About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably), so I will be just dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5. You can find the corresponding samples on contagio or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, September 2, 2013

Vidgrab strings - APT

File: DW20.exe
MD5:  588d3316d4bbfdbb25658d436f06ed96
Size: 118784







!This program cannot be run in DOS mode.
]{@
Rich
.text
`.rdata
@.data
.rsrc
@ANu-------------------snip
@3@
p3@
Sleep
GetTickCount
VirtualFreeEx
CloseHandle
GetModuleFileNameA
CreateFileA
SetSystemTime
GetLocalTime
GetCurrentThreadId
ResumeThread
GetStartupInfoA
GetVersion
KERNEL32.dll
GetMessageA
PostThreadMessageA
GetInputState
USER32.dll
ADVAPI32.dll
SHSetValueA
SHDeleteValueA
SHLWAPI.dll
memset
__CxxFrameHandler
_except_handler3
strcat
??3@YAXPAX@Z
??2@YAPAXI@Z
memcpy
memcmp
fclose
fwrite
fopen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
ZS------------------------snip
WriteProcessMemory
VirtualAllocEx
kernel32.dll
VirtualAlloc
GetProcAddress
GetModuleHandleA
VirtualProtect
LoadLibraryA
VirtualFree
SOFTWARE\KasperskyLab\AVP6\environment
ProductRoot
SOFTWARE\KasperskyLab\protected\AVP9\settings
Ins_ProductPath
\UIFramework\uiWinMgr.exe
SOFTWARE\TrendMicro\Vizor
ProductPath
Kernel32.dll
\avp.exe
\klwtblfs.exe
SOFTWARE\KasperskyLab\protected\AVP12\environment
\wmifw.exe
ReadProcessMemory
CreateThread
Sleep
GetThreadContext
CreateProcessA
%SystemRoot%\System32\svchost.exe
Shlwapi.dll
SHGetValueA
VirtualProtectEx
%temp%\tmp092.tmp
Software\rar
data
\fxsst.dll
%SystemRoot%
IDI_ICON5