Analysis Date: 2014-11-07 04:02:08
MD5: 4e2c12df923147889b82ea0d212d3cc3
SHA1: 6ac0d84c7d96ce75f9badb93634d8c4c3fe93f5a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 19cf40ced51311c7864bc66fed7dcc89 sha1: f35157a5c23a62f1fb6b25ef3c8986f2bdf5d3b4 size: 3584
Section .rdata md5: a1128c677f2829be6d3148aa9eb5dd77 sha1: 0bb87919aa4af019c13d1066453d7ded924f206e size: 1024
Section .data md5: e1b40e261dcec67abeaed3440f9cc2c9 sha1: 88c5573b7c53b56c65ac2346c0c8d9be0ce4d994 size: 13312
Section .rsrc md5: 1aff5827dccf170fff69b4c341de7b25 sha1: de02599846d7214726068113c23894966aa17a18 size: 303104
Timestamp: 2010-12-28 17:34:24
Version info (as declared in the file's own version resource):
LegalCopyright: Copyright (c) Microsoft Corporation
ProductVersion: 3.18
FileVersion: 5.45
CompanyName: Microsoft Corporation
PEhash: a4550a251aa4bc7626e71ff729560b65b6a1c33a
IMPhash: 61a8437564140f26f858d3c847342303
AV 360 Safe: Gen:Variant.Kazy.12085
AV Ad-Aware: Gen:Variant.Kazy.12085
AV Alwil (avast): Crypt-KIA [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Chepdu.B.gen!Eldorado
AV Avira (antivir): TR/ATRAPS.Gen
AV BullGuard: Gen:Variant.Kazy.12085
AV CA (E-Trust Ino): Win32/Chepdu.B!generic
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-745209
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.12085
AV Eset (nod32): Win32/Chepdu.AG
AV Fortinet: W32/Chepdu.AJP!tr
AV Frisk (f-prot): W32/Chepdu.B.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.12085
AV Grisoft (avg): Cryptic.CEJ
AV Ikarus: Trojan.Cryptic
AV K7: Backdoor ( 04c4bbe61 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: RDN/Generic.dx!ddh
AV Microsoft Security Essentials: Trojan:Win32/Chepdu.W
AV MicroWorld (escan): Gen:Variant.Kazy.12085
AV Norman: Gen:Variant.Kazy.12085
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\fh94610.dll
Creates File: PIPE\wkssvc

Network Details:



Strings
lautf strsyros IcsaIuaeltgoecpenelhlibsaao ln
 nlis
sntsnS2rhpesu2Aeg
PdplAe
ltclratcos
ltx3o
eE.SGv
 nieleSsee
leFllrdHah/3ht!ww(u e) ec aeeelsdn ec pcns thsehltId tatleoNsbslnpoloo c
ifnahogtaisrsnea eu.flaysla lpmtInaelrls
J
.
.
=
u
us
00
.
00
E-0-0
00-
\
..
.
.
.
XuXs
0 
 
............?- 
-
.
.
.

040904b0
1.47.130.1756
3.18
333f3
4.59.181.1415
5.45
APPID
CompanyName
Copyright (c) Microsoft Corporation
f3fff
FileDescription
FileVersion
        h((((           
       H
                                 H
         (((((                  H
         h((((                  H
href="
http://
https://
InternalName
jjjj
jjjjjj
jjjjjjj
LegalCopyright
libwyd1
Microsoft Corporation
Module
(null)
OriginalFilename
ProductName
ProductVersion
pyright 2008
REGISTRY
StringFileInfo
Translation
TYPELIB
VarFileInfo
VS_VERSION_INFO
xml2w32.dll
XML parser library
``````
```````
``````-
^^^^^^
^^^^^_
~~~~~(
<<<<<<
<<<<<<@
<<<?<<
=====^
>>>>>>
;!;%;);-;
;#<-<]<
::::::
!!!!!!
