Tags: None

Analysis

Category Started Completed Duration
FILE 2013-12-12 09:13:00 2013-12-12 09:13:29 29 seconds

File Details

File Name Zkauhxfbmpubhr.exe
File Size 760832 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2a1609ef72f07abc97092cb456998e43
SHA1 5c3b36d335ebee8c5aa1c00080fad0e029481918
SHA256 038d31670f03d386e6f3affe331bf76cb894d695b0f9012d828db9413c223a07
SHA512 a46c4272188dfd8fc976a2afbab8c4050b88ee33742866a71a984afd7bab04f56c8c756e5efcd95a0b7c4d03e7f2575f2cc2a8e70c7e99d783c6e6ee20442522
CRC32 F85E9853
Ssdeep 12288:KVFrN8zAxOt3lkOiBapbT2Nk4nh8w7Zqx6h8KKB4ZO:KVFRVxD6cpW2d8PaO
Yara
  • shellcode - Matched shellcode byte patterns

Signatures

Starts servers listening on 0.0.0.0:0
File has been identified by at least one AntiVirus on VirusTotal as malicious
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Screenshots


Hosts

IP
188.65.211.137

Domains

Domain IP
ypxnqheckgjkbu.org 188.65.211.137

Summary

Files

PIPE\lsarpc
C:\DOCUME~1\User\LOCALS~1\Temp\UZQDCDE.tmp
C:\WINDOWS\system32\msctfime.ime
C:\DOCUME~1\User\LOCALS~1\Temp\UZQDCDE.tmp.Config
C:\WINDOWS\system32\rsaenh.dll
C:\Documents and Settings\User\Local Settings\Application Data\Mrrmkokislmfndtxl.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GQH9F2B.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\GQH9F2B.tmp.Config
C:\DOCUME~1\User\LOCALS~1\Temp\Zkauhxfbmpubhr.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files
C:\Documents and Settings\User\Local Settings\History
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\
C:\
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\User\Cookies\
C:\Documents and Settings\User\Cookies\index.dat
C:\Documents and Settings\User\Local Settings\History\History.IE5\
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat
c:\autoexec.bat
C:\Documents and Settings
C:\Documents and Settings\User\Local Settings
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\WINDOWS\system32\Ras\*.pbk
C:\Documents and Settings\User\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\UXAF8DAF\home[1]
C:\Documents and Settings\User\Desktop\Uktaakzsxhnfrbr.bmp
C:\DOCUME~1\User\LOCALS~1\Temp\MKPBF1E.bat
C:\DOCUME~1\User\LOCALS~1\Temp\NFC8ACA.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\NFC8ACA.tmp.Config
C:\Documents and Settings\User
C:\Documents and Settings\User\Local Settings\Application Data
C:\DOCUME~1
C:\DOCUME~1\User
C:\DOCUME~1\User\LOCALS~1
C:\DOCUME~1\User\LOCALS~1\Temp
C:\Documents and Settings\User\Local Settings\Application Data\attrib.*
C:\Documents and Settings\User\Local Settings\Application Data\attrib
C:\Python27\attrib.*
C:\Python27\attrib
C:\PHP\attrib.*
C:\PHP\attrib
C:\WINDOWS\system32\attrib.*
C:\WINDOWS\system32\attrib.COM
C:\WINDOWS\system32\attrib.EXE
nul

Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\CryptoLocker_0388
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens\Special Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840387
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840386
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\FEATURE_CHUNK_TIMEOUT_KB914453
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path4\FEATURE_CERT_TRUST_VERIFIED_KB936882
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_ENSURE_FQDN_FOR_NEGOTIATE_KB899417
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_HTTP_DISABLE_NTLM_PREAUTH_IF_ABORTED_KB902409
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_WPAD_STORE_URL_AS_FQDN_KB903926
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_KEEP_CACHE_INDEX_OPEN_KB899342
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_WAIT_TIME_THREAD_TERMINATE_KB886801
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Path3\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASAPI32
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/octet-stream
HKEY_CURRENT_USER\Software\Classes\Vinwnoorzahhv
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Mutexes

CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
Global\Pbgxjzonhmypdtp
Local\Hdddcehphjapdl
Local\Qpmoeztuepgplnvp
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex

Version Infos

LegalCopyright © 2008-2013, Clearleap Software Corp.
InternalName Slowprepare
FileVersion 6.1.832.115
CompanyName Clearleap Software Corp.
LegalTrademarks Slowprepare®
Comments http://www.headpa.net
ProductName Slowprepare
ProductVersion 6.1.832.115
FileDescription Slowprepare
Translation 0x0000 0x04b0

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00036519 0x00036600 6.92128604651
.rdata 0x00038000 0x0001500c 0x00015200 5.68539875827
.data 0x0004e000 0x000122b8 0x00004400 5.05667592918
.rsrc 0x00061000 0x00064d80 0x00064e00 5.93711313639
.reloc 0x000c6000 0x00004d0a 0x00004e00 3.23527910847

Imports

Library KERNEL32.dll:
0x438090 GetStartupInfoW
0x438094 RaiseException
0x438098 RtlUnwind
0x43809c HeapReAlloc
0x4380a0 HeapSize
0x4380a4 ExitProcess
0x4380a8 TerminateProcess
0x4380b4 IsDebuggerPresent
0x4380b8 GetStdHandle
0x4380bc GetModuleFileNameA
0x4380d0 GetCommandLineA
0x4380d4 GetCommandLineW
0x4380d8 SetHandleCount
0x4380dc GetFileType
0x4380e0 GetStartupInfoA
0x4380e4 HeapDestroy
0x4380e8 HeapCreate
0x4380ec VirtualFree
0x4380f4 GetTickCount
0x4380f8 GetProcessHeap
0x4380fc VirtualAlloc
0x438100 Sleep
0x438104 GetCPInfo
0x438108 GetACP
0x43810c GetOEMCP
0x438110 IsValidCodePage
0x438114 GetConsoleCP
0x438118 GetConsoleMode
0x43811c GetLocaleInfoA
0x438120 GetStringTypeA
0x438124 GetStringTypeW
0x438128 LCMapStringA
0x43812c LCMapStringW
0x438130 SetStdHandle
0x438134 WriteConsoleA
0x438138 GetConsoleOutputCP
0x43813c WriteConsoleW
0x438140 CreateFileA
0x438144 HeapAlloc
0x438148 HeapFree
0x43814c GetCurrentProcess
0x438150 FlushFileBuffers
0x438154 SetFilePointer
0x438158 WriteFile
0x43815c InterlockedExchange
0x438160 GetModuleHandleA
0x438164 GlobalFlags
0x438168 GetThreadLocale
0x43816c GlobalAddAtomW
0x438170 GlobalFindAtomW
0x438174 GlobalDeleteAtom
0x438178 LoadLibraryW
0x43817c LoadLibraryA
0x438180 lstrcmpW
0x438184 GetVersionExA
0x438188 GetVersion
0x438190 MultiByteToWideChar
0x438194 GetCurrentThreadId
0x438198 FormatMessageW
0x43819c FreeLibrary
0x4381a4 GetModuleHandleW
0x4381a8 GetProcAddress
0x4381ac TlsFree
0x4381b0 GlobalFree
0x4381b8 LocalReAlloc
0x4381bc TlsSetValue
0x4381c0 TlsAlloc
0x4381c8 GlobalAlloc
0x4381cc GlobalHandle
0x4381d0 GlobalUnlock
0x4381d4 GlobalReAlloc
0x4381d8 GlobalLock
0x4381e0 TlsGetValue
0x4381e8 LocalFree
0x4381ec LocalAlloc
0x4381f0 lstrlenW
0x4381f4 WideCharToMultiByte
0x4381f8 GetCurrentProcessId
0x4381fc GetModuleFileNameW
0x438200 FindResourceW
0x438204 LoadResource
0x438208 LockResource
0x43820c SizeofResource
0x438210 GetLastError
0x438214 SetLastError
0x438218 CloseHandle
0x43821c OpenMutexW
0x438220 PrepareTape
0x438228 VirtualProtectEx
Library USER32.dll:
0x438274 GrayStringW
0x438278 DrawTextExW
0x43827c DrawTextW
0x438280 TabbedTextOutW
0x438284 DestroyMenu
0x438288 ClientToScreen
0x43828c SetWindowTextW
0x438294 LoadIconW
0x438298 WinHelpW
0x43829c GetCapture
0x4382a0 GetClassLongW
0x4382a4 GetClassNameW
0x4382a8 SetPropW
0x4382ac GetPropW
0x4382b0 RemovePropW
0x4382b4 IsWindow
0x4382b8 GetWindowTextW
0x4382bc GetForegroundWindow
0x4382c0 GetDlgItem
0x4382c4 GetTopWindow
0x4382c8 DestroyWindow
0x4382cc GetMessageTime
0x4382d0 GetMessagePos
0x4382d4 MapWindowPoints
0x4382d8 GetClientRect
0x4382dc GetMenu
0x4382e0 PostMessageW
0x4382e4 CreateWindowExW
0x4382e8 GetClassInfoExW
0x4382ec GetClassInfoW
0x4382f0 RegisterClassW
0x4382f4 AdjustWindowRectEx
0x4382f8 CopyRect
0x4382fc PtInRect
0x438300 GetDlgCtrlID
0x438304 DefWindowProcW
0x438308 PostQuitMessage
0x43830c CallWindowProcW
0x438310 SetWindowLongW
0x438314 SetWindowPos
0x43831c IsIconic
0x438320 GetWindowPlacement
0x438324 GetWindowRect
0x438328 GetWindow
0x43832c SetMenuItemBitmaps
0x438334 LoadBitmapW
0x438338 GetFocus
0x43833c ModifyMenuW
0x438340 EnableMenuItem
0x438344 CheckMenuItem
0x438348 LoadCursorW
0x43834c GetSystemMetrics
0x438350 GetDC
0x438354 ReleaseDC
0x438358 GetSysColor
0x43835c GetSysColorBrush
0x438360 SetWindowsHookExW
0x438364 CallNextHookEx
0x438368 DispatchMessageW
0x43836c GetKeyState
0x438370 PeekMessageW
0x438374 ValidateRect
0x438378 GetMenuState
0x43837c GetMenuItemID
0x438380 GetMenuItemCount
0x438384 GetSubMenu
0x438388 UnhookWindowsHookEx
0x438390 SendMessageW
0x438394 GetParent
0x438398 GetWindowLongW
0x43839c GetLastActivePopup
0x4383a0 IsWindowEnabled
0x4383a4 EnableWindow
0x4383a8 MessageBoxW
0x4383ac SetForegroundWindow
0x4383b0 UnregisterClassA
Library GDI32.dll:
0x438030 RectVisible
0x438034 PtVisible
0x438038 GetStockObject
0x43803c DeleteDC
0x438040 ScaleWindowExtEx
0x438044 SetWindowExtEx
0x438048 ScaleViewportExtEx
0x43804c SetViewportExtEx
0x438050 OffsetViewportOrgEx
0x438054 SetViewportOrgEx
0x438058 SelectObject
0x43805c Escape
0x438060 SetMapMode
0x438064 RestoreDC
0x438068 SaveDC
0x43806c ExtTextOutW
0x438070 GetDeviceCaps
0x438074 CreateBitmap
0x438078 GetClipBox
0x43807c SetTextColor
0x438080 SetBkColor
0x438084 DeleteObject
0x438088 TextOutW
Library WINSPOOL.DRV:
0x4383b8 ClosePrinter
0x4383bc DocumentPropertiesW
0x4383c0 OpenPrinterW
Library OLEAUT32.dll:
0x43823c None
0x438240 None
0x438244 None
0x438248 None
0x43824c None
0x438250 None
0x438254 None
0x438258 None
0x43825c None
Library Secur32.dll:
0x43826c FreeContextBuffer
Library OLEACC.dll:
0x438230 LresultFromObject

Strings

!This program cannot be run in DOS mode.
CInvalidArgException
CNotSupportedException
CMemoryException
CException
CObject
COleException
CMapPtrToPtr
Exception thrown in destructor
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
CCmdTarget
GetMonitorInfoA
GetMonitorInfoW
EnumDisplayDevicesW
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
DISPLAY
InitCommonControls
InitCommonControlsEx
HtmlHelpW
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
CArchiveException
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
CGdiObject
CUserException
CResourceException
CByteArray
bad allocation
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
.mixcrt
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
GAIsProcessorFeaturePresent
KERNEL32
InitializeCriticalSectionAndSpinCount
kernel32.dll
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Unknown exception
(null)
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#SNAN
CONOUT$
VirtualProtectEx
PrepareTape
OpenMutexW
CloseHandle
SetLastError
GetLastError
SizeofResource
LockResource
LoadResource
FindResourceW
GetModuleFileNameW
GetCurrentProcessId
WideCharToMultiByte
lstrlenW
LocalAlloc
LocalFree
LeaveCriticalSection
TlsGetValue
EnterCriticalSection
GlobalLock
GlobalReAlloc
GlobalUnlock
GlobalHandle
GlobalAlloc
InitializeCriticalSection
TlsAlloc
TlsSetValue
LocalReAlloc
DeleteCriticalSection
GlobalFree
TlsFree
GetProcAddress
GetModuleHandleW
InterlockedDecrement
FreeLibrary
FormatMessageW
GetCurrentThreadId
MultiByteToWideChar
InterlockedIncrement
GetVersion
GetVersionExA
lstrcmpW
LoadLibraryA
LoadLibraryW
GlobalDeleteAtom
GlobalFindAtomW
GlobalAddAtomW
GetThreadLocale
GlobalFlags
GetModuleHandleA
InterlockedExchange
WriteFile
SetFilePointer
FlushFileBuffers
GetCurrentProcess
HeapFree
HeapAlloc
GetProcessHeap
GetStartupInfoW
RaiseException
RtlUnwind
HeapReAlloc
HeapSize
ExitProcess
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
VirtualAlloc
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetConsoleCP
GetConsoleMode
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
KERNEL32.dll
MessageBoxW
EnableWindow
IsWindowEnabled
GetLastActivePopup
GetWindowLongW
GetParent
SendMessageW
GetWindowThreadProcessId
UnhookWindowsHookEx
GetSubMenu
GetMenuItemCount
GetMenuItemID
GetMenuState
ValidateRect
PeekMessageW
GetKeyState
DispatchMessageW
CallNextHookEx
SetWindowsHookExW
GetSysColorBrush
GetSysColor
ReleaseDC
GetSystemMetrics
LoadCursorW
CheckMenuItem
EnableMenuItem
ModifyMenuW
GetFocus
LoadBitmapW
GetMenuCheckMarkDimensions
SetMenuItemBitmaps
GetWindow
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
SetWindowPos
SetWindowLongW
CallWindowProcW
DefWindowProcW
GetDlgCtrlID
PtInRect
CopyRect
AdjustWindowRectEx
RegisterClassW
GetClassInfoW
GetClassInfoExW
CreateWindowExW
PostMessageW
GetMenu
GetClientRect
SetForegroundWindow
MapWindowPoints
GetMessagePos
GetMessageTime
DestroyWindow
GetTopWindow
GetDlgItem
GetForegroundWindow
GetWindowTextW
IsWindow
RemovePropW
GetPropW
SetPropW
GetClassNameW
GetClassLongW
GetCapture
WinHelpW
LoadIconW
RegisterWindowMessageW
SetWindowTextW
ClientToScreen
DestroyMenu
TabbedTextOutW
DrawTextW
DrawTextExW
GrayStringW
PostQuitMessage
USER32.dll
GetDeviceCaps
