B086a2a5c8d526e7be90613f33d1aa8e
Jump to navigation
Jump to search
Description
Summary
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
Identification
| MD5 | b086a2a5c8d526e7be90613f33d1aa8e |
|---|---|
| SHA1 | 0be01d789933abfcf32f938666e8ed0345e4c11c |
| SHA256 | 2e806b7ba57df1b44cb2d48e84942f7843c884bdb24c80635443f03ae84a5dcb |
| ssdeep | 49152:LJZoQrbTFZY1iaEpX5cR87HSS/fREnTwS0OZtEQi1:LtrbTA1wd5ci3REyOi1 |
| imphash | d3bf8a7746a8d1ee8f6e5960c3f69378 |
| File name | sedrf.exe |
| File location | C:\users\%user%\appdata\roaming\33xx\ |
| File size | 1.6 MB ( 1632551 bytes ) |
| File type | Win32 EXE |
| Magic literal | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID |
|
Antivirus detection
| Antivirus | Result | Update |
|---|---|---|
| Ad-Aware | 20140408 | |
| AegisLab | 20140408 | |
| Agnitum | 20140407 | |
| AhnLab-V3 | 20140407 | |
| AntiVir | TR/Drop.Autoit.qvko | 20140408 |
| Antiy-AVL | 20140408 | |
| Avast | 20140408 | |
| AVG | 20140408 | |
| Baidu-International | 20140408 | |
| BitDefender | 20140408 | |
| Bkav | 20140408 | |
| ByteHero | 20140408 | |
| CAT-QuickHeal | 20140408 | |
| ClamAV | 20140408 | |
| CMC | Trojan.Win32.Generic!O | 20140408 |
| Commtouch | 20140408 | |
| Comodo | UnclassifiedMalware | 20140408 |
| DrWeb | Trojan.PWS.Panda.655 | 20140408 |
| Emsisoft | 20140408 | |
| ESET-NOD32 | a variant of Win32/Injector.Autoit.AHN | 20140408 |
| F-Prot | 20140408 | |
| F-Secure | 20140408 | |
| Fortinet | 20140407 | |
| GData | 20140408 | |
| Ikarus | 20140408 | |
| Jiangmin | 20140408 | |
| K7AntiVirus | 20140408 | |
| K7GW | 20140407 | |
| Kaspersky | Trojan.Win32.Scarsi.vlw | 20140408 |
| Kingsoft | 20130829 | |
| Malwarebytes | 20140408 | |
| McAfee | Artemis!B086A2A5C8D5 | 20140408 |
| McAfee-GW-Edition | Heuristic.BehavesLike.Win32.Suspicious-BAY.S | 20140408 |
| Microsoft | 20140408 | |
| MicroWorld-eScan | 20140408 | |
| NANO-Antivirus | 20140408 | |
| Norman | 20140408 | |
| nProtect | 20140408 | |
| Panda | 20140408 | |
| Qihoo-360 | Malware.QVM10.Gen | 20140408 |
| Rising | 20140408 | |
| Sophos | Mal/Generic-L | 20140408 |
| SUPERAntiSpyware | 20140408 | |
| Symantec | 20140408 | |
| TheHacker | Trojan/Dropper.Dapato.bwjk | 20140408 |
| TotalDefense | 20140408 | |
| TrendMicro | 20140408 | |
| TrendMicro-HouseCall | TROJ_GEN.F47V0408 | 20140408 |
| VBA32 | 20140408 | |
| VIPRE | 20140408 | |
| ViRobot | 20140408 |
Links
- Virustotal.com: https://www.virustotal.com/en/file/2e806b7ba57df1b44cb2d48e84942f7843c884bdb24c80635443f03ae84a5dcb/analysis/1396962194/
- Malwr analysis: https://malwr.com/analysis/NGZmZmRjZDZmMzBiNDQyZDljNWM3NWFkMWI2NmYzODU/
- Download: https://www.dropbox.com/s/tqrl1vb8u6q88o4/b086a2a5c8d526e7be90613f33d1aa8e.zip (pass: infected)
Artifacts
Mutexes
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
Persistence
The malware ensures it will be automatically restarted after a reboot by creating several registry keys:
| Key | Name | Type | Value |
|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ok | REG_EXPAND_SZ | C:\Documents and Settings\malware\Application Data\33xx\sedrf.exe |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ko | REG_EXPAND_SZ | C:\Documents and Settings\malware\Application Data\33xx\sedrf.exe |
| HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1HOC72KD-R7E1-N703-87I1-3025514N7RQC} | StubPath | REG_EXPAND_SZ | C:\Documents and Settings\malware\Application Data\33xx\sedrf.exe restart |
Note
Windows Active Setup is a process that runs automatically when a Windows user logs in.
Registry keys
In addition to the above mentionned registry keys, the following keys are created:
| Key | Name | Type | Value |
|---|---|---|---|
| HKEY_CURRENT_USER\Software\glTfX | InstalledServer | REG_EXPAND_SZ | C:\Documents and Settings\malware\Application Data\33xx\sedrf.exe |
| HKEY_CURRENT_USER\Software\glTfX | ServerStarted | REG_EXPAND_SZ | 09/04/2014 13:55:37 |
Files
Created
Following files have been created:
- %appdata%\Microsoft\Windows\glTfX.cfg (encrypted configuration file)
- %appdata%\Microsoft\Windows\glTfX.dat (encrypted data file)
- %appdata%\33xx\sedrf.exe (the malware copies itself into this location)
Deleted
The malware deletes following file:
- %homepath%\Local Settings\Temp\x.html
Network indicators
The malware performs regular requests to a bunch of domains on ports 9292/tcp to 9494/tcp, requesting the same resource: /1234567890.functions. Here is an example:
GET /1234567890.functions HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Host: yadkoumfizabi.servehttp.com:9292 Connection: Keep-Alive
Defensive capabilities
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
Thank you for your comprehension.
Static Analysis
Sections
Name VirtAddr VirtSize RawSize Entropy -------------------------------------------------------------------------------- .text 0x1000 0x8061c 0x80800 6.684690 .rdata 0x82000 0xdfc0 0xe000 4.799741 .data 0x90000 0x1a758 0x6800 2.150072 .rsrc 0xab000 0x5d5b8 0x5d600 6.286825
IAT
Resources
Name RVA Size Lang Sublang Type -------------------------------------------------------------------------------- RT_ICON 0xab538 0x128 LANG_ENGLISH SUBLANG_ENGLISH_UK GLS_BINARY_LSB_FIRST RT_ICON 0xab660 0x128 LANG_ENGLISH SUBLANG_ENGLISH_UK GLS_BINARY_LSB_FIRST RT_ICON 0xab788 0x128 LANG_ENGLISH SUBLANG_ENGLISH_UK GLS_BINARY_LSB_FIRST RT_ICON 0xab8b0 0x468 LANG_ENGLISH SUBLANG_ENGLISH_UK GLS_BINARY_LSB_FIRST RT_ICON 0xabd18 0x10a8 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_ICON 0xacdc0 0x25a8 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_ICON 0xaf368 0x4228 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_ICON 0xb3590 0x10828 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_ICON 0xc3db8 0x42028 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_MENU 0x105de0 0x50 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_DIALOG 0x105e30 0xfc LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x105f30 0x530 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x106460 0x690 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x106af0 0x4d0 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x106fc0 0x5fc LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x1075c0 0x65c LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x107c20 0x388 LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_STRING 0x107fa8 0x158 LANG_ENGLISH SUBLANG_ENGLISH_US data RT_GROUP_ICON 0x108100 0x5a LANG_ENGLISH SUBLANG_ENGLISH_UK MS Windows icon resource - 6 icons, 16x16, 256-colors RT_GROUP_ICON 0x108160 0x14 LANG_ENGLISH SUBLANG_ENGLISH_UK MS Windows icon resource - 1 icon RT_GROUP_ICON 0x108178 0x14 LANG_ENGLISH SUBLANG_ENGLISH_UK MS Windows icon resource - 1 icon RT_GROUP_ICON 0x108190 0x14 LANG_ENGLISH SUBLANG_ENGLISH_UK MS Windows icon resource - 1 icon RT_VERSION 0x1081a8 0x19c LANG_ENGLISH SUBLANG_ENGLISH_UK data RT_MANIFEST 0x108348 0x26c LANG_ENGLISH SUBLANG_ENGLISH_US ASCII text, with CRLF line terminators
Strings
F$S3
r$;=
RPWS
h(NH
D$4P
T$8R
PSVW
u@8E
?~0f
0|.f
?~'f
<pF3
Zv!f
ar#f
_^[]
_^[]
S@VW
T$lR
D$tPh
L$pQ
D$dP
t$@f
T$@RW
D$D=
T$@R
T$(R
L$xQ
L$,Q
BRQP
teW3
GWPj
SWPj
[_^]
H0^]
_^[]
QSVW
Ox?3
5L.I
5p.I
5$/I
5H/I
5d/I
=l/I
=<0I
=@0I
=`0I
=d0I
5l0I
=81I
=<1I
=\1I
=`1I
=42I
=82I
=X2I
=\2I
5D1I
5H1I
5h1I
=|2I
503I
=83I
5T3I
=\3I
5`3I
=d3I
5X5I
54?I
=,AI
5pAI
5pBI
5`FI
=\GI
=|HI
5,JI
5lKI
5pKI
5$LI
5\PI
= UI
5HUI
= VI
50[I
5T[I
=x[I
= \I
=@\I
=D\I
=d\I
=h\I
=p\I
=t\I
5,\I
=<]I
=@]I
=H]I
=L]I
=`]I
=d]I
=8^I
=<^I
=\^I
=`^I
=4_I
=8_I
=X_I
=\_I
=|_I
=0`I
=4`I
=T`I
=X`I
=``I
=d`I
=x`I
=|`I
=,aI
=0aI
=8aI
=<aI
=PaI
=TaI
=taI
=xaI
=(bI
=,bI
=LbI
=PbI
=pbI
=tbI
=$cI
=(cI
=HcI
=LcI
=lcI
=pcI
= dI
=$dI
=DdI
=HdI
=hdI
=ldI
=$eI
5@eI
5deI
=HeI
=leI
D$xP
D$GP
L$LQVW
t$T;
L$hQ
T$hR
D$hP
L$hQ
T$xR
D$4@
L$0PQ
;T$4
0f;1
L$0Q
D$`t
L$p9L$\
D$l;
|$4j
D$\PQ
T$T;
D$x@
D$x;D$\
D$p;D$D
;D$\
\$L;
9t$L
D$H;
9D$\
T$x;T$p
D$Dj
8f;9u
8f;9u
D$|@
D$x;D$\
T$p3
\$dQ
D$,;
L$ ;
T$dR
C;\$8r
T$4R
|$ f
D$(RP
\$$P
h!\B
0f;1u
Gt'Ju
QVWS
0f;1u
v)VW3
VW8X
XSVW
_^[]
SVQQQ
WSQRP
L$$QS
L$0Q
T$PR
T$XR@Q
h(VH
G%8E
QVRWj
t19_
uKVj$
{D9{ v
;s r
v)VW3
?~)V
U2SH
u h4SH
hDSH
u h4SH
hTSH
QVPP
t?Hu
`SVW
VPVQ
VPWSj
F@vT2
ODSV
D8LSP
D8LP
OLQW
DSVW
QZ^&
C _H^
4SVWj
h(NH
jdh,
h$MH
v V3
=X&H
^[_]
Vu<+
t:f;
5@fI
hT*H
hD*H
ht(H
uTVWh
Sj Z
0;1tt
j-Zf
j-Xf
_^[]
SW3
SW9E
t?f;
Vuy3
woVW
=lnI
5lnI
5lnI
tq9U
t`9U
9U uV
9U tO9U$uE9U(uE3
>:u9;
9U(u
t,9U
rC9U
9E vgPQj
9U$tE+
9u(vEVSj
9u v&VQj
9U v
9U(v
SW3
^_[]
SVWf
_^[]
_^[u
t!9u
@uoW
~,WPV
98t^
tVPV
t/9U
HYYt
f9;u
t/9u
t*9u
t&:a
SW3
YYVj
^_[]
SW3
=xfI
j-Y3
_^[]
TSj$h
j<SW
j<SW
j<SW
WWWWW
QQWf
ht*H
hl*H
tvHt#
tNHt%
j%Zf
HtcHt.
HtbHu
@_^]
HYYtJHt9H
YY_^
YQPVh
tR:Q
t<:Q
t&:Q
@FA;
oV f
o^0f
of@f
onPf
ov`f
o~pf
FGIu
X^_]
FGIu
u,9E
u,9E
5lnI
Y__^[
9csm
t h
=t!H
5t!H
_^[]
5x!H
Y_^[]
Fpt"
Y;=H
5p#H
5t#H
PPPPP
5,hI
t!Ht
_^[]
Y_^[
Y_^[
hl8H
PPPPP
<v*V
hd8H
h\8H
^SSSSS
v N+D$
u)jAXf;
u+9u
u)jAXf;
u>9u
j0Xf
RPWS
80tT
j Yf
YYt/
_^[]
t'Ou
SVW3
t;f99t6C;]
f99u
sej\Yf
f99u
.t C;]
s%j.Zf
f99u
_^[]
uNSW
WWWWQ
9M$u
-t!;
+t +
9w#k
j@j ^V
SWf9M
j@j
_^[]
j@j
VVhU
@u^V
t%HHt
HHt$HHt
RPWS
90tW
?If90t
YYt.
9]$u
9](SS
t"SS9] u
SVW3
X 9}
t/Ht
9] t
_^[]
@tH9
AWf;
tRHtC
tEHt0
u% U
f9>t
f9>t
>=uu
f9>t
f9>t
URPQQh
L$,3
UVWS
[_^]
SVWj
_^[]
t$WV
Ht%C
Ht(f
j,h`
t!PV
50oI
SSSSS
PSj?
=|!H
PSj?
>:u8FV
jd_Fj
PPPPP
95,oI
Pf95
PVVRV
Pf95
VVVVVQRSSj
VVVVV
VVVVV
954oI
954oI
WVS3
2WWj
t@;E
8csm
w f
"u 3
tAVWP
Y[_^
5hfI
%hfI
PPPPP
8"u8
t j\Yf
t$9U
QQSVWh
5tfI
5\fI
5lnI
=hnI
5lnI
_^[]
9] SS
v4;5
vL;5
PPPPPPPP
VW9]
_^[]
t"Ou
PPPPPPPP
=TqI
hpCH
hXCH
5dqI
5TqI
Jvf;
Jvf;
Jvf;
Jvf;
Jvf;
Jvf;
Jvf;
~%9M
QVj
r 8^
r"9U
r"9U
80t/
PPPPP
SQRP
jdRP
@PVS
@PVS
Wj0S
|-;E
VVVVV
5hrI
=drI
%XrI
-TrI
QSWVj
tCHt(Ht
3t(;
SSSSS
t(9}
SVWUj
h8,B
]_^[
h@,B
;t$,v-
UQPXY]Y[
5`fI
95hfI
5`fI
<8=u
u'9E
SSSSW
SSSSW
@PWV
_^[]
PPPPP
WVU3
v N+D$
<Xt
u+9u
@hlKH
SVW3
QQSV3
=hfI
VVVVj
tCVV
9M$u
<+t"<-t
+t HHt
PPPPP
u"9U
h|KH
u 9p
u 9E
;9u
0K;]
tx~?j
t1SW
5`fI
tSj=V
u`9]
5`fI
?sjj
5`fI
5`fI
tPVV
SSSSS
SSSSS
_^[]
^_[3
<$Xf
h3\B
h.\B
hM\B
hH\B
hf\B
hR\B
;Ad};
7Jf;
h\WH
F;s r
80u'
80u'
@ A;N
AQRP
PVh,
QVh$
RVh4
PVh4
D$$PjeQ
WQPV
L$$Q
T$ R
D$ P
L$ h\VH
D$(PQ
jwhx
jshx
PjoQ
Rh0MH
h XH
D$(P
D$@P
L$,Q
T$@R
D$,P
D$@+
)t$D
h4YH
hXYH
uL9C
F;s r
h\WH
u*PVQ
h8ZH
hTZH
QRh4
QjoR
PjoQ
~LW3
PjzQ
Rj{P
Qj{R
h\VH
Ph\ZH
PHQR
PjyQ
Qj|R
PjpS
T$4BR
T$p9T$\~
PWSQ
D$p9D$\
RjoP
T$ R3
D$ PR
T$ R
L$ QP
L$ QP
RjyP
:f9_
D$$P
RjyP
D$ ;
D$ P
D$ ;
D$ ;
D$|Pjp
T$?R
t$(P
\$4PS
L$DQ
T$LR
L$xQ
\$$j
D$`PWQ
T$$PR
L$@Q
T$HR
PjnV
L$$PjnQ
L$$PjmQ
L$$PjkQ
L$$PjlQ
L$$PjnQ
QjrS
t$VV
QjrR
PjrW
QjrS
RjrQ
Pj|Q
PjrQ
QjyP
G PRV
RjrP
PjrS
D$lP
T$pRQW
L$hQ
T$hRh0
D$lP
t$$Sj
t$$Sj
L$hQ
T$hRh
D$lP
D$\=
D$\PQ
L$0QR
L$XQP
QjrW
QjrW
t$H;
D$H;
D$H;
_^[]
KteKt)KuB
0u5+E
_^[]
_^[]
xT;E
_^[]
N@G:
_^[]
'u`@
u ;E
<\uEF
<\u,
<\u5F
<Qu#F
W\RPQV
:G`u
:Gat
<(u)
<)t)<|u
_^[]
_^[]
<{uH
<}t <-t
:}u#
t2PV
tZWP
;pxuZ
QSPW
Pj0V
9_Xu
9_\u
9_`u
9_dt
@t@f
t"f+
Xd_^[]
|=;E
<SVW
PQRV
=8&H
;Gds
t^WP
u h4SH
u h4SH
Phx)H
PVQSRj
QPSj
_^[]
Ht^HtTW
=x'H
QSj&S
t1VP
PVj&S
SVW3
T$<h
D$<h0
L$<Q
D$@P
D$<h
L$<h0
T$<R
t%h0
Wj Q
;VLuq
t _^3
=0$H
SVWu.
_^[]
SVPj
[_^]
s^[t
u _^2
h,aH
h,aH
thWV
tYWV
PjxPPh
Qhh}H
RPQj
ukVW
SVWj*P3
h\VH
h\VH
h\VH
N Qj
hD|H
h\VH
hX|H
F PW
tth\VH
4A@f
58uJ
f97t
Qh$WH
A,Ht*Ht
hxaH
91t @
91t @
[_^]
Vh4aH
t j W
5,&H
upPPPj
=,&H
9A t
9A t
_^[]
9_^[]
x@;w
_^[]
hhUH
_^[]
dSV3
_^[]
8crtsu
M QS
:crts
_^[]
_^[]
_^[]
y]_^3
_^[]
F ^]
_^[]
h()H
hX)H
_^[]
QhH)H
VRPQ
5L&H
5T&H
t1;}
VWh+
=T&H
VRPj
VRPj
Vh+lC
_^[]
VRPWS
WPQR
50 H
97vC
F;7r
hHNH
hXNH
=ERCPt
Wl+Wh
M BR
QRPV
9G ~+
;G |
;G(vU
;O(w
;G }b
;G |
9O ~&
;O |
;G(vL
;G(w
;G |
WRPQ
WQRP
OhNH;
;wxs
Wl+Wh
WRPQ
t ;u
M BR
WRPQCSV
U$AQ
E t ;u
9G<t ;wh
tm;wl
RQPV
;wls\
QRPV
Gl+G
9G|t
;wxv
G\9G|
9GPt
;wls`
OlQPV
Wl+W
Wl+W
G\9G|
;Gxs
;wlr#
;wxv
G\9G|
Z;whu
;wxw
;wlr
;wxv
G\9G|
t%;wlsG
RQPV
Wl+W
:G,u
PWQVR
U$@Pj
QRPSV
RWPVQ
WRPQSV
PWQVR
|;;wl
WQRPSV
U$@Pj
QRPSV
HFC:
;wlr
;wxv
G\9G|
WRPQSV
M +u
WRPQSV
;wls
;wxv
G\9G|
WQRPSV
|&;wl
}6;wls
;wxv
G\9G|
WQRPSV
|(;wl
;wxv
G\9G|
WRPQSV
WRPQSV
}9;wls
t%@F;E
;wxv
G\9G|
WQRPSV
|+;wl
;wxv
W\9W|
U @Pj
PQRSV
WPQRSV
}1;wls
t$BF;
;wxv
G\9G|
WRPQSV
RQPV
Gl+G
:G,u
F;wls
F;wlr
F;wlr
';wls,
w.ti
w't2
F;wls
F;wls
QRPV
Gl+G
:G,u
;wls
|^;wl
|);wl
RQPV
Gl+G
:O,u
GlF;
;wlsz
QRPV
Gl+G
:O,u
GlF;
G\9G|
s$F;
G\9G|
G\9G|
F;wl
O\9O|
O\9O|
w<tD
O\9O|
G\9G|
G\9G|
O\9O|
G\9G|
;wxv
O\9O|
WQRPSV
WQRPSV
;wls`
RQPV
Gl+G
:O,u
G\9G|
G\9G|
;wlsH
F;wl
G\9G|
;wls
;wxv
G\9G|
WPQRSV
U @P
WPQRSV
(_^[
M @P
;Wu9
U @P
QRPV
E AQ
RPQV
E(Ru:
WRPQ
QRPV
M(BR
M$BR
U$@P
E$AQ
M$BR
U$@P
E$AQ
E$AQ
E$AQ
;Gdu
9_puu
U$@P
RPQV
(_^[
O\9O|
G\9G|
G\9G|
G\9G|
RWPVQ
;wlr
;wxv
G\9G|
WQRPSV
G\9G|
WQRPSV
WRPQSV
WQRPSV
;wxv
G\9G|
WQRPSV
WQRPSV
}Q;wls+
;wxv
G\9G|
WPQRSV
WRPQSV
G\9G|
;wxv
O\9O|
U @Pj
PQRSV
WPQRSV
W\9W|
U$@Pj
QRPSV
Wl+U
WRPQSV
G\9G|
W\9W|
E,@Pj
PQRSV
WQRPSV
WRPQSV
WQRPSV
WRPQSV
WPQRSV
WPQRSV
WQRPSV
W\9W|
WQRPSV
WPQRSV
WPQRSV
WRPQSV
E,@Pj
PQRSV
RQPV
Wl+W
:G,u
5;wl
WPQRSV
U$@Pj
QRPSV
RQPV
Wl+W
:G,u
WPQRSV
!""""""##$%&'())))))**+,-./KKKKKKKK001234566678789:;<=;<=KKKKK>?@ABCDEFGH
8ERCPt!
t._^
<hv}
uF_^3
SRVP
u[_^3
SQVP
S\RPQV
:C`u
:Cat
\QPRV
:A`u
t"_^3
u__3
uY_3
;w$r&
SVWj
PQRW
<0Tt
RPQV
QWSR
PWSQR
QRjSP
SVWPh0
+~<+^@
^@_^[
WVh0
@t5f
u _^2
f F~_^
99u
f F~_^
pxW3
_^[]
_^[]
PVh0
RQh>
=T&H
QPhg
N~_^
tBPh0
u 9E
FG;=
u G;=
=T&H
Vj0R
_^[Y]
tFPh0
=(&H
u ^[3
)CHjGj
PVh0
u`SW
99t?
_^[]
@DPW
T$<t<j
D$8P
L$4QW
T$ R
D$8P
L$8QW
T$<t
D$8P
L$8Q
T$8R
)D$0)D$4
L$4QW
\$ R
D$4Pj
V(@Aj
L$4Qj
D$4PW
L$8Q
T$0RW
D$,PW
9:t:
69>t
h4aH
h4aH
QSSS
D$(P
u'SSWVh
L$ Q
L$0i
D$$i
Pj SWV
QVWS
tdWP
RPWS
_^[]
_^[]
_^[]
F4WhT
u$Ph
t!Wj
uIPh
QPt
=T'H
@PQj+S
BRPj,S
_^[]
Pj2j
=L'H
E ;E
9] }`
E ;E
_^[]
_^[]
_^[]
t'h0
FLWP
5<uJ
80u/
Xu!j
$RPQ
N,QR
_^[]
t+VR
^_[]
_^[]
_^[]
G0PV
Qj P
h(~H
h(~H
5 uI
t=jch_0C
h8uI
uuWj
h8uI
h =C
Qha;D
_^[]
_^[]
^,t2
t _^2
_^[]
t29s u-P
_^[]
Qj[h
Qj[V
Qj[h
Qj[V
<(t|<"tx<%tt<'tp<$tl<&th<!td<ot`<]t\<[tX<\tT<
tL<_tH<
~ f1<C@;
__^[]
__^[]
FCf;
ubVW
9Y<v7
;Z<r
AQWP
>_^]
SVW3
:_^[]
8_^[]
<G u
<G t
<G u
<G t
<G u
<G t
<G(u
<G u
<G t
<G u
<G t
;t/f
<G t
<G u
<G t
<G;u
<Q;t
:;u<
8^=u
8^<t7
8^=t
8^<t
Rh8)H
^(^[
G$PV
Vh4YD
=(&H
Ph)p
Ph,p
Ph*p
Ph+p
WQhs
=\!H
Pj%h
=\!H
Pj'h
0SVW
0SVW
XSVW
h OH
h0OH
QRVf
PQRf
PQRt
_^[]
_^[]
>ERCPt,
wWtN
VUUU
VUUU
VUUU
;M ~
QRPW
RPQW
t1;]
PQRS
t+;]
QRPS
RPQS
uV;}
u);}
u tE
_^[]
RSWV
$RSWV
QSWV
SPRQ
SQRP
SQRP
WQRS
WVh0
VQRj
PSj{V
WVh0
T$ RV
;D$
;D$(
;D$$|};D$,
t<Ph0
PRj V
_^[]
_^[]
VRj+W
_^[]
SVWPh0
D$(PQ
D$(PQ
tZWP
QRh0
PQWV
PQSV
RPWV
QRWV
PQWV
RPWV
PQWV
RPWV
QRWV
uf_^2
RPh0
QRh0
=T&H
PQht
dSVW
QRh0
PRh2
PWh0
PVh0
L$(QRh0
T$$WR
|$ ;W
;N0t
=T&H
L$XQj
N0Pj
V0Rh0
D$(P
V0Qj h
D$(Pj
D$80
D$(Pj
D$(Pj
L$$WQ
@t j
L$ j
L$(Q
T$(RWh+
QRh0
QRh0
QRh0
QRh0
5T&H
5T&H
RSh`
=T&H
RPht
QRh0
t6Vj
QRh0
u 9E
RQPS
9X0u
QRh0
QRh0
QRh0
QWh0
QRh0
tRJt6JuV
RPVQ
PRVQ
WSVQ
QRh0
PVh0
VWPh0
HPIQS
tlVh0
2Wh0
tZWP
tZWP
u$Wh
v`Rh
NxQR
N`Rj
u$Sh
tZWP
u^PW
F$h
_^[]
F4QP
w0tY
_4PS
[_^]
F0^]
F W3
_^[]
Ht:Ht
Ht:Ht
D$$P
T$,R
L$ Q
L$ Q
D$(P
D$$P
T$,R
BRPW
97v+
F;7r
VQh
VRh
_^[]
hXYH
"u63
_^[]
_^[]
^8SPQ
N$RQ
N88M
F4_^[
thPV
PQWS
5h!H
QSVW
crts
t,9U(u$
#uZG
V\RPQW
:F`u
9_^3
\u%G
HH 9M
FVh/
FVh_
S SR
Vh.
@FVh0
Vh^
FVh`
FVh(
Vh)
Vh'
FVh)
?\u0
VPGWQR
VQGWRP
QVRj
RVPj
V$PQS
VRWP
VRGWPQ
3<'t
<4u.
C<qu
9_^3
<)t!G
;<<u
*<'u
;F,|
;V,}%
PWRV
:RuR3
u)Wh
<=t4<>t
9M(tH
;F,|
F0+M
9N,~6
N4A;
;N,|
F$G3
+u+G
<)t^<:tW
E VP
`u93
9U(u2
9_^3
9M(t`;
9N,~6
;F,|
;F,}
uP9E
VRPSQ
F@;N<~
9_^3
_^[H
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
9_^3
WSh0
ItCI
VPh8
_^[]
_^[]
VQh3
_^[]
VQh4
_^[]
QRh0
9M u
9M$u
PGWha
F~_^
E$SV
U(QPh
u _^2
M QRh0
M PQ
U SR
G~_^
U(QPh
u _^2
j SWRQ
H~_^
RPh0
=T&H
E$SV
PQSj
u _^2
5T&H
W~_^
=T&H
RQPj
9E u
M 9E$u
M QRW
U,QP
=T&H
V~_^
9E u
9E$u
PQSj
N~_^
U,QP
u _^2
t!Qj
WSPQR
u _^2
5T&H
W~_^
QPRh
u _^2
C~_^
u _^2
N~_^
Rh$MH
F~_^
E,Rh$MH
E(SV
u _^2
A~_^
QRh0
QRh0
t{Ph0
_^[]
x,t2
VWj$
_^[]
t^j$
_^[]
=,$H
R8QP
f;P,
f;q,r
RLQP
f;J,
RPQP
f;p,r
AQSR
_^[]
tZWP
VRPQ
tWhP
\$df
D$hf
D$4PQ
T$(R
D$DP
T$(j
|$0Pj
L$8j
D$Hj
T$<5
L$Hj
D$dj
T$pj
D$(P
9D$$
9T$(t
L$dP
L$D3
\$hf
D$DP
L$@Q
L$8Q
T$4RP
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
^[Y]
tZj
6;7}
_^[]
_^[]
[_^]
[_^]
VWh4
uEVWh$
VWh,
PVh4
QVh$
h\VH
_^[]
_^[]
u Sj
F SPV
KHVWh
PQRh`VH
_^[]
_^[]
FVPj
WVPj
HPWR
_^[]
W9^$
9^4~d
C;^4|
F4_^[
|Z;T
WjcP
NTPj
FTRP
VDRP
N4QP
FTRP
FTQP
D$<f
D$P3
D$Pf
\$8f
T$`R
D$0P
L$DQR
D$,P
L$8Q
FD9D$Dt
F4;D$0~
9|uj
*L$8
PQh2
wqt<-
PPQj
_^[]
vqh
QRPW
TSVW
L$8j
D$<0
T$0Rj
xXf;
T$0R
S0Qj
;C0t
jWSV
QRh0
5T&H
QRh0
SWhH
=T&H
QPh<
=T&H
G0h>
=T&H
5T&H
=T&H
QPVj
PQVj
RPVj
RPVj
QRVj
PQVj
RPVj
PQh!
QRFC
>.u=
SVWP
NxU;
Nx6;
C9P<t>
u _^3
TSVW
VRPj
u _^2
R0WW
tPj
0SVW
QVRS
dw3i
>_^3
jdh,
RQWP
Pj@V
5T&H
Pj0Q
Qj2h
Pj0Q
=T&H
x tH
RQVP
PWVj
RSPV
j PQj
Pj@S
Pj0S
tjS
~XW3
SPQW
SQRW
L$(Q
D$ PQW
QVRW
PVQW
SVW3
SVW
SVW
SWRP
)t?Q
SVWP
t0Ht
_^[]
_^[]
QSVW
RPWSQ
RPSW
$RPQV
$RPQ
QSVW
t _^2
=\"H
L$0Q
T$,RP
D$<h0
L$<h
Mh\VH
=(#H
>[_3
SVWj
SVWj
SVWj
(SVWj
8\t j\
8:uK
8\u=
4SVWj
4SVWj
SVWj
T$ R
D$ h
L$ h
T$ h
D$0P
T$ R
RSSP
T$(RS
D$ P
T$$R
D$4P
L$<Q
=(#H
L$0Q
L$8Q
L$0Q
T$0h(
D$<P
5\"H
5\"H
5\"H
SVWh
QjfR
WjrQ
PVQRSh
PQRh
QjfR
RVPQSh
RPQh
8[tH
8_u
8[u}C
L$8Q
T$HR
T$$R
RWPVj
L$(Q
7RQV
;L$
t"Ht _^2
WVSh$
WVSh4
u2PPP8E
t#h,}H
hP}H
FVPj
WVPj
HPWR
_^[]
98v-
G;9r
DSVW
T$(j
D$,0
L$ Qj
t'HuN
T$ Rj
<SVW
T$ j
D$$0
t-HuN
Ox-WS
}0WS
QOWRS
t#1E
u!f;E
RVj
80u{
8Xu`j
Rh$aH
Qh,aH
bub3
\$ f
\$$u#Sj
L$$Q
T$,RPj}
9\$,t
L$(QV
T$ RV
N SQV
PVQRSh$WH
GWPj
SWPj
[_^]
8{u C
t$SW
V4RP
Rh8)H
D$,PW
L$(QP
T$,RW
D$(P
L$,Q
t$$t4Ht
T$,R
D$,P
T$,RQ
D$,PW
L$(Qh
D$,PW
T$,RW
T$ +
_^[]
_^[]
SVQW
_^[]
D$,PQ
T$(R
D|(P
L$,QP
T$,R
L$,QVW
D$,3
L$ +L$
T$$+T$
]t!;]
]t [_2
8#u
SVWj
u _^[
8|u&j|
_^[Y]
$SVWP
usG;
WQhs
=T&H
At8;
PWWW
ERCP
_^[]
_^[]
QRh0
SRVP
SPVQ
~ ;M
RSPVQ
PVh0
PSQVR
t ^_2
PSQWj
RSPWj
G;|$
D$,P
L$ Q
L$,Q
T$ R
D$$P
G;|$
D$ P
wDVj
L$<Q
D$LP
L$@Q
L$ h
RWPQS
T$<R
D$ j
T$@;s
QPSR
D$@P
L$$Q
T$HSR
D$@P
8\uP
8\u@j
h\VH
h\VH
JRFV
_^[]
8*u"
hhUH
h\UH
(SVW
t4jA
WjD3
D$lWP
D$hD
D$ v'
T$DR
D$@P
L$@Q
T$@R
D$0P
L$lQ
L$(WR
T$ PQRVS
T$0R
D$lP
L$@Q
D$@P
T$@R
D$@P
D$@P
D$@P
D$$Ph
5x H
T$4Rj
D$,Pj
D$$P
L$<Qj
PjrQ
_^[]
GWPj
SWPj
[_^]
L$$Q
L$0Q
T$$R
t$DV
D$$P
L$0Q
D$$P
T$\j
j@j@
L$4Q
T$<Rj@Vj
D$lP
T$(QR
D$8P
L$<Qj@Vj
T$lRP
D$,P
L$8Q
D$4P
T$0R
D$$P
D$0P
L$$Q
D$PD
D$\h
D$`0
D$l4
D$xD
L$ f
T$$9T$
D$$9D$
DunS
T$$QR
D$(P
t$$RV
D$$P
;D$$
T$(R
T$(R
HtkH
L$ 3
L$,Q
t$0f
t!Hto
GtHt'Ht
vOtX
h9jF
PWRR
RQWP
RQWP
SVW3
T$,R
D$,P
L$(Q
D$$+
KS@P
T$0R
D$TP
L$HQ
G;|$
\$ S
D$\j
D$XX
L$XQ
T$tR
D$tf
D$tf
D$XP
T$8R
L$4QP
80uLj
8Xu0
SQSV
t]WV
tRWV
_^[]
E#PQ
E PQ
>_^[
QWPR
t QWQV
t WS
Rh0~H
WPQj
QSj}
bub3
H,QR
^0SP
w?t&
t,j@
WQRVP
8SVW
h4QH
h\QH
h(PH
h8PH
hPPH
hXPH
hdPH
hhPH
hlPH
hpPH
htPH
=@&H
H^Y]
RVPQ
_^[]
QRWj
_^[]
_^[Y]
Vj h
_^[]
_^[]
5T&H
=P&H
=T&H
WVPQ
5T&H
=P&H
WVh0
PQh0
D$(j
D$,0
T$ Rj
L$ Qj
T$D;
D$ Pj
QNVRW
_^[]
_^[]
}(u 2
_^[]
VVRQ
L$ Q
T$dR
T$8R
D$pP
L$lQ
D$<t
T$\9s
D$DP
L$tQ
8%u
8\ueFVS
;L$\
T$XR
|$PO
t$dPV
D$`P
D$$P
L$(Q
D$$P
T$$R
QSVW
PSQ
>tFS
TSVWh
D$,P
D$`P
L$DQ
T$XR
T$,R
D$,P
D$(P
L$@Q
D$,P
D$4j
T$0RP
L$,HPQ
T$(RS
L$(Q
L$XQ
T$4R
D$PP
T$DR
D$,P
D$8P
T$XRj
D$@P
T$tR
D$8P
T$PR
D$DP
L$hQ
D$,P
L$,Q
D$PP
D$ Ht
T$$R
D$@j
L$4Q
T$@RW
T$$R
L$`Q
T$DR
D$XP
T$,R
D$@P
L$,Q
T$Xj
9|$
L$ PQ
T$ PR
6QWj
T$ PR
L$$Q
L$$Q