)*	)'_
]]]]]]
]]]]]%
{{{{{=
{{{{{_
}}}}}}|
@@@@@@
\\\\\\
&0,0=0
0*0/0=0
0$0(0,000<0H0P0X0\0`0d0p0t0x0
0:0@0m0u0
0*010?0D0I0N0`0e0j0o0
0$060A0
0(080D0s0
0"090H0[0f0r0
0?0k0~0
0*0O0^0m0
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
0!131?1Q1V1)2B3O3w3|3
0*151E1Q1]1j1
0.171Y1`1o1
0$1J1c1
0:1P1j1
=%>,>0>4>8><>@>D>H>
0D1J1Z1
=0>E>Z>l>v>~>
)0G0W0h0
;0;G;c;{;
0H0Z0g0
:0;L;V;`;p;x;
(0Q0h0
=$=0=U={=
;0Y0|0
101<1[1~1
1 1,10181<1D1H1
1"11151k1
1"1@1c1
1-1X1e1
1$272=2B2N2V2m2{2
1 2Z2e2q2
1@@7E 
1b2g2^3
1D1M1U1d1s1
1F2M2[2e2~2
<1<g<q<
1#QNAN
1#SNAN
<&<1<=<u<
2$202:2B2M2x2
2 2(2,24282@2D2H2`2t2
2"2,2V2b2h2
2,2;2Y2x2
2'232@2]2i2
2#242>2I2y2
2'2g2{2
2#2g223b3
2 2L2P2`2p2
2(2O2x2
2:2X2`2~2
2%3x3|3
2A2U2\2
=2=?=N=
303<3c3y3
313m3}3
3-333l3
3 3,343D3`3p3
3+363H3S3e3p3
3;3Q3t3
3*434z4
3$4*4G4n5
363O3m3
3C4R4z4
3I4V4e4l4v4~4
:3:X:t:
;!;&;4;
404<4C4P4U4]4f4z4
41575>5D5K5Q5x5~5
4$4,444<4D4L4T4\4d4h4l4p4t4x4|4
4!4<4T4
4#464A4T4}4
4+474<4Q4
4$4d4t4
4'4K4V4d4r4
4&545B5P5}5
4:5P5]5i5t5
4 6$6(6,6064686<6@6D6L6P6\6`6t6
4A7l|H
?#?+?4?F?T?`?
:4:>:M:W:c:m:
:!:4:?:W:c:
50656U6m6
5 505<5
5(515:5E5Q5]5t5
5(545@5K5X5b5y5
5'545?5V5j5~5
5$5<5D5L5X5p5
5)5;5S5
5/5E5X5_5z5
5$5P5w5
5>5R5^5j5
5	6+6_6
5<6G6v6
575D5q5
585X5x5
=+>5>[>g>m>z>
=5><>O>S>
=#>5>U>[>|>
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
6/6A6^6
6*6F6m6
6"6G6c6o6~6
6(6P6`6t6
676<6K6T6a6l6~6
6=7J7W7w7|7
6-7L7a7
686j6}6
<6=E=R=[=a=g=n=u=z=
=,=6=@=H=T=`=k=
;*;6;P;
6P7\7`7l7p7`;
>)>6>R>[>d>l>v>
=6=S=`=l=x=
:6;S;`;v;
6X8]86:"<
7$707|7
7 7'7-7;7A7F7L7Z7f7
7 7(7F7p7
7 787@7H7P7X7`7h7p7x7
7$797Q7l7
7(838p8
7 8>8t8
7	8J8R8Z8c8y8
7c708s8
7H8P8X8`8h8p8x8
:7:J:b:
7Lyu[h=
7R7n7z7
848W8x8
8(80888D8\8h8
8"8&8*8.82868A8
8%8+8;8e8
8 8*8.8V8\8g8w8
8 8N8^8s8|8
898Y8y8
8G9U9c9
.8h?6=
8K9Q9b9
8N8e8q8~8
8Z9d9m9
;8<Z<q<
919T9u9
9*:5:A:N:a:j:
9'939@9S9_9y9
9+979P9p9
9 9+979D9P9k9
999A9G9P92:T:
99:M:^:x:
= =,=9=b=v=
9D9m9+<
<9=H=c=o={=
9K:q:y:
9?:S:j:
<9=X=x=
aaaaaa
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv
A buffer overrun has been detected which has corrupted the program's
aDd5&I
ADVAPI32.dll
AEQNGUQTW
Ae{SC;
AFCVVFNPCBGABBPIUEAQQAHDTTAPAOBCIUTNGXOVBYNMTDVUG
*#ALib
AODTELLEPLBKHONEJFNDECIPCHAYMN
Apartment
ARMYQJPRCVV
A security error of unknown cause has been detected which has
</assembly>    
	<assemblyIdentity processorArchitecture="x86" version="1.0.0.0" name="x" type="win32"/> 
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
August
AUTPRX32.DLL
AUWYTLVUQALNZIDWELYICAXNHQURLOJVESIQGTGQLUMNKGBMBBPFPO
.?AVCAtlException@ATL@@
.?AV_com_error@@
.?AVtype_info@@
A;xKCA]
BBBBB 
BBBBB)
bbbbbb
BBBBBB
BBBBBB^
BBENZHSEYQEGBMEDRCEKMNRDBADSMDUZAJCRVJSTIAFNQWUFDRUBTLCAXJRBBQIGFXGECUNUUKFTINHGXBZULFUQJBMDOUZJEJ
>b>h>l>p>t>
BKDCSTKMEAWDCWVKGFOHOPABZGMRKARBUMXWRZCDHNWNAYKVEFVMHMRAZUGGQTESCCPNLDBZYDK
^<bkN_
;B<L<c<y<
BNACWDQTYP
BOVGNSNUTWAEGDLTTBKVVJSSRHGYUYPZOQTMKLKPWCFGAZYPQYIACVQZREQCTFFEE
B(Phhb
BPTGPFDSMUBBODNQWRDESGPTQLWPNMOOZVNATNMQVUWEYMEURGZPISYFYXOKSTRUAHCDQ
B[$qRC
@B{{}R
BRQQQQ
BTFgGP
Buffer overrun detected!
BUPPMLNGAFS
bx`fDq*
: ;%;C;[;
ccafrC
cccccc
CCCCCC
CCCCCC_
cceEfm
ceKArg#
cember
;C<g<q<
CharNextA
CloseHandle
CLSID\
CoCreateInstance
comctl32.dll
COMCTL32.dll
Component Categories
continue execution and must now be terminated.
CorExitProcess
corrupted the program's internal state.  The program cannot safe
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CPDFATARETDKRYXIERJUB
CPRUVMBZG
Created by MIDL version 6.00.0347 at Tue Mar 26 07:32:32 2008
CreateFileA
CreateMenu
CreateProcessA
CreateThread
CRRHHV
csfq`I	
CUJMYOMBVISTZALUECASINDINDASHQTWNMXXG
@.data
DBKYKSENCWAPCHWYM
dddddd
dddddd>
DDDDDD
DDDDDD(
DDDDDD}
dddd, MMMM dd, yyyy
Delete
DeleteCriticalSection
;(;D;g;q;z;
DGYCFFITICBIJCOFCQCUKIYRAWPGVUFVRCMXNPOOSRJJVJXEYENCXIYKYMHUEGQTJEHZWOLQO
DialogBoxIndirectParamA
DisableThreadLibraryCalls
DJHEUBWQGGBLAKTFSUUDDRPQYZHCMLORMF
DKEBZKBPQGOZUDTTD
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DMDOFW
DNISOKAA
DOMAIN error
DOMPeekWd
DRQMJXSXQPJNBMGZLRXCQYAZ
DWWWWW
DYHkzY
DZIYDJCPJLLPVXFYHWSICZMTQGBCBARRDDTMWSXKIGQBTHVKYFUYKCPMCNG
e0VFOTdEREExLUJGODUtMzk1QS05MTg1LTJFOERGRjMxRURERH0=
EAZAQJSTJMIDFIJBENOQPBWGSAMYYUGOKGBEMKLAXPTTMBVKNUE
ECGAFEDMVBYBSEAPOQNQ
EDY{0U
EECnCI
EEEEE!
