Analysis Date: 2014-11-19 11:29:34
MD5: 0de2dc76a10d583f2d8c5c1e780a7f39
SHA1: 6254c2496592386deff31705224d0fadf031a20f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 31f7e4942a69134a3238568042999b64 sha1: 58e332f7ade6c9cee244269f5442cec45969d0c1 size: 8192
Section .rdata: md5: 9327197b7a78a619c28e951135d659ef sha1: 60f3dad3a8faad4da30f87704e33aeb0ddcda309 size: 8192
Section .data: md5: 7a2d359f33cebac9ff9ebf2138ab7d23 sha1: b5049f625e265e503f9b881595a678c3e81f546c size: 4096
Section .rsrc: md5: 1bd9f19f7088c7bb60f15f40bc66b5ff sha1: 952504c78bcb834a386c26f013a5e5a891b68200 size: 585728
Timestamp: 2014-01-15 06:40:43
Version:
LegalCopyright: Copyright (C) 2014
InternalName: YOSHIDA
FileVersion: 3, 3, 51, 33528
CompanyName: Microsoft Corporation. All rights reserved.
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Microsoft JUSTSYSTEM JTD FILE
SpecialBuild:
ProductVersion: 3, 3, 51, 33528
FileDescription: Microsoft JUSTSYSTEM JTD FILE
OriginalFilename: YOSHIDA.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: e095d3f450b6fdffeca7a7b72a67fc7ef6785f1d
IMPhash: 849b1c4ae2e50505f79126be7ad8fa53
AV 360 Safe: Backdoor.Generic.905022
AV Ad-Aware: Backdoor.Generic.905022
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Backdoor.Generic.905022
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.HRB.8
AV Emsisoft: Backdoor.Generic.905022
AV Eset (nod32): no_virus
AV Fortinet: W32/PLUGX.TEL!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Backdoor.Generic.905022
AV Grisoft (avg): BackDoor.Generic18.BAQU
AV Ikarus: Backdoor.Win32.Plugx
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic BackDoor!b2n
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Backdoor.Generic.905022
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: BKDR_PLUGX.TEL
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\H646352S\MsMpEng.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\YOSHIDALUCKYSEC.lnk
Creates File: PIPE\wkssvc
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Application Data\H646352S\mpsvc.dll
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Application Data\H646352S\MsMpEng.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\H646352S\MsMpEng.exe

Creates Mutex: DBWinMutex

Network Details:


Strings