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
DeleteObject
ExtTextOutW
SaveDC
RestoreDC
SetMapMode
PtVisible
RectVisible
TextOutW
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
DeleteDC
GetStockObject
GDI32.dll
ClosePrinter
DocumentPropertiesW
OpenPrinterW
WINSPOOL.DRV
OLEAUT32.dll
CertFreeCertificateChain
CertFreeCertificateContext
CertGetCertificateChain
CryptHashCertificate
CertCreateCertificateContext
CertCreateSelfSignCertificate
CryptDecodeObject
CertAddEncodedCertificateToStore
CertAddCertificateContextToStore
CertCloseStore
CertVerifyCertificateChainPolicy
CRYPT32.dll
FreeContextBuffer
AcceptSecurityContext
InitializeSecurityContextW
Secur32.dll
CreateStdAccessibleObject
LresultFromObject
OLEACC.dll
UnregisterClassA
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCException@@
.PAVCObject@@
.PAVCInvalidArgException@@
.?AVCMemoryException@@
.?AVCSimpleException@@
.?AVCException@@
.?AVCObject@@
.?AVCNotSupportedException@@
.?AVCInvalidArgException@@
.?AUCThreadData@@
.?AVCNoTrackObject@@
.?AV_AFX_THREAD_STATE@@
.?AVAFX_MODULE_THREAD_STATE@@
.?AVAFX_MODULE_STATE@@
.?AVCDllIsolationWrapperBase@@
.?AVCComCtlWrapper@@
.?AVCCommDlgWrapper@@
.?AV_AFX_BASE_MODULE_STATE@@
.?AVCOleException@@
.PAVCOleException@@
.?AVCCmdTarget@@
.?AVCAfxStringMgr@@
.?AUIAtlStringMgr@ATL@@
.?AVCMapPtrToPtr@@
.?AUIUnknown@@
.?AVCCmdUI@@
.?AVCHandleMap@@
.?AVXAccessible@CWnd@@
.?AVXAccessibleServer@CWnd@@
.?AVCWnd@@
.?AVCTestCmdUI@@
.?AV_AFX_HTMLHELP_STATE@@
.?AV?$IAccessibleProxyImpl@VCAccessibleProxy@ATL@@@ATL@@
.?AUIAccessible@@
.?AUIDispatch@@
.?AUIAccessibleProxy@@
.?AV?$CMFCComObject@VCAccessibleProxy@ATL@@@@
.?AVCAccessibleProxy@ATL@@
.?AV?$CComObjectRootEx@VCComSingleThreadModel@ATL@@@ATL@@
.?AVCComObjectRootBase@ATL@@
.?AUIOleWindow@@
.PAVCArchiveException@@
.?AVCArchiveException@@
.?AVCGdiObject@@
.?AVCMenu@@
.?AVCResourceException@@
.?AVCUserException@@
.?AVCDC@@
.?AVCByteArray@@
.?AVtype_info@@
.?AVbad_exception@std@@
.?AVexception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVparse_error@rapidxml@@
.?AVexception@std@@
.?AVNTFilterBuffer@@
.?AVNTFilterFile
Antivirus Signature
MicroWorld-eScan Trojan.GenericKD.1448213
nProtect Clean
CMC Clean
CAT-QuickHeal Clean
McAfee RDN/Ransom!dw
Malwarebytes Trojan.Backdoor.VB
K7AntiVirus Trojan ( 00458f5c1 )
K7GW Trojan ( 00458f5c1 )
TheHacker Clean
Agnitum Clean
F-Prot Clean
Symantec Suspicious.Cloud.5
Norman Troj_Generic.RPSDF
TotalDefense Clean
TrendMicro-HouseCall TROJ_GEN.R0CCC0DLB13
Avast Win32:Dropper-gen [Drp]
ClamAV Clean
Kaspersky Trojan-Ransom.Win32.Blocker.dbhb
BitDefender Trojan.GenericKD.1448213
NANO-Antivirus Clean
SUPERAntiSpyware Clean
Ad-Aware Trojan.GenericKD.1448213
Emsisoft Clean
Comodo Clean
F-Secure Trojan.GenericKD.1448213
VIPRE Clean
AntiVir TR/Crilock.B.20
TrendMicro TROJ_GEN.R0CCC0DLB13
McAfee-GW-Edition RDN/Ransom!dw
Sophos Troj/Blocker-W
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Crilock.B
ViRobot Trojan.Win32.Agent.760832.A
GData Trojan.GenericKD.1448213
Commtouch Clean
ByteHero Clean
VBA32 Clean
Baidu-International Trojan.Win32.Ransomlock.AKJ
ESET-NOD32 Win32/Filecoder.BQ
Rising Clean
Ikarus Trojan-Ransom.Win32.Blocker
Fortinet W32/Blocker.DBHB!tr
AVG Generic35.APXX
Panda Trj/dtcontx.J

Process Tree

  • Zkauhxfbmpubhr.exe 1088
    • Mrrmkokislmfndtxl.exe 1916
      • Mrrmkokislmfndtxl.exe 304
      • cmd.exe 1212
        • attrib.exe 868

Zkauhxfbmpubhr.exe, PID: 1088, Parent PID: 1824
Mrrmkokislmfndtxl.exe, PID: 1916, Parent PID: 1088
Mrrmkokislmfndtxl.exe, PID: 304, Parent PID: 1916
cmd.exe, PID: 1212, Parent PID: 1916
attrib.exe, PID: 868, Parent PID: 1212

HTTP Requests

URI Data
http://ypxnqheckgjkbu.org/home/
POST /home/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: ypxnqheckgjkbu.org
Content-Length: 192
Connection: Close

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

File name UZQDCDE.tmp
File Size 367 bytes
File Type XML document text
MD5 8820c7d6e6ee359cacfa5a232c663a38
SHA1 d0ce35dcaa4176d5362de7bce516a8206f6f6dca
SHA256 4a831aa4dc720c637da9fb4b4872fbc6445ef3dda45222592052219b12ffeeb6
CRC32 91337DF3
Ssdeep 6:TM3iSnjilRu9TbX+A0KiK5601pSubJ41ggLovvvhgbIEOYT:TM3iSn2uVp5601pSubJjgLAgbBF
Yara None matched

File name autoexec.bat
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
Yara None matched

File name Zkauhxfbmpubhr.exe
File Size 760832 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2a1609ef72f07abc97092cb456998e43
SHA1 5c3b36d335ebee8c5aa1c00080fad0e029481918
SHA256 038d31670f03d386e6f3affe331bf76cb894d695b0f9012d828db9413c223a07
CRC32 F85E9853
Ssdeep 12288:KVFrN8zAxOt3lkOiBapbT2Nk4nh8w7Zqx6h8KKB4ZO:KVFRVxD6cpW2d8PaO
Yara
  • shellcode - Matched shellcode byte patterns

File name MKPBF1E.bat
File Size 386 bytes
File Type DOS batch file, ASCII text, with CRLF line terminators
MD5 11d9f45ae9c644350ec123fd268967fe
SHA1 2707cd55c1e439f2559ae302ceb5e06dde06486b
SHA256 25221aef04a14e115872872d31e05efdc02af57b8a5f5efae30f2db03a62e874
CRC32 AC9ECABA
Ssdeep 12:9ZojeKmjIaoU2DLgLXHmqmjIaoU2DLgYmjIaoU2DLg1LXHmKDKjgyn:XcVI2XgLXXI2XgYI2Xg1L3DK8y
Yara None matched

File name home[1]
File Size 16 bytes
File Type Non-ISO extended-ASCII text, with no line terminators
MD5 294c207bc693baa95a4df11814aa1369
SHA1 98b4b640085543c657d9626990a7039271d9d34a
SHA256 d18cc9d88053e6be3bd9f5ceaad57ecc840731e429e2d73ce42f547856490955
CRC32 AC1DD18B
Ssdeep 3:zDR5Pn:vHP
Yara None matched