EEEEEE
EEEEEE(
EFkj@|
<,=E=g=
EKKWOIHLJBJEZ
e\MZ[b
EndDialog
ENTBGQCLYGRKJDXQTLHGORETQHEFSYLOX
EnterCriticalSection
EPMSULAE
EP-PkO
ESMEBDWLFJQOSYTVSVGRTMMTDNSSFNHFHJUGSOYDDUNSWBYKBATMAKTACNKOFHJIIU
E SSSS
e unknown>
EWDOCBIOFNVNQVVHBOSBUUBBJAKWVODSBUJSLBDBVEOTYACQBARFDHSXMPFSTOHLNTYQOWBLGHFLESIYUEPG
ExitProcess
F,98uX
FCOQSGRDGGDCVPGHJIUOSLGOSFDMCJFLMFTDJEBTASZZSGLBRYOZOTJEXEQMSITZM
February
FFFFFF
(fH75V(
fh94610.dll
FileType
FindResourceA
FJUZUFXPHBYX
FKFSOJVOFKELGZIQGQJEHYFLZXJ
FLHXGYZILSLUYKFOQXLGWYDTAANMOPRNBDLGJAUUGVDZPCCMMDPESNUXAL
- floating point not loaded
FlushFileBuffers
F|ME08
FNJJ=H
ForceRemove
FQSYESESCHZJKKJYRINFEBKZJSOTKWDLIVIPEAPO
;F(r(8_
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeResource
Friday
FUKAHPIPPLZAEGMWYVIWOLNRMOSRPJGLYHFQEKNXGXRHNYMITKITDCPZFLXCMGBMHN
FUOSPJNCWXETKQEYNFBRZDZPGQCPAZZAJJSMQUTEYTYEOWDPOICHCDXBLHAMXRSBLRBPVAVWNWNEBVOHTF
FUQCZXMABZNBOTQHSOKFDJIBUTQUKSQBAYJLIUERNUEHHEPFXKBNOXLIPXLZZKBTCVMPRRKZUUHN
@G0E3h
GAIsProcessorFeaturePresent
GB^^E#
g{CBDO-
GDVNQKFUV
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDlgItem
GetDoubleClickTime
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileTime
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetMUILanguage
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStrin
GetStringTypeA
GetSystemInfo
GetSystemMetrics
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
GetUserObjectInformationA
GetVersion
GetVersionExA
GetVolumeInformationA
ggggg~
GGGGGG
gh80z]B
GJNBPFXKRUKPGIRQBZMCFAITNELRKXZXXCIAFJXWAFIDBSEGNXYNEBGSPT
GlobalAlloc
GlobalFree
GMYHFZOHCMAUQZDJGQHMOZEMKQBWALEJTFMAULDBGGNWZESEQXBUZMDCZHXYBGTPTKMOORFGUJYEUSCGNMZFPLLBGTKTHXVQQEAXPT
:":~:g;n;
GNVPLSTAHAGUWLQKBIOULVHNEKIDFDOEBACDYUQYZJTPFQRTLOKMUFNKGEVEAMQIIFTCKAVSDXJLGDPAKRBXKMCQEOEQKCRS
=-=G=S=e=s=
>%>G>t>
gTypeW
GWDOGLIVGMOCFGVCLHPQHJRGBXQRUOHHILBJGGZVDREBVQS
GXMFEITFNWXZACFDMDVRPZONWXPHIXJKDQRIDNRTIFNHGMDQY
`h````
H2X2\2d2
Hardware
HDLUCYRBSVWLEVBRNRIEOW
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
hf2qi9
hf@{h^`
HGAWPRVTUWF
hhhhh`
HHHHH*
hhhhhh
HHHHHH
HH:mm:ss
HHtjHHtF
HHtZHHtV
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_DYN_DATA
HKEY_LOCAL_MACHINE
HKEY_PERFORMANCE_DATA
HKEY_USERS
:(;H;n;
HSLSHUWXUWFYOJWBLME
HUFUEYAFGRKAFYURFWJUHOBOJCBHLJDTFXX
;.<;<H<U<`<m<
h^X0C;
IBYOPPZGLO
IBZWUQNDMCAPAQLXUDD
ICXJTXHQRQIABIJEVDYCEXFSJUJRZFUPYQBLNDAUVHMCGTTOHEJSZXCHNIAUILWMGZXMYAEX
IDASJAQHFOSMHHFUXJQMRZWPCDFJLJZZ
idDzh8
<>=I=d=k=p=t=x=
IDOMPeek
IFYEICIRSVTN
IGRHKNGUMYYEFHMCJUFPBABSTIRATRDFIUFIZAKYTKJDNQRCCFUEPQQBLSNYOBZOIXOIOVILMELLGHQCXQDPSOGK
ihIvn@
IICVELYQAFLGCTYHMNJXTENAPAQJMQEFAZ
iiiii@
iiiiii
IIIIII{
iiiiiQ
IJKLZBDBNJJCGVSBKDTCPTNHNCSBJNLMUZMEPEEACIXLXWJKIEMHYKVTFTHDICZRRJKFKQEYVIVKQFLPPDEILQZTZSBNVSLHYSWN
\Implemented Categories
InitCommonControls
InitCommonControlsEx
initialization
InitializeCritical
InitializeCriticalSectionAndSpinCount
InprocServer32
Interface
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
internal state.  The program cannot safely continue execution and must
IOoOX_
IOPGRA
iPPVxH
IPZMMSPTXXAGKYWJPLNSKCZHGJXTHJDGZLXLXLZDPHAMOUU
= >I>r>
iSaSGG
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
IsDBCSLeadByte
IVMNXJOIVNEVJYJLVLSBGJPSXVLGNEQRTFWMVLMAAWHFDUNQUOAGAOEWPXJJSACDJQZQLWZILGDDTQANVDKODJ
IVZWEBMHLHSONPBDYUMYWOJBGVZGFXKMPODHLGENEGUCFNAXRUUHMNQZTPQUKXOBMJFOFXNRMCNLLMFAIGLHTLS
}@IXma
iY^KOO
IZOFWZZPYOPNKFWDDWADZCMSNTRNYPAEYAJOUMQAYZIYGQYBVHWCXZBNJWKMIYAVBEHVDRIGYGVZGXTQLEQCFFSLFNXUTDRVGXV
JanFebMarAprMayJunJulAugSepOctNovDec
January
JCCCCC
JCVGDEXLJXRZXTOTYLGWDNVYWTFAQAOLRQUTDZNGUKKENAHYSIAPXBMCGUCFAAXRZYGUYPERWCGQJEZQUSFNM
j@h<V@
JIRTPICF
JIXZIPZWKJDBFZALKZTSEUFBCFBTWOJXRITWYVUBRDY
JJJJJ#
JJJJJJ
>.?J?m?
JMGKVSAXMRHJXTTCQHQGAZTIHVIHXUSDVXQJBCKXHRZDNKGCVRXNNTAJSPLNNXOGDJLWVPQOECWSECCEGLNBOMVUEWTLWOD
JMNSSQXT
_J+MVO
JNNnL`
@@`Jv%
JXFBOZYEM
JXVVYJQOAGWWESOGCHICGNNQPWRPKWTREHVSCGKMZZ
JXYMAQVKGDVNQAIPIWDRYXSGINEOLTYHQFDHSZGSETNBWFIGEOZZRQOUTXWZHIGO
{+ k}$
k^D]X]
KERNEL32
kernel32.dll
KERNEL32.dll
KillTimer
KILTVXAIZXHQXQOQTXCREIYCNKBDYASPHBETMEXZYYYZTGEJEXDOIXCELRRWNYOSBIQXKRQMMULVIAWZQSECDINIKXVKWPFHI
kkkkk$
KKKKK!
KKKKKK
KKKKKK?
KKRPLJCOHI
:':.:K:T:Z:j:o:y:
LAYASBUOUOOLELLDXPEZXTLGUPATADVFINTWLIJDSLYQXYHBXFVRBX
>L?b?o?u?z?
lbWWQ|
LCMapStringA
LCMapStringW
LeaveCriticalSection
LIBWWW
llllll
llllll_
L'm}v&
&LnLL]
LoadLibraryA
LoadLibraryExA
LoadResource
LoadStringA
LocalFree
LocalServer32
LockResource
LOYQVJ
?(?@?L?P?T?X?\?
L/sNLZ
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcpyA
lstrcpynA
lstrcpyW
lstrlenA
lstrlenW
lTGGIn:
LUWIXNSSJSXYYDOXAVRWJEWGXWQZJWWCFYULORRPWYFGZSIZXSZXQKCUUSTAUHAXAMULVAEUXLCXVEMNFPSOKRKSCTUXU
LVJOZKDLOJIEJRWLXOYZKYSPVEHOIOHXAUEGTLBFBQMK
;?<l<x<
lxlhhh
?!?.?L?y?~?
M` ]a]B
MDEETBF
MessageBoxA
MEXRLHHHAHYOBKMWKPWRFUWCDGZF
MGLFRGB
MHMMME	
MHMOSOZYVMJDYTBAYGMVBAAXZANIIERYSIRTAVKZLTUNKASGNINPMRDFNBRRZRCVAMRQMJXKCJFWQBXIHSUF
Microsoft Visual C++ Runtime Library
MKYSKKTZSAMBCTQQIRH
Ml0{ch_
MM/dd/yy
mmmmm(
MMMMMM
Module32First
Monday
MOVCPMTJAEFNTD
mscoree.dll
msctls_progress32
MS Sans Serif
MTZNFVUGH
MultiByteToWideChar
MVQSBWPQJVTP
MXJTIRRA
MybT:v
NBHPKPVDBRMRP
NEAYHQNNWCMYHFXBJKOYQVJALGDTYTOKDICXRX
NEOKLGUNFYHBCFYSHWYLZTNSWDXIKGTRUESXBXFXHWAJBTERIRIKZUCWHIAZYF
nhttp://
nIb{A?
