]
    全球網絡活動
 [================================================= ============================]
 [=  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  = -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =]
    HTTP對話：
 [=  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  = -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =]
        從ANUBIS：1038 124.217.226.220:80  -  [hummfoundation.org]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]
             請求：GET /on/yahoo/banner4.php?jpg=../yahoo]回應：[200“OK”]
             請求：GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy]回應：[   ]

 [=  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  = -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =]
    TCP連接嘗試：
 [=  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  = -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =  -  =]
        從ANUBIS：1039至124.217.226.220:80
        從ANUBIS：1040 124.217.226.220:80
        從ANUBIS：1041 124.217.226.220:80
        從ANUBIS：1043 124.217.226.220:80
        從ANUBIS：1044 124.217.226.220:80

 Robtex.com

 124.217.226.220

 bidor.net，skyll.net，qcs.com.my，niceugg.net，jadi.com.my和至少51其他主機指向124.217.226.220。
它被列入黑名單在一個列表中。

  http://www.robtex.com/ip/124.217.226.220.html

inetnum：124.217.224.0  -  124.217.255.255
網絡名：PIRADIUS-NET
DESCR：PIRADIUS網
國家：MY
聯繫-C：PA124-AP
高科技-C：PA124-AP
狀態：已分配PORTABLE
MNT-方式：APNIC-HM
MNT-降低：MAINT-MY-PIRADIUS
改變：hm-changed@apnic.net 20071217
來源：APNIC

負責人：PIRADIUS NET管理員
NIC-HDL：PA124-AP
電子郵件：abuse@piradius.net
地址：PIRADIUS網
地址：單位21-3A，等級21
地址：廣場DNP 59，惹阿都拉塔希爾
地址：塔曼世紀花園
地址：80300柔佛
地址：馬來西亞
電話：607 334 8605
傳真號碼：607 334 8605
國家：MY
改變：admin@piradius.net 20071003
MNT-方式：MAINT-MY-PIRADIUS
來源：APNIC

=====

#TANGODOWN_HACKED 已轉推

‏@E_Anony_

@AN0NGH0STTeam @AN0N_AL_AQSA @TANGODOWN__NEWS Social justice, #AnonGhost team and #AnonSec Hacker. #Respected Bro

#TANGODOWN_HACKED 已轉推

‏@AnonOpSaudiX2

Where did I hear that --> "A SINGLE Central Global Government" United Federation of Nations #UFNations sure without #Humanity

‏@TobitowTHA

Los Chinos me aman jajaja #China #ChinaHacking @LIberoamericaMu :D

‏@TobitowTHA

Los Chinos me aman jajaja #China #ChinaHacking @LIberoamericaMu :D

=====
http://freebeacon.com/national-security/russian-warships-dock-in-iran-for-war-training/

Russian Warships Dock In Iran for War Training

http://freebeacon.com/national-security/russian-warships-dock-in-iran-for-war-training/

俄軍艦停靠在伊朗的戰爭訓練伊朗軍方領導人：“美國軍隊的只有屍體實現的力量”伊朗

Iranian military leader: ‘Only the dead body of the American troops realizes the power of’ Iran.俄軍艦停靠在伊朗的戰爭訓練伊朗軍方領導人：“美國軍隊的只有屍體實現的力量”伊朗.