D$$P
T$`R
D$DP
L$XQ
D$4P
L$0Q
D$@P
T$(Rj
=t H
D$$P
D$ H
D$$P
D$$P
T$0Rj
D$$P
D$$P
SVW
L$0QW
T$0RW
L$@Q
D$@PQ
QVRP
D$ P
SSPQ
SSWR
QSRPV
VVVj
h\VH
tSVW
T$(f
L$(Q
T$4R
D$dP
L$8Q
T$4R
D$0P
L$0Q
T$(RSP
L$XQ
D$PP
L$pQP
D$xP
L$XQh
D$PP
>_^3
WSWQ
WSWR
u2SP
tSVW
L$0@
L$0
T$ R
D$,Q
L$,RPQ
D$ P
T$$R
D$ P
D$ P
T$ R
T$,R
D$8P
L$,Q
L$LQVS
F;t$$|
T$LRVS
h\VH
h\ZH
|$DR
L$4QV
D$$P
T$(P
Qhh)H
t\j8
u VS
H,RP
(SVW
8$uK
D$HP
L$<QR
D$0h
L$0h
T$0htQH
D$0h
L$@Q
T$$RV
D$0h
L$@Q
T$0h8PH
D$@P
L$,Q
T$0hdPH
L$0hhPH
D$0hlPH
T$0hpPH
L$0htPH
D$0h\QH
L$@h
T$0h
D$@P
L$0h
T$@h
D$@h
T$PR
D$PP
_^[]
_^[]
RPQV
_^[]
lSVW
D$8P
L$4Q
T$ RPQ
T$<R
4SVW
T$0R
T$ R
D$4P
D$$P
tZj8
t|j8
_^[Y]
_^Y]
_^Y]
hP"@
<SVW
L$$;B0u
\$0C
T$,;
D$ 3
L$09L$(
\$$F
L$,f;
T$,RQP
|$,Hu
T$HRP
\$4f
D$0@
D$0;D$(
T$8R
T$8R
T$ R
T$ R
T$ RP
D$8%
D$@P
D$8PS
9\$(
C;\$(
D$8P
D$0_^[
9>~$
WPh0
U$S3
t79]
t29]
_^[]
5H$H
_^[]
WVh0
D$HPS
T$HQR
=T&H
D$PP
L$DQh
T$\RSP
h(~H
T$\R
L$\Q
T$XRj
L$XQh
C;\$
D$@RPh
D$Dj
WVh0
9M u
U 9M$u
_^[]
QRh0
^0Sh0
Wj!j
j!j j
=T&H
=T&H
v0Vh0
uM9p0uH
QRh=
QVh0
1E Rh0
U Rj
U$+E
M WRSPht
Pj0R
_^[]
_^[]
h,aH
Ph,aH
Rt!3
TSVW
PjrQ
u28E
SRQP
_^[]
@SVWjX
_^[]
RPh0
PSWV
PSWV
PSWV
PSWV
PSWV
PSWV
PSWV
PSWV
PQRWV
RQPSWV
RQPSWV
PQRSWV
PQSWV
RQPSWV
PSWV
QRPSWV
PQRSWV
RQPSWV
PQSW
RPQSWV
PSWV
PSWV
PSWV
PSWV
PSWV
QRSW
u8Sh0
~|Uu
V|PQR
FlPWV
t 9E
PPj1Q
9Fdt
Nd9E
9F`t
,SVW
L$4Q
>;\$
L$,Q
D$,P
>;\$
9L$$
D$0+
T$,WRP
L$(;
D$0RP
D$(@
D$(;
\$4t
9|$4
T$,PRV
L$,PVQ
D$49D$
L$ QP
L$$QP
_^[]
L$l;
L$`3
T$@R
D$,t
t$h9t$l
D$(P
D$XR
D$PP
T$h+
L$4u
;t$l
L$4QP
L$xQ
D$`P
t$lFVj
T$|R
9\$l
L$dQR
;\$l
T$ R
D$ P
D$(P
L$0QS
D$4PS
GtP+
PjoQ
@t'f
PjnQ
L$ Q
L$$Q
T$(R
D$,P
T$ R
T$$R
D$(P
L$,Q
T$0R
L$8Q
T$@R
L$HQP
D$ P
D$$P
L$(Q
T$,R
D$ P
D$$P
L$(Q
T$,R
D$ P
D$$P
L$(Q
T$,R
T$ R
T$$R
D$(P
L$,Q
T$PRu
L$ Q
L$$Q
T$(R
D$,P
T$TRP
D$$P
L$XQVS
T$ R
T$$R
D$(P
L$,Q
D$ P
D$$P
L$(Q
T$,R
Rj h
D$.f
L$HQPP
T$lRP
T$`RW
D$DP
L$(Qj
D$8P
L$PQ
T$8R
L$TQ
T$4R
D$TP
|$4u
L$ WQ
>_^3
Ht2Hub
80u
T$$R
L$ Q
L$hQ
L$ Q
D$ P
L$8QV
L$,f
D$(f
L$0f
t$ ;\$$
L$Hh,aH
D$,Q
L$4R
T$<P
D$DQ
L$LR
PQWR
$SVW
=T"H
9\$D
D$@P
|$DO
T$@R
D$<P
L$8Q
L$0R
T$$j
L$$j
|$(j
D$,P
Rhh)H
T$<RP
T$,Rh
T$(RP
t$(PV
~{@Pj
F;t$
L$XQP3
L$pP
Kt3Kt
L$0QQ
D$4P
T$(RR
L$,Q
D$ PP
T$$R
L$Ph
T$$R
D$Ph
T$Hh
D$"P
L$Hh
T$$R
D$Hh
L$&Q
T$Hh
D$(P
L$Hh
L$0Qh
89t$
F;t$
L$$Q
T$ @RP
L$$Q
L$HQh
f9T{
G;|$
T$<R
T$,R
L$ Q
L$ Q
4SVW3
QRPV
y9=
PRj Q
tQWV
L$,Q
D$(P
T$(R
;D$ v
L$(Q
T$(R
\$$j
L$(Q
L$ QV
$SVW
L$$QR
D$(+D$
\$,+\$$
SRQP
T$ Rj
_^[Y]
_^[Y]
PQR
L$ Q
T$ R
D$4PQR
4SVW
D$0P
D$$PV
L$ QP
4SVW
D$0P
T$ R
T$ RP
D$ Pj
L$0Q
D$ PV
L$ QV
D$ P
Ht4Ht*Ht
QRSP
VWPh0
SPjNQ
=T&H
L$PQj
T$tj
HPjOQ
5T&H
T$PRj
K4;K\
D$$PVh0
VVVR
s VR
5T&H
D$<Pj
T$xRj
5T&H
L$(Qj
D$PPj
D$0F
Pj h
t$$<
D$<Pj
T$xRj
T$$RPh0
T$ QRj
T$(Rj
L$PQj
D$0Ft5
L$$QRh0
T$ QRh
D$$PQh0
HVQR
xVQR
hVQR
XVQR
|$ WR
D$,R
D$hP
L$$Q
T$dR
D$,P
L$hQ
T$,R
D$hP
|$$;
L$0Q
D$hP
;D$$r
D$,P
L$hQ
|$$;
D$0PV
L$hQ
;D$$|
t$ j
L$,Q
T$hR
D$$;
D$0PQ
L$hQ
;D$$r
C;\$
T$@R
D$,P
L$hQ
|$H;
;D$Hr
D$PP
F;t$
soSh
T$ P
T$$RQ
$SVW
T$$R
D$ P
\$,9_
D$ PQ
T$ RS@Phx
L$ Q
D$(P
L$8Q
L$HQSP
5tEf
PWVQ
t[8X@tV
Gu#@
_^[]
_^[]
_^[]
PjrS
_^[]
RPQW
va8] t
D$ PW
\$48
T$DR
D$8PQhx
tI95p
L$$Q
PRhx
\$T;
L$(Q
G;|$
T$DR
L$XQPhx
D$8P
tEhL
L$<Q
VSQW
_^[Y]
tIWh0
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
VSWP
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
VSWP
_^[Y]
wLt9
VSWP
_^[Y]
VSWP
_^[Y]
_^[Y]
RW@S
t`HtNHuf
@u1@
PjnW
@u @
RjrW
DSVW
QjrR
QjrR
QjrS
RWVS
PjrS
Pj}Q
QjzR
Nt5f
Gt/f
NtLf
GtFf
Ot;f
Ht5f
RjyP
Rj{P
Qj{R
Rj}P
Qj|R
RjnP
8*u
PWSQ
Nt0f
Gt*f
Nt@f
Gt:f
Ot/f
Ht)f
Qj{R
Rj{P
Qj~R
Rj~P
QjnV
t*Ht
RWSP
RWSQ
Nt5f
Gt/f
RPWS
Nt5f
Gt/f
RjyP
PjqQ
Rj{P
Pj{Q
Rj~P
Pj~Q
RjnP
VSPj
VSPj
bad allocation
CorExitProcess
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Unknown exception
(null)
( 8PX
700WP
`h````
xpxxxx
_nextafter
_logb
frexp
fmod
_hypot
_cabs
ldexp
modf
fabs
floor
ceil
sqrt
atan2
atan
acos
asin
tanh
cosh
sinh
log10
UTF-8
UTF-16LE
UNICODE
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
e+000
('8PW
700PP
`h`hhh
xppwpp
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
new
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
1#QNAN
1#INF
1#IND
1#SNAN
This is a compiled AutoIt script. AV researchers please email [email protected] for support.
uxtheme.dll
IsThemeActive
kernel32.dll
IsWow64Process
GetNativeSystemInfo
AU3_GetPluginDetails
AU3_FreeVar
MARK
ACCEPT
COMMIT
FAIL
PRUNE
SKIP
THEN
Arabic
Armenian
Avestan
Balinese
Bamum
Bengali
Bopomofo
Braille
Buginese
Buhid
Canadian_Aboriginal
Carian
Cham
Cherokee
Common
Coptic
Cuneiform
Cypriot
Cyrillic
Deseret
Devanagari
Egyptian_Hieroglyphs
Ethiopic
Georgian
Glagolitic
Gothic
Greek
Gujarati
Gurmukhi
Hangul
Hanunoo
Hebrew
Hiragana
Imperial_Aramaic
Inherited
Inscriptional_Pahlavi
Inscriptional_Parthian
Javanese
Kaithi
Kannada
Katakana
Kayah_Li
Kharoshthi
Khmer
Latin
Lepcha
Limbu
Linear_B
Lisu
Lycian
Lydian
Malayalam
Meetei_Mayek
Mongolian
Myanmar
New_Tai_Lue
Ogham
Ol_Chiki
Old_Italic
Old_Persian
Old_South_Arabian
Old_Turkic
Oriya
Osmanya
Phags_Pa
Phoenician
Rejang
Runic
Samaritan
Saurashtra
Shavian
Sinhala
Sundanese
Syloti_Nagri
Syriac
Tagalog
Tagbanwa
Tai_Le
Tai_Tham
Tai_Viet
Tamil
Telugu
Thaana
Thai
Tibetan
Tifinagh
Ugaritic
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
alpha
lower
upper
alnum
ascii
blank
cntrl
digit
graph
print
punct
space
word
xdigit
no error
\ at end of pattern
\c at end of pattern
unrecognized character follows \
numbers out of order in {} quantifier
number too big in {} quantifier
missing terminating ] for character class
invalid escape sequence in character class
range out of order in character class
nothing to repeat
operand of unlimited repeat could match the empty string
internal error: unexpected repeat
unrecognized character after (? or (?-
POSIX named classes are supported only within a class
missing )
reference to non-existent subpattern
erroffset passed as NULL
unknown option bit(s) set
missing ) after comment
parentheses nested too deeply
regular expression is too large
failed to get memory
unmatched parentheses
internal error: code overflow
unrecognized character after (?<
lookbehind assertion is not fixed length
malformed number or name after (?(
conditional group contains more than two branches
assertion expected after (?(
(?R or (?[+-]digits must be followed by )
unknown POSIX class name
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
spare error
character value in \x{...} sequence is too large
invalid condition (?(0)
\C not allowed in lookbehind assertion
PCRE does not support \L, \l, \N{name}, \U, or \u
number after (?C is > 255
closing ) for (?C expected
recursive call could loop indefinitely
unrecognized character after (?P
syntax error in subpattern name (missing terminator)
two named subpatterns have the same name
invalid UTF-8 string
support for \P, \p, and \X has not been compiled
malformed \P or \p sequence
unknown property name after \P or \p
subpattern name is too long (maximum 32 characters)
too many named subpatterns (maximum 10000)
repeated subpattern is too long
octal value is greater than \377 (not in UTF-8 mode)
internal error: overran compiling workspace
internal error: previously-checked referenced subpattern not found
DEFINE group contains more than one branch
repeating a DEFINE group is not allowed
inconsistent NEWLINE options
\g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
a numbered reference must not be zero
an argument is not allowed for (*ACCEPT), (*FAIL), or (*COMMIT)
(*VERB) not recognized
number is too big
subpattern name expected
digit expected after (?+
] is an invalid data character in JavaScript compatibility mode
different names for subpatterns of the same number are not allowed
(*MARK) must have an argument
this version of PCRE is not compiled with PCRE_UCP support
\c must be followed by an ASCII character
EA06
%02X
AU3!