NMJAAGNLORIXIPTOIJCDQUYVJBDWCXXBTFZOADJPBHNJAPHAERRSRFPEKZYCRQ
NNNNN,
NNNNNN
NoRemove
- not enough space for 
- not enough space for arguments
- not enough space for environment
- not enough space for lowio 
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
November
now be terminated.
NPCQRSZPQNXPAPJZNHRCWGLOELCH
NrKZKL
nS]Trx=
(null)
NWpl``
>$?@?N?X?e?o?|?
oBCGY<
OBNPUGG
~o>Ca&
October
OE<UEF
OFNZTODZKDVAQHSZVSXOKXCWJZBHGPPAWFDJBJUVKVJVGCLITRFGJBHPMBGTAMJKOMNPCHVTU
OFQIFSHFKLJFXUHIQHUAQFMSEYEILEJDWH
OHARWBWINGHIKYPWQQJNKUHKVOTBIXHNLWZCXVTYRDMEWFGXYAPHRKRDUMSCTRELHLQNCWIVFGZDXAELW
oIIxKM
OJUYDXLXLQEWLXFIGSJAJRLZDHBUJZFTNJBBCUBLUIJWPIZNDYUKLFUISRCKAUFBMBEDZOUKWEIZWSZT
OLCJGKYAVSOCUFDTQWFKW
ole32.dll
OLEAUT32.dll
oLLLLL
OM7zB< 
OMAZTBHCHCBSCZVJGOXIJAQCJTZSVQHBZQWOWDTRCAEZLAZWBCGLVFIKCDMSGTFYIIKBUKVYMWCLHLDQBUPZQOVI
ONMRZXAMALKFPNBGLGOQZFRRSMSHZYSPOIUJLOJRUDEQHAUBMBITGS
OOM6L?^
>OOoMa
ooooo_
OOOOOO
OOOOOO$
O\&]Ox
OPVDDGUZN
^oz~~;
ozR1ML
PathFindExtensionA
PBEIPTUGULOOZSIKWVASAPWJKHYHYMHZXIYWCOGZIDAGUOTFSUOGAJTSBQKCGOYOFPMIJHOXYAZNYERF
PBGMNTJXCTKHDIBDUFZZQZZRNHHFMMZSWAVGWINPORSJNMVNKPMZKGAYAUTGWJPPAPDNIWUBWTIE
PCOYVADSZXMBWLZWDNBCPGAS
PCPEQVXZIBRWJIDEYXTFAIOKHOEYVPSKXHWSTGYFZLHCY
pcU*[[
|PDeL\*
PEnTdL
PFSSEAGLUHICLIKQDLFOMQ
PILKSFNMLURSJEBC
\P*L\ 
Please contact the application's support team for more information.
PostQuitMessage
PPPPPP
PPPPPPPP
ppxxxx
PQRFNWUZTAWYEWPIBDHRYAYAGGWNMFEDCNBKQWHVONDRSEAIZAWIQUUNJVGWGJHGTRHZYKOWYLZJDGRXXGJUDVKBVATH
Process32Next
ProgID
Program: 
<program nam
pR~WfR'
PT63Y[
ptf__Y
- pure virtual function call
PVDGASCHKGKL
\*p{X.l
PXL*K`
PZUWJPO
=}^}=Q
>:>Q>[?
qc_V1^
qlvKe~
QNWLVQBAQ
QQQQQ<
QQQQQQ
QQQQQQ.
QQSVW3
QQSVWd
~_QrS]
qTaWQ/
QueryPerformanceCounter
qWWql$
>'>=?R?