BY: Adam Kredo
August 10, 2015

BY：亞當KREDO
2015年8月10日

Two Russian warships have docked in northern Iran for a series of naval training exercises with the Islamic Republic, according to Persian-language reports translated by the CIA’s Open Source Center.
The two Russian ships docked in Iran’s Anzali port on Sunday and will hold “joint naval exercises during the three-day stay of the warships in Iran,” according to a Persian-language report in Iran’s state-controlled Fars News Agency.
“The [Russian] warships, Volgodonsk and Makhachkala docked in Anzali Port [near the Caspian Sea], in the fourth naval zone, on the afternoon of 9 August,” the report says.
The war exercises come just weeks after Iran and global powers inked a nuclear accord that will provide Iran with billions of dollars in sanctions relief in return for slight restrictions on the country’s nuclear program.
Russian and Iran have grown close in recent years, with delegations from each country regularly visiting one another to ink arms deals and other agreements aimed at strengthening Iran’s nuclear program.
Russia and Iran agreed earlier this year to begin construction on several new nuclear power plants. Russia has also agreed to sell Iran a controversial advanced missile defense system that can prevent attacks by Western powers.
The Russian fleet docked in Iran’s port “carrying a message of ‘peace and friendship,’” according to Iranian officials quoted by Fars. The fleet was “welcomed by Iranian naval commanders and staff.”
The Russian commander of the fleet is scheduled to hold meetings with “local political and military officials” in Iran’s northern provinces, according to Fars.
Levan Jagarian, Russia’s ambassador to Tehran, reportedly attended the docking ceremony and called for “for boosting mutual ties between the two countries in various fields,” according to the report.
The two nations went on to say that “expanding bilateral economic, political, and military cooperation is among the priorities of the visit.”
A Russian fleet also docked in northern Iran in October.
Last week, a senior Iranian naval commander warned the United States against ever taking military action on Iranian interests, claiming that the response would be “unpredictably strong.”
“The western media are mocking at the U.S. for speaking of ‘on the table options (against Iran)’ because the U.S. always utters some words without the ability to materialize them,” Iranian Revolutionary Guard Corps Naval Commander Ali Fadavi was quoted as saying by the country’s state-run press.
Iran is “ready to give such a powerful response to the slightest move of the U.S. that it won’t be able to make any other moves,” Fadavi was quoted as saying.
The military leader went on to claim that “Iranian Armed Forces are now at the highest level of preparedness” and that “only the dead body of the American troops realizes the power of the Islamic Revolution.
Michael Rubin, a former Pentagon adviser and expert on rogue regimes, said the Obama administration is fundamentally misreading Iran’s intentions in light of the recently inked nuclear accord.
“We’re witnessing a new great game, and Obama is so self-centered he keeps playing solitaire,” Rubin said. “Obama simply doesn’t understand that the world is full of dictators who seek to checkmate America. What he sees as compromise; they see as weakness to exploit.”
Referring to a visit last week to Russia by IRGC leader Qassem Soleimani, who is responsible for the deaths of Americans, Rubin said it is clear that Moscow and Tehran aim to build a tight military alliance.
“Visiting Russia to talk arms purchases and now this naval visit, it’s clear that Putin and Khamenei will waste no time to really develop their military cooperation,” he said.
An axis between Russia, Iran, and North Korea is beginning to emerge Rubin said, citing official releases that a North Korean delegation is currently visiting Russia to tour war games sites.
“The Russian warship visit combined with North Korea scoping out war game sites in Russia suggest a new Axis of Evil is taking shape with Russia the lynchpin between Iran and North Korea,” Rubin said. “As for the United States, rather than the leader of the free world, Obama and Kerry have transformed us in much of the world’s eyes as the pinnacle of surrender.”
Meanwhile, Obama admitted Monday that Iran’s nuclear breakout time will shrink to “a matter of months” once the nuclear accord expires in around 15 years.
This entry was posted in National Security and tagged Iran, Russia. Bookmark the permalink

==========

Tianjin explosion: Dozens dead, areas of Chinese port city devastated

By Will Ripley, Steven Jiang and Jethro Mullen, CNN

Updated 0427 GMT (1127 HKT) August 14, 2015 | Video Source: CNN

A chemical odor hung in the air Thursday. Fires still burned in the thinly populated waterfront industrial district where the explosions went off. And the grim toll kept mounting.

Among the 50 confirmed dead are 17 firefighters, officials said Thursday. More than 700 people have been treated in hospitals, 71 in critical condition, the state-run Xinhua news outlet said. Dozens of people are reported to still be missing.

Authorities said more than 200 chemical specialists from the military had been sent in with detection devices. More than 1,000 firefighters have been trying to deal with the remaining fires.

#Blast aftermath: An abandoned convention center in #Tianjin, #China, after deadly chemical #fire and #explosions ripped through the area.

The explosions originated at a warehouse site owned by Tianjin Dongjiang Port Rui Hai International Logistics Co., a company that stores and transports dangerous chemicals. Firefighters had reportedly been called to the area to tackle a blaze before the first blast went off.

Company executives have been taken into custody, state media said.

The blasts' destructive force tore into Tianjin, smashing buildings and mangling shipping containers.

The first explosion was huge, and the second was even more powerful: the equivalent of 21 metric tons of TNT or a magnitude-2.9 earthquake, according to the China Earthquake Networks Center.

The explosions destroyed the house in which Qian Jiping and his wife, both of them migrant construction workers, were staying.

"When I heard the first explosion, I thought we were finished," Qian said.

Strangers pulled them from the rubble. They fled barefoot, barely feeling the shards of glass that littered the ground.

Across the city, residents were jolted awake as the blasts shattered windows and fish tanks.

"The shock wave just blew through our apartment. It blew out the glass, it blew out the doors, it knocked out the power," said Vafa Anderson, a teacher at an international school who lives less than 2 kilometers (about a mile) from the explosions' epicenter.

Anderson said he was awakened by the first blast and was looking out the window when the second went off, sending a "huge mushroom cloud" into the sky.

Emotions run high at Chinese hospital after blasts 01:54

"I thought it was an earthquake," said Liu Yue, a 25-year-old woman who lives about 4 kilometers (2½ miles) away. "I was extremely scared. I was afraid my family was in danger."

She said the 16-story building she lives in was rocking.

In a statement, the environmental group Greenpeace said it feared the danger was not over.

"We are concerned that certain chemicals will continue to pose a risk to the residents of Tianjin," the statement said.

"According to the Tianjin Tanggu Environmental Monitoring Station, hazardous chemicals stored by the company concerned include sodium cyanide (NaCN), toluene diisocyanate (TDI) and calcium carbide (CaC2), all of which pose direct threats to human health on contact. NaCN in particular is highly toxic. Ca (C2) and TDI react violently with water and reactive chemicals, with risk of explosion. This will present a challenge for firefighting and, with rain forecast for tomorrow, is a major hazard," Greenpeace said.

Wen Wurui, Tianjin's environment protection chief, told a news conference Thursday that some chemical levels in the area were higher than normal but that they wouldn't be dangerous to human health unless someone is exposed to them for long periods.

Slightly under 90,000 people live within a 5 kilometer radius of the blast site, according to China's Earthquake Administration.

The explosions have raised questions about the storage of hazardous materials at Tianjin's port.

A notice posted by the Tianjin Administration of Work Safety on its website last week said city officials held a meeting with executives of more than 20 companies that handle dangerous chemicals at the port.

The agency's director urged the executives to carry out safety management, the notice said.

Those injured in the blasts were taken to various hospitals in the city, with many reported to be suffering from cuts caused by broken glass.

People gathered outside one hospital not far from an area of badly damaged buildings, waiting for news of loved ones.

A severely burned man was wheeled past waiting crowds.

Some people collapsed from the heartbreak of losing someone close to them.

"Why did God take her? Why did God take my daughter?" one man cried out.

READ: What to know about the Tianjin crisis

Will Ripley and Steven Jiang reported from Tianjin. Jethro Mullen reported and wrote from Hong Kong. Shen Lu, Dana Ford, Elizabeth Joseph, Chieu Luu and Don Melvin contributed to this report.

=====
http://english.farsnews.com/newstext.aspx%3Fnn%3D13940513000294&usg=ALkJrhhzDNKmtIbMb_01gnP3bkr53aQ5Ng

德黑蘭（FNA） - 伊斯蘭革命衛隊（IRGC）海軍司令海軍少將阿里Fadavi警告美國不要採取對伊朗的敵視絲毫舉動，強調伊朗的回應將是不可預知的強勁。

“西方媒體都在嘲笑美國的說話'對表選項（對伊朗）'，因為美國總是說出一些話沒有能力兌現他們......我們準備給如此強大的響應一碰美國，這將無法做任何其他的舉動，“Fadavi說，解決在週一北部城市Zibakenar儀式。

他說，伊朗武裝部隊現在在準備的最高水平，指出美軍只有屍體實現伊斯蘭革命的力量。

Fadavi還提到伊朗與世界大國，包括美國之間的核談判，並說，“伊斯蘭革命給了對方一個難得的機會，他們應該注意不要錯過這個機會。”

在三月份的相關言論，Fadavi強調，敵人將永遠不敢襲擊伊朗，因為他們害怕伊朗武裝部隊的威懾力量。

“威懾伊朗的力量阻止敵人攻擊的國家，”少將說Fadavi，解決在城市馬什哈德，伊朗東北部的禮。

他指出，敵人一直試圖攻擊伊朗，但威懾伊斯蘭共和國的力量已經無法實現自己的目標阻止他們。

“美國人和我們的敵人無法站起來反對伊斯蘭制度的威懾力量，不管他們怎麼努力...，”海軍少將Fadavi增加。

同樣在三月，伊朗伊斯蘭革命衛隊司令少將穆罕默德·阿里·賈法裡說，伊朗是無動於衷敵人的戰爭言論，由於其驚人的威懾力，並特別，因為它已經預見到所有可能發生的情況適當的反應。

他提到伊朗的威懾力量和防禦能力面對敵人的威脅，並表示，“我們已經長大了這麼多強大，我們並不感到擔心敵人的不明智的態度，我們可以去過去任何敵人的情況下，這已經證明了我們當代的歷史。“

他強調，伊朗將化解任何敵人的情節和場景，無論是軍事威脅和制裁，賈法裡說，“美國應該找到一條血路，並繼續其瀕危的生命，但我們都驚訝於昂貴的和無用的情況下敵人的堅持。”

他強調，伊朗的戰略是強大的和決定性的。

“國家已經阻止敵人的路徑，其殘忍地塊物化，”他補充說，伊朗目前擁有了各種選項，並且能夠使用這些不同的選擇比以往任何時候的。

Ping On: All of our misfortune, so only two

"We are born in China, / we buried in China; / all our misfortune, / only so two / lying inside, / no longer have to pretend dead;! / Stay outside, / will continue to pretend to live . "- mainland network a poem" Chinese people epitaph "
Yet to digest the news of the explosion in Tianjin, has been an explosion in Bangkok, she looked away, especially where there are two Hong Kong woman was killed. Special government of Thailand issued a red travel warning, but it did not send a warning to Tianjin.
Two different explosions. Bangkok reasons substantially clear is that the political turmoil in recent years, the two factions confront each other, resulting in a number of dissidents opposed to military rule in terrorist attacks. Hong Kong people can not temporarily not set foot since the main place. Tianjin explosion not only due to unknown causes, most likely as yesterday "apple theory" has said, "the truth will go down the drain." And live under the "one country", if re-constitutional, two systems, Hong Kong until 2047 will end, will lead to the implementation of the same political system Tianjin explosion; in fact, this system has been gradually through fraud Executive in Hong Kong penetration, less than 2047 it is possible to fully implemented in Hong Kong as well.

Two Sides of One autocratic regime

We really want to think about what the future will live in a social environment.
Mainland netizens said: Some people criticize the Internet write a Communist, then a minute later they will know; someone put a possible blow up the entire city of dangerous goods in the warehouse until they exploded not know. Why not to regulate speech to regulate the intensity of dangerous goods?
One of the sides does not know, monitor speech and hasty control of dangerous goods, it is specifically the right system. One side is the storage of dangerous goods is simply a violent regime of asset protection benefits as part of those in power, or let them collect money, or the importance of dangerous goods stored at the absolute top of the security concerns surrounding residents; monitoring of speech is also from the other side maintenance purposes authoritarian regimes, so after the explosion Tianjin breath closure of more than three hundred sites, Internet users revealed that the number of deaths due to far more than the official announcement by the police station for further inquiries. This is a ruling class of rights (they call "stability maintenance"), namely, to maintain the power of those in power, and the mainland lawyers 'rights "is a different set of constitutional safeguard citizens' rights, and vice versa. If authorized by the people vote democratic regime, it is necessary to listen to criticism of the government will vigorously control of dangerous goods, not to hurt people, which is one of the two sides to maximize people's rights regime; and maximize the authoritarian regime just ruling power in contrast.
The local government at a press conference, the storage of dangerous goods can not answer how far you want to keep this issue with houses, who are responsible for disaster relief commander no answer. Inventory of dangerous goods Ruihai company has not anyone explain to the public events. Yesterday "Tianjin Daily" reported Ruihai company chairman, vice chairman, who has been controlled in the morning of August 13. "Controlled" What does it mean? He was arrested, or that it can not control them to disclose inside information? "People's Daily" published commentary, referring to the difficulty of investigating these incidents are extremely specific reasons, it takes a long time and I hope in the evidence, again released to the public. This is a delaying tactic. Things will certainly like Sanlu, Wenzhou crash, Eastern Star, and other man-made disasters, like the previous, dragging some time nothing. Anyway, Chinese people are forgetful.
There are conspiracy theories means that the Department of Tianjin explosion caused power struggle is certain forces to the meeting in Beidaihe, ninety parade this sensitive time to borrow against Xi Jinping army soldiers to stand. Understand the country and the people know, have the power to transport, storage or possession of these high-risk goods, can not be the private sector in general, and certainly the highest authority broadly layer related. The autocratic regime is always inseparable from the right to dispute.

They are pretending to be dead and alive

As the number of casualties, the death list, as it has with previous disasters, did they have time to be true? Most of the families in distress, seemed to accept what has happened irreparable, it only seeks compensation for accident liability gently let go. Seeks compensation for destroyed houses, mostly cry of "supernumerary" (ie non-civil service system) families of the victims firemen, they demanded equal treatment for all the dead. When Li Keqiang said that to give equal treatment and "they also are our hero" after, it appears that the authorities put things heal. Yesterday, the father of a dead fireman in front of the TV, said: "As a father, I am proud." As the German dramatist Bertolt Brecht said: a country needs heroes really sad. Because people simply living without accountability disaster liability, disaster will happen again. China to show greater tragedy situation after the explosion.
Back to the text of the poem before, it was many years ago I copied the pages in the mainland, there is no name of the author. Poems are great too deep. Unfortunately, only two Chinese people, is born in China died in China. The two had a full life. Human existence, like official press conference in Tianjin, like the official media every day "funeral when wedding do" touched the hearts of the report, even as the proud son for the death of my father, they are pretending to be dead not to leave alive. ʱ?? China too hard to see the real person, and full of dummies.
All of China's "fake" have infiltrated Hong Kong. Many Hong Kong people, but also because here is China, Hong Kong, so they have to pretend to pretend dead alive. If we do not strive to Hong Kong is still the former Hong Kong chief deception if we allow loading live every day and play dead, and all Hong Kong people are willing to simply stand in front of such a day, then the text previously cited epitaph would be " born in Hong Kong, China "is our tragedy portrayal.
(Https://www.facebook.com/mrleeyee)

Li Yi published Monday to Saturday

Li Yi

=====
http://hk.apple.nextmedia.com/news/art/20150819/19261462

蘋論：我們所有的不幸，只有這麼兩個

「我們生在中國，/我們葬在中國；/我們所有的不幸，/只有這麼兩個！/躺在裏面的，/再也不必假裝死了；/留在外面的，/還要繼續假裝活着。」——大陸網絡一首小詩《中國人墓誌銘》
還沒有把天津爆炸的消息消化完，又被曼谷的爆炸轉移了視線，尤其那裏有兩名香港女子死亡。特府對泰國發出紅色旅遊警示，但對於天津就沒有發警示。
兩場爆炸有所不同。曼谷的原因大致清楚，就是近年的政治動盪、兩派對壘，導致一些反對軍方統治的不滿分子進行恐怖襲擊。香港人完全可以自主要不要暫時不踏足這個地方。天津爆炸不僅原因未明，很可能如昨天《蘋論》所說，「真相只會石沉大海」。而且生活在「一國」之下，若不重新制憲，香港到2047年就會兩制告終，將實行導致天津爆炸同樣的政治制度；實際上這種制度已經逐漸透過行騙長官而在香港滲透，不到2047就有可能全面在香港實施也。

專權體制的一體兩面

我們真要想想，以後會生活在怎樣的社會環境中。
大陸網民說：有人在網上寫一句批評中共的話，一分鐘後他們就能知道；有人在倉庫裏放了可能炸毀整個城市的危險品，直到爆炸了他們都不知道。何不以管制言論的力度來管制危險品？
殊不知，監控言論與輕率管制危險品，正是專權體制的一體兩面。一面是儲存危險品乃保護掌權者利益的一部份，或讓他們斂財，或根本就是暴力政權的資產，危險品儲藏的重要性絕對在對周邊居民安全考慮之上；另一面監控言論也是出自維護專制政權的目的，故天津爆炸後，一口氣封了三百多個網站，有網民因為透露死亡數字遠超過官方公佈的，被公安扣查。這是統治階級的維權（他們叫「維穩」），即維護掌權者的權力，與大陸律師「維權」是維護憲法所定的公民權利不同，而且相反。若是由人民投票授權的民主政權，就必須聽取對政府的批評意見，也會大力管制危險品，不容傷害人民，這是人民權利最大化的政權的一體兩面；與專制政權的統治權力最大化剛好相反。
當地政府在記者會上，無法回答危險品儲存要與民居保持多遠距離這問題，對於誰是負責救災的總指揮也不回答。庫存危險品的瑞海公司未有任何人向公眾交代事件。昨天《天津日報》報道，瑞海公司董事長、副董事長等人在8月13日上午已被控制。「被控制」是甚麼意思？是被拘捕，還是控制他們使其不能向外透露內情？《人民日報》發表時評，指這宗事故具體原因的調查難度極大，需要較長時間，希望在證據確鑿後，再向公眾發佈。這是拖字訣。事情定會像三鹿奶粉、溫州撞車、東方之星等歷次人禍一樣，拖一段時間就不了了之。反正中國人是健忘的。
有陰謀論指，天津爆炸係權鬥造成，是某些勢力要在北戴河會議、九三閱兵這個敏感時期打擊習近平藉閱兵去立軍威。了解國情的人都知道，有權力運送、儲存或擁有這些高危險品的，都不可能是一般民間企業，大致可肯定與最高權力層有關。而專權體制是永遠離不開權爭的。

他們都在裝死地活着

至於傷亡數字、死亡名單，就也與歷次天災人禍一樣，何曾有一次是真實的？大多數遭難者的家屬，似乎都接受已發生的事不可挽回，故只要求賠償，對事故責任就輕輕放過。房子毀了要求賠償，哭訴的多屬於「編外」（即非公務員體制）的死難消防員家屬，他們要求所有死者同等待遇。當李克強說了給予同等待遇和「他們同樣都是我們的英雄」之後，看來當局就把事情撫平了。昨天有一個死難消防員的父親在電視前說：「作為父親的，我感到驕傲。」正如德國戲劇家布萊希特所說：一個國家需要英雄真可悲。因為只顧活着的人而不追究災難責任，災難就會一再發生。爆炸後的事態展現中國更大的悲劇。
回到文前的小詩，那是多年前筆者在大陸網頁抄下的，沒有作者名字。詩寫得太好太深刻了。中國人的不幸只有兩個，就是生在中國死在中國。這兩個就已是全部一生。生存的人，像天津記者會上的官員，像官媒每天「喪事當喜事辦」的感動人心的報道，甚而像那個為死去的兒子驕傲的爸爸，他們不都是在裝死地假活着嗎？中國太難見到真人，而到處是假人。
中國所有的「假」已滲進香港。許多香港人，也因為這裏已是中國香港，從而他們也要假裝死假裝活了。如果我們不力爭香港仍是以前的香港，如果我們任由行騙長官每天裝死裝活，而所有只顧眼前的香港人也甘心忍受這樣的日子，那麼文前所引的墓誌銘也會是「生在中國香港」的我們的悲劇寫照。
（https://www.facebook.com/mrleeyee

）

周一至周六刊出
李怡

李怡

=====

説好的攻擊香港(#ophk)奴隸賊狼梁振英(又名屍歪",下同)政府機關,和香港垃圾警察所有資訊的承諾是否各位匿名英雄哥兒,爺們,女傑士,不會忘記吧!?

