Sample details: 2b2015ca59de820f85b5725463ce3067 --

Hashes
MD5: 2b2015ca59de820f85b5725463ce3067
SHA1: efe8a1ebade7e520f72e104b9615ca1040b2471d
SHA256: cfeb82890456cb503f585f6e0d5f10bddac277bb3bcc8ddbe81fe3abe8cf8f0d
SSDEEP: 3072:Bg9lK8nSY39Ukr5lhgnf+uoBNGcqqgvoCWZjFE:q9lrh39Ukr5z4+uQPZ5E
Details
File Type: PE32
Yara Hits
YRP/Misc_Suspicious_Strings | YRP/contentis_base64 | YRP/domain | YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/anti_dbg | YRP/screenshot | YRP/win_files_operation |
Source
http://photoscape.ch/Setup.exe
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
PSSSSSSSSj
RSSSSSSh 
QPPPPPPPPj
l$L+T$L
D$L+t$L
T$@RWj
T$@RWh
D$@9D$P|
9t$Tu|9L$xuv
u~9\$dte
T$(PQR
D$HQRPW
D$X9|$(t
;D$0|39=X
T$(VQRW
D$0VPj
tWItHIt9It 
HHt$HHt
?If90t
t,hdeA
^SSSSS
t$<"u	3
< tK<	tG
j@j ^V
	X 9} 
v	N+D$
tIj"[:
ukSSSSS
URPQQh`
t"SS9] u
;t$,v-
UQPXY]Y[
v	N+D$
<+t"<-t
+t HHt
PPPPPPPP
PPPPPPPP
VC20XC00U
QQSVWd
f-00f=
t*=RCC
;7|G;p
tR99u2
tRHtCHt4Ht%HtFHHt
Unknown exception
cmd.exe
COMSPEC
bad allocation
(null)
`h````
xpxxxx
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
_nextafter
_hypot
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SystemRoot
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1#QNAN
1#SNAN
0x%08x (%d)
COMBOBOX
WM_PAINT
Create
Development 
vector<T> too long
deque<T> too long
invalid map/set<T> iterator
map/set<T> too long
<8bunz8
l,kg<i
<@En[vP
?uZEeu
?uZEeu
?UUUUUU
?UUUUUU
bad exception
?Dj0Q:W$=
5s3R6=
?ZEM-'^
?{yK+;
?765@Z
?e')lW
UUUUUU
?333333
?333333
?UUUUUU
?$rxxx
C:\eyeball\VSTA\qua.pdb
y]|KEL
"Igy;5
l6Q`{%
IMTGu<
|[=8kQ(
LlEK,!
;u(;EX
KmdCQr
qX#^?_
# p /w
3;Ep6[
_o3d(`
DPiU@+%
FindResourceA
LoadResource
HeapAlloc
GetTickCount
FormatMessageA
LoadLibraryW
SizeofResource
SetConsoleCursorPosition
MulDiv
lstrcatA
InterlockedExchange
GetStdHandle
GetLastError
SetLastError
GetProcAddress
LoadLibraryA
LockResource
GetModuleHandleA
KERNEL32.dll
RegisterClassA
CopyRect
GetDialogBaseUnits
SetClipboardViewer
DestroyMenu
GetSystemMetrics
OpenClipboard
FindWindowExW
GetCursorPos
SetWindowPos
RedrawWindow
DefWindowProcA
EndDialog
GetDlgItem
ChangeClipboardChain
ReleaseDC
CreateWindowExA
GetClipboardData
GetWindowLongA
GetAncestor
SetWindowLongA
CheckMenuRadioItem
GetCursorInfo
BeginPaint
SendMessageA
GetClientRect
IsWindowEnabled
LoadMenuA
IsClipboardFormatAvailable
LoadStringA
GetSubMenu
KillTimer
GetWindowDC
TrackPopupMenu
PostQuitMessage
GetWindowRect
SetTimer
DestroyWindow
EndPaint
USER32.dll
TextOutA
EnumFontsA
GetStockObject
SetPixelFormat
CreateRectRgn
Ellipse
Rectangle
CreateCompatibleBitmap
ColorMatchToTarget
CreateCompatibleDC
SelectObject
DeleteObject
ExcludeClipRect
CopyEnhMetaFileA
SetBkColor
GetDeviceCaps
CreateFontIndirectW
CreateDIBSection
DeleteDC
CreateHatchBrush
DrawEscape
GetTextExtentPoint32A
PatBlt
BitBlt
GDI32.dll
ConnectToPrinterDlg
WINSPOOL.DRV
LookupAccountNameA
AllocateAndInitializeSid
GetLengthSid
LogonUserA
ADVAPI32.dll
SHGetDesktopFolder
SHBrowseForFolderA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHELL32.dll
GetHGlobalFromStream
ole32.dll
mmioAscend
WINMM.dll
GetOwnerModuleFromUdpEntry
GetOwnerModuleFromTcpEntry
GetAdaptersAddresses
IPHLPAPI.DLL
COMCTL32.dll
glClear
glBegin
glLineWidth
glColor3f
OPENGL32.dll
DrawThemeText
OpenThemeData
IsThemeBackgroundPartiallyTransparent
DrawThemeBackground
IsThemeActive
DrawThemeParentBackground
CloseThemeData
UxTheme.dll
phoneGetLamp
TAPI32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
RaiseException
HeapFree
IsProcessorFeaturePresent
EncodePointer
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
GetFileAttributesA
GetModuleHandleW
ExitProcess
WriteFile
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
GetConsoleCP
GetConsoleMode
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetExitCodeProcess
WaitForSingleObject
CloseHandle
CreateProcessA
RtlUnwind
HeapSize
SetStdHandle
WriteConsoleW
MultiByteToWideChar
LCMapStringW
GetStringTypeW
HeapReAlloc
CompareStringW
SetEnvironmentVariableA
CreateFileW
FlushFileBuffers
VirtualQuery
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVexception@std@@
.?AVbad_alloc@std@@
.?AVbad_exception@std@@
	ComSysControl.CtrlPanel.1 = s 'CtrlPanel Class'
		CLSID = s '{A35E5F84-E3CF-4914-8FDB-DB96D9D9624A}'
	ComSysControl.CtrlPanel = s 'CtrlPanel Class'
		CLSID = s '{A35E5F84-E3CF-4914-8FDB-DB96D9D9624A}'
		CurVer = s 'ComSysControl.CtrlPanel.1'
	NoRemove CLSID
		ForceRemove {A35E5F84-E3CF-4914-8FDB-DB96D9D9624A} = s 'CtrlPanel Class'
			InprocServer32 = s '%MODULE%'
				val ThreadingModel = s 'Apartment'
PADHKCR
	ShdExt.ShdMenuExt.1 = s 'ShdMenuExt Class'
		CLSID = s '{4ED6CF18-A58C-436A-A52C-C507DAD7DE24}'
	ShdExt.ShdMenuExt = s 'ShdMenuExