Analysis Date: 2014-01-08 03:18:17
MD5: 2bc9bfcc2127b50b703aeb4ac35556c5
SHA1: 9b863f720571fa306d9395d32e1575e149bb4567

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 844d12a7992ca7d5de90f13516e31a46 sha1: 2ee1beb5595b636dfd7d39beaaf0dbfd79bbe7de size: 8192
Section: .rdata md5: c716b23f3ae753cb601d098b9219199a sha1: 45404240e8af3bd8db4a970761d040403e4fe10c size: 4096
Section: .data md5: ea4ea891fc585d6fa12a899c79e0eab7 sha1: f36151ca967a281860490b04c38cb346c4756880 size: 4096
Section: .rsrc md5: 8565b534101c4937c6a357f127c6a7b4 sha1: 89f8f7e0062a03a8599d76a93956b28358f3ff01 size: 561152
Timestamp: 2013-12-16 01:51:07
Version:
LegalCopyright: JustSystem(C) 1992-2015
InternalName: IntelligenttRANS.EXE
FileVersion: 6, 14080, 67, 8796
CompanyName: JustSystem Background Intelligent Transfer
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: JustSystem PAN User Interface
SpecialBuild:
ProductVersion: 6, 14080, 67, 8796
FileDescription: JustSystem Background Intelligent Transfer
OriginalFilename: IntelligenttRANS.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: bf65a532b95dce6e2862a878332220da7ae50a79
AV (avg): Pakes_c.AETG
AV (mcafee): BackDoor-FBOE!885F177DE5B2
AV (msse): Backdoor:Win32/Plugx.A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\IntelligentTransfer.lnk
Creates File: PIPE\wkssvc
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Application Data\6105222911\MsMpEng.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\6105222911\MpSvc.dll
Creates Process: "C:\Documents and Settings\Administrator\Application Data\6105222911\MsMpEng.exe"
Creates Mutex: malware.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ "C:\Documents and Settings\Administrator\Application Data\6105222911\MsMpEng.exe"

Creates Mutex: DBWinMutex

Network Details:


Strings