是誰告訴我們保衛手無寸鐵的人們,被政治壓迫和恐嚇學生們,
威嚇參與民主運動人士,辛勞記者被無良政府的奴隸公安打至頭破血流,
義工們被獨攬政權的屍歪"利用恐嚇手段;被無良政府的奴隸公安扣留,監控,

加上香港畜牲律政師廢物;
把抗拒不義政權,無良無能屍歪"政府及民建聯中共奴隸獸,
把抗拒貪污腐敗的屍歪"政府的學生們加上'無名罪'作出政治恐嚇,
説要檢控學生們!??

香港人們的道德因屍歪''而腐化墮落,倒退!冷毒漠視民意!
我們的俠義匿名們....
懇請你們拯救在香港的學生們,黃之鋒在引領人們走向屬於香港公民的公民廣場!
這個公民廣場不是屍歪''這烏龜獨佔的!
牠跟大陸共產黨'雜腫'支那豬同樣搶掠人們的資產及人權!

請問天理道德何在?公義在何?
道德敗壞...
屍歪''憑著甚麼當上香港特首?!

賊狼梁振英屍歪'下台,
香港人們要你這畜牲滾回大陸共產黨的奴隸籠子裡!
恥辱了人類的尊嚴!!

我務請匿名兄弟姐妹,把香港賊狼梁振英屍歪"政府機關,和香港垃圾警察所有資訊網站和全部資料!!
作出轟然報復行動!

#ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian
我們不會忘記！
我們不會原諒！
我們在任何地方
我們是匿名的！

大陸政府,香港政府期待我們``

Melody.Blog 呼喚朋友,匿名兄弟姐妹們...

=====

[20/08-2015#ophk #opchina #OpISIS #Op_Tibet #OpTaiwan #OpRussian]-
http://melody-free-shaing.blogspot.com/2015/08/update1808-2015by-apple-daily-reported.html
[19/082015]-uodate-By深網中文 Deep Web Chinese([China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)[中國]如何圖收支平衡上的Deep Web的長城（圖形說明板）)**-
http://melody-free-shaing.blogspot.com/2015/08/update1808-2015by-apple-daily-reported.html
*Update[18/08-2015]By Apple Daily reported - and - by our variety great of Anonymous publication of you do not know....!-and finally by Apple daily on the Apple Forum: Title: All of us, unfortunately, only so two !(our favorite ) [famous writer - Mr. Li Yi]{李怡先生} This article also represents of Hong Kong people's,, anti-tyranny anti-corruption slave - thief wolf Leung Chun-Ying (aka ' Corpse crooked ", below) garbage government !!
更新[18/08-2015]-由蘋果日報的報導-和-由我們的偉大匿名發佈的各種你不知道的....!最後由蘋果日報的蘋論:標題:我們所有的不幸，只有這麼兩個 !(我們最喜歡的)[著名作家-李怡先生!]這篇文章也是代表香港人們的反暴政反貪污腐化的無良''屍歪垃圾政府!!
Update [18 / 08-2015] von Apple Daily berichtet - und - durch unsere große Auswahl von Anonymous Veröffentlichung der man nicht weiß, .... - und schließlich von Apple täglich auf der Apple-Forum: Titel: Alle von uns, leider nur so zwei (unser Favorit) [berühmte Schriftsteller - Herr Li Yi] {李怡先生} Dieser Artikel stellt auch der Hong Kong Volks ,, Anti-Tyrannei Anti-Korruptions-Slave - Dieb Wolf Leung Chun-Ying (aka ' Corpse krumm ", unten) Müll Regierung !!
アップルデイリーによりアップデート[18/08から2015]報告 - と - 私達の様々なあなたの匿名出版の偉大は....知らない - アップルフォーラムで毎日、最終的にAppleが：！タイトル：私たちのすべて、残念ながらを！、だけなので、2つ（私たちのお気に入り）[有名な作家 - 李李] {李怡先生}この記事ではまた、香港の人々年代の表し,,抗専制政治腐敗防止スレーブ - 泥棒狼レオンチョン英（別名 '死体）以下、「曲がったごみ政府!!
Apple က Daily သတင်းစာအားဖြင့် Update ကို [18/08-2015] ဖော်ပြခဲ့သည် - နှင့် - ကျွန်တော်တို့ရဲ့အမျိုးမျိုးအားဖြင့်သင်တို့၏ Anonymous ကထုတ်ဝေ၏ကြီးမြတ် .... ကျမမသိဘူး - Apple ရဲ့ Forum ကိုအပေါ်နေ့စဉ်နှင့်နောက်ဆုံး Apple က: ခေါင်းစဉ်: ငါတို့ရှိသမျှသည်, ကံမကောင်း ! သာဒါကြောင့်နှစ်ဦး (ကျွန်ုပ်တို့၏အကြိုက်ဆုံး) [နာမည်ကျော်စာရေးဆရာ - မစ္စတာ Li ကရီ] {李怡先生} ဤဆောင်းပါးကိုလည်းဟောင်ကောင်ကလူရဲ့ကိုယ်စားပြု ,, Anti-စိုးမိုးမှု Anti-အကျင့်ပျက်ခြစားမှုကျွန် - သူခိုးဝံပုလွေ Leung Chun-Ying က (aka '' အလောင်းကောင်) အောက်တွင် "ကောက်အမှိုက်သရိုက်အစိုးရ !!
**All The World Country lauguage**-
http://melody-free-shaing.blogspot.com/2015/08/update1808-2015by-apple-daily-reported.html
===Melody.Blog===FOLLOW FOLLOW===>/