FILE
ICMP.DLL
IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho
GetModuleHandleExW
GetSystemWow64DirectoryW
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
DEFINE
UTF8)
UCP)
NO_START_OPT)
CRLF)
ANY)
ANYCRLF)
BSR_ANYCRLF)
BSR_UNICODE)
WSOCK32.dll
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
VERSION.dll
timeGetTime
mciSendStringW
waveOutSetVolume
WINMM.dll
InitCommonControlsEx
ImageList_Create
ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
COMCTL32.dll
WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W
MPR.dll
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetQueryDataAvailable
WININET.dll
EnumProcesses
EnumProcessModules
GetModuleBaseNameW
GetProcessMemoryInfo
PSAPI.DLL
LoadUserProfileW
CreateEnvironmentBlock
UnloadUserProfile
DestroyEnvironmentBlock
USERENV.dll
GetCurrentDirectoryW
IsDebuggerPresent
SetCurrentDirectoryW
GetFullPathNameW
GetModuleFileNameW
FreeLibrary
LoadLibraryA
GetProcAddress
GetCurrentProcess
CloseHandle
GetLastError
DuplicateHandle
CreateThread
WaitForSingleObject
HeapFree
GetProcessHeap
HeapAlloc
Sleep
GetCurrentThreadId
RaiseException
MulDiv
GetVersionExW
GetSystemInfo
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
lstrcpyW
MultiByteToWideChar
lstrlenW
lstrcmpiW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
DeleteFileW
FindNextFileW
MoveFileW
CopyFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetLocalTime
CompareStringW
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
GetTempPathW
GetTempFileNameW
VirtualFree
FormatMessageW
GetExitCodeProcess
SetErrorMode
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
DeviceIoControl
SetFileAttributesW
GetShortPathNameW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetCurrentThread
GetProcessIoCounters
CreateProcessW
SetPriorityClass
LoadLibraryW
VirtualAlloc
LoadLibraryExW
KERNEL32.dll
DestroyIcon
MessageBoxA
GetForegroundWindow
GetSysColorBrush
LoadCursorW
LoadIconW
RegisterClassExW
CreateWindowExW
ShowWindow
SetTimer
RegisterWindowMessageW
CreatePopupMenu
KillTimer
PostQuitMessage
SetFocus
MoveWindow
DefWindowProcW
MessageBoxW
OpenWindowStationW
GetProcessWindowStation
SetProcessWindowStation
OpenDesktopW
CloseWindowStation
CloseDesktop
GetUserObjectSecurity
SetUserObjectSecurity
GetWindowRect
PostMessageW
MapVirtualKeyW
SendMessageW
GetDlgCtrlID
GetParent
GetClassNameW
CharUpperBuffW
EnumChildWindows
SendMessageTimeoutW
ScreenToClient
GetWindowTextW
GetFocus
AttachThreadInput
GetWindowThreadProcessId
GetWindowLongW
InvalidateRect
EnableWindow
IsWindowVisible
IsWindowEnabled
IsWindow
GetDesktopWindow
EnumWindows
DestroyWindow
GetMenu
GetClientRect
BeginPaint
EndPaint
GetDC
ReleaseDC
CopyRect
SetWindowTextW
GetDlgItem
SendDlgItemMessageW
EndDialog
MessageBeep
DialogBoxParamW
LoadStringW
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
SendInput
keybd_event
SystemParametersInfoW
FindWindowW
IsIconic
SetForegroundWindow
GetMenuItemInfoW
SetMenuItemInfoW
GetMenuItemCount
GetMenuItemID
CheckMenuRadioItem
DeleteMenu
GetCursorPos
TrackPopupMenuEx
IsMenu
InsertMenuItemW
SetMenuDefaultItem
EnumThreadWindows
FindWindowExW
SetActiveWindow
ExitWindowsEx
mouse_event
CreateIconFromResourceEx
LoadImageW
MonitorFromRect
CharLowerBuffW
UnregisterHotKey
PeekMessageW
TranslateMessage
DispatchMessageW
LockWindowUpdate
GetMessageW
BlockInput
OpenClipboard
IsClipboardFormatAvailable
GetClipboardData
CloseClipboard
CountClipboardFormats
EmptyClipboard
SetClipboardData
SetRect
AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
ReleaseCapture
SetCapture
WindowFromPoint
USER32.dll
GetDeviceCaps
DeleteObject
GetTextExtentPoint32W
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
CreateSolidBrush
CreatePen
SetBkColor
RoundRect
SetBkMode
GetObjectW
SetViewportOrgEx
Rectangle
BeginPath
PolyDraw
Ellipse
MoveToEx
AngleArc
LineTo
CloseFigure
SetPixel
EndPath
StrokePath
StrokeAndFillPath
ExtCreatePen
GDI32.dll
GetOpenFileNameW
GetSaveFileNameW
COMDLG32.dll
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
CopySid
LogonUserW
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
GetAce
AddAce
SetSecurityDescriptorDacl
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
AdjustTokenPrivileges
InitiateSystemShutdownExW
OpenSCManagerW
LockServiceDatabase
UnlockServiceDatabase
CloseServiceHandle
RegConnectRegistryW
GetUserNameW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumValueW
ADVAPI32.dll
ShellExecuteW
Shell_NotifyIconW
ExtractIconExW
SHGetMalloc
SHGetDesktopFolder
SHGetPathFromIDListW
SHFileOperationW
SHBrowseForFolderW
SHEmptyRecycleBinW
DragQueryFileW
SHGetFolderPathW
ShellExecuteExW
DragQueryPoint
DragFinish
SHELL32.dll
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CLSIDFromString
StringFromGUID2
CoInitialize
CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
CoTaskMemAlloc
CoTaskMemFree
ProgIDFromCLSID
OleInitialize
CreateBindCtx
CLSIDFromProgID
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket
OleUninitialize
IIDFromString
ole32.dll
OLEAUT32.dll
ExitProcess
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetStartupInfoW
IsProcessorFeaturePresent
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStringTypeW
HeapCreate
SetHandleCount
GetFileType
SetStdHandle
GetConsoleCP
GetConsoleMode
LCMapStringW
RtlUnwind
SetFilePointer
GetTimeZoneInformation
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount
HeapReAlloc
WriteConsoleW
SetEndOfFile
SetEnvironmentVariableA
.?AVbad_alloc@std@@
.?AVexception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVtype_info@@
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
?HNH
$Id: qmath.h,v 1.1 2004/01/15 19:50:35 jonbennett Exp $
..(#
pqrstuvwxyz{$--%"!' &,[\
`abcdefghijkmno]
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>
Detection
Snort
File: emerging-trojan.rules Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET any msg: "ET TROJAN Win32/Xtrat.A Checkin" flow: established,to_server content: "/1234567890.functions HTTP/1.1|0d 0a|" content: !"Host|3a| microsoft.com|0d 0a|" distance: 0 reference: url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092 classtype: trojan-activity sid: 2016275 rev: 13
Comments
Keywords: Win32/Xtrat.A b086a2a5c8d526e7be90613f33d1aa8e