RaiseException
RAVWINZ
	RBvn`
RBXIRGCNWEBHHCXDNNABMMCGOSMNFFTDYJEKIE
`.rdata
RDGWHTQVNQQTANQYSXAWHAPUIKPWGLHWOGXVDRXEFQXMMYVGNALKFOOLQTHRCKTB
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
@.reloc
       				<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> 
  			<requestedPrivileges> 
			</requestedPrivileges>
\Required Categories
RHPSRE
RKPCHMSSXPTIOSMBVUPANDJSOLGEQZYXIYWSFPIBDENSLGIWVZJJEWJZYXTJEIZJYWNZDD
RLQNNZCWDFDLAVDAHUWRKCDKXIFRWIBHJVEYKPU
rMj\M\
RMJZJEBOYXKPSC
RMNCCYLFQLAEPRPNKUBMBQWQVEJZVKVUFOXGJETWZFXWQAZEQTGSKMYAOSXSXZCSLQHGMVBNCWBI
RRRRRR
RRr_Z$
RSNEJHAATSB
\RtD\z
RtlUnwind
runtime error 
Runtime Error!
RWTDKTG
S2q+`@n
Saturday
ScmHo`
ScUUUU
Section
           		</security>
		<security> 
SECURITY
SendMessageA
September
SetCaretBlinkTime
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetStdHandle
SetTimer
SetUnhandledExceptionFilter
&SfS|\
SHELL32.dll
ShellExecuteA
SHGetSpecialFolderPathA
shlwapi.dll
SHLWAPI.dll
SING error
SizeofResource
SkGYxQ
Software
sP[QZ|
SQXAOVCJTVULBALPSLOVMIUSCLSXLPGGOFJVCVZGOZOWTITLFABTEODF
=sRv7QW
stdole2.tlbWWW
StringFromCLSID
StringFromGUID2
StrStrA
Sunday
SunMonTueWedThuFriSat
;S=v={=
SVWj ^
SXFKDHNUVTGCFPFXJGACMPYQPFOCOMMOTVLNJKTPJGCGIQRIQZDVHRMVZZYJDMZDODJBBAGHAPLJEVXCQ
sXS;7|D;w
SYSTEM
sYY.Yk
T18FW;
t1x1|1
t2WWVPVSW
TAEIPZXUAWBXVWEQTLZLZIJVNCSUAHWNCFUPNRLGQSODDSXAMOGLRRCFQJCDYLZWTIWWERSQXBFMULYQXSHOIPINEAMANXTNJVHSDLO
TCUHWKANVQELLLYOOANNMWRWFVLIMXZWKPYGLPYRNOYHJAAQMPSLXIFWLFNSHIAQNVNWBSALXTMRGYEOACXZQPMKQTCCUP
tD3=n<
^Td{nK
TerminateProcess
TerminateThread
+t"HHt
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
thread data
ThreadingModel
Thursday
TKQ.DLL
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TMDKSYFC
TOXDRKTBWDEE
	</trustInfo>
   	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t!SS9]
t#SSUP
tTimer
t.;t$$t(
TTTTTT
Tuesday
t$$VSS
TWFKQBTDCWWDSIJNZ
TypeLib
u5SSWh
UGPBHBAEGYJBMMQEZWZXBRQNTYCQZJPCBLLGCYXWSIUIRLAHAUKVEVDANWASAXSBLIOZRXEKRIOROTYIMSXBOVJQTXOAYMSYXLTGL
ULTGBSMYOMJVRTHL
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown security failure detected!
UPTFTIM
URIIGSFUDWOJBRFUKLKWXXIZKFRYKYBFYFVFZZFLYDDURNK
URYLXZTRIEB
user32.dll
USER32.dll
UTNADYLAHQHWNFKIZVRUWUHGXKLEWVIIVQRTUDVWKCBKFLTUQJNKDQDJJUXJWNAMXFTZKFDSYWHFRAAJEQIZYHD
UTTHVUAYIPJCQAATTAILDXCEORATLXELVHPITKPGFJZVNYHGSZMSWRMQZYRXSVJPKNIMQIVLOZVM
-uuCCK
UUUUUU
UVKHMMPMIA
UVXRDYKLLOMU
UWUUWP
UZVWYFCZYUSBSQSAXHSCFKKMW
=V=\=}=
VC20XC00U
VersionIndependentProgID
VFEXSR
VGPEKHSRYT
VHAQOWWIW
VHIVSUNPYY
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
VKJYTX
v	N+D$
VQQQ^!
VQSVEIMQCUGKUOBQZGQCMQBCEAKENWBB
[[VSr>
VUSSRVU
VVVVV|
VWumhL
}}{VYq
WaitForSingleObject
W`Dd[}:
Wednesday
WETBKBMLFJM
WGGOITDXANLCYJ
WideCharToMultiByte
WLABYOIMXKTHLIXZRSZUPMXF
WriteFile
wsprintfA
wsprintfW
WUJRPXCLWBKASBZDJOGNJTKJDHOJFIUPHHYSEVBANYZJINUYPMXQKMMBX
WWWWVSW
WWWWWW
wxyz0123456789+/====
=	>,>X>~>
:X:a:g:
XASsa[ 
XCKERMEKABGSGDUJOVZYTLPWSLIEC
xd;=dB
xDPSS!
XIWDNLFLZKDFQGOYVYEECJXIHXUNNTW
xl@c#L
XLJEWPNOHQQNMWEHNPDUBTVSDFZXSSZPARQTSFIQVVRDRMGHQQPYZSOBOQXJKBGWTVFHRZ
X\^LL[
XLWNOQVMIQFIYFTWLOZRMQDKEUJGHDYDZMIMUWBNQZDDFURTEVZKFYHWCNP
<?xml version="1.0" encoding="UTF-8" ?> 
XNECNHWZCPQACWWXBXWFISRRKNDQOEDMIPOHQZPOWERMDGEUTBTVHSKUWZTT
XRBZJEZXYCVYAYBWVCBNYCPWTPTQUOHIFWFEUMHASDZXJCUSQLKXOISEB
XRHQOCIUMPCSUPDWLFDQVWTLEEMDWBLBJAGVQFECNHANKSUQCOW
xSl}q*
xt,/Cw
X\THKv
x,{vxS
XWTQCVXHWNLSASYRDMSVCNKCOFASVSTDNMFONLHTCJJMVALZWJDIHEVCFXZOAZ
XXXXXX
XXXXXX_
>#?)?:?X?z?
YCQWAMHULJIHYSTJSXZWEDPMIGRJIQJWFFPVJQSAIHFZFJ
<;<Y<`<d<h<l<p<t<x<|<
YIFXZX
YIUOGCIAXTBKI
Y~kooO
YKTUFGFJPCNGHSTGAJTXEEAHWTUZKKYIFPHTANROAYNFOSLCTXFLXSRPLOKNPYEZKAJCWHDJL
y`LKKM
YLTEXBIFIGCLXMXOBTBBMCEZUSHPXCYKJQQNLIWDUIUMMZMCUTLLCRCVESKFKSDUKESVJJKNJDCNJGKJCXMC
YMAUOTTBKFERIBRQ
YMFUCDVMITIEJUTUACGDVGHJFOWWXGXKLJSJSVSTW
YN9668
YNDORGWLNLZJVCSINLQICIQBAYKRDQEBFPLHXDGWISVPXFNNBASPWAEHLJUGEOGKUSONU
YUAPTGPLS
Yv}N[_
_^][YY
YY_raW
YYYYYY
ZFEMFU
ZFXYHYVYNVCJKFAFWMYXOVUOVJXFHKRBNVTWHEWHJQMVILKGZAFAGBQBELEBGHWGLVVYBQZNELFENRKI
ZJZKCZWPZDZLLTZCOMJSDCZVXLAZJYZMXEMKQSLXENMMGGWXLOZHFTUJ
ZKTXGSCTCU
ZLCAMOWMQLRZM
ZPAHLKXBZBFEBSDMZRJFUXLHJTZSIHYLTQKBDMYPZLYHXYFBBTUTRXHAJJFTJHXXTMTPH
ZPNYOZOKPOGDMWBXAGPFIGUOSGTDVOYTYWOHJVSKVVANZOMIRXDHJDRZZPNSCYCEIHQAQGACLDQ
ZPQYGKKEOVILRLGAAVXXQFKJEIQXXZ
ZQDAWNJ
ZQQPMZKPNTFVEVLOBXULHGJHBGZBGYTLOMSBY
ZSFMYOMTLVYOSEWBJHTIIIHXQISJGISGBXNMFUHQAEPJETZDKVLPFZRISYEDTJANHJA
ZvbCjz
ZVSYROFNOISRYNIOSYPNQTNIHWUIVNXWIYKZMY
z~\\Zz
ZZZZZ"
zzzzzz
ZZZZZZ