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

*

沒有留言:

張貼留言

window.___gcfg = {
lang: 'zh-CN',
parsetags: 'onload'
};

訂閱：張貼留言 (Atom)

2015年8月19日 星期三

Hsinchu region to share experiences demining area

新竹地區掃雷心得分享區

[China] how to FIG break even on the Great Wall of Deep Web (graphic explanation board)

[中國] 如何圖破長城連上深網(圖文解說板)

How wall

★ party state why they want to close up? Why should we over the wall?

★ Literacy --GFW is incorrect stuff?

◇ DNS spoofing (DNS contamination)

◇ IP blocking (IP blacklist)

◇ sensitive word filtering (keyword filter)

★ start talking about Google products

◇ Google Reader

◇ Gmail

◇ Google Drive / Google Docs

★ modify the hosts file

◇ How to Set

◇ advantages and disadvantages

★ modify DNS server

★ encryption Web Proxy

★ Agent Software

◇ Agent Works

◇ agent classification

Get ◇ Agents tools

Note ◇ Agents tools

◇ since by the door

◇ no. Border

◇ TOR

◇ I2P

◇ race. Wind

★ VPN Client

Principle ◇ VPN over the wall

◇ VPN Gate

Summary ★ agent tools and VPN software

Cons Pros & VPN ◇ proxy tool of

Cons Pros ◇ VPN's & Agents tools

◇ no absolute strong tool

◇ List

★ phone over the wall

◇ agent software

◇ VPN

◇ mobile browser

★ Other Resources

◇ I's blog

◇ GFW blog

Some information ◇ Wikipedia

★ end

★黨國為啥要封網？ 咱們為啥要翻牆？

★掃盲——ＧＦW 是嘛玩意兒？

◇DNS 欺騙（DNS 污染）

◇IP 封鎖（IP 黑名單）

◇敏感詞過濾（關鍵字過濾）

★先從Google 系列產品說起

◇Google Reader

◇Gmail

◇Google Drive / Google Docs

★修改hosts 文件

◇如何設置

◇優缺點分析

★修改DNS 服務器

★加密Web 代理

★代理軟件

◇代理的工作原理

◇代理的分類

◇代理工具的獲取

◇代理工具的注意事項

◇自.由.門

◇無.界

◇TＯR

◇I2P

◇賽.風

★VPN 客戶端

◇VPN 翻牆的原理

◇VPN Gate

★代理工具和VPN 軟件的總結

◇代理工具的優點& VPN 的缺點

◇VPN 的優點& 代理工具的缺點

◇沒有絕對堅挺的工具

◇一覽表

★手機翻牆

2015年8月19日星期三

★黨國為啥要封網？咱們為啥要翻牆？

【天津大爆炸】綠色和平：同類爆炸中國今年已13宗

【天津大爆炸】天津港負責人繼續「潛水」市委首出席發佈會

【天津大爆炸】毒煙吹港機會幾大？專家製短片解構

逾7成日網民　肯定戰後談話

9.26四學生領袖　月底被起訴
周永康：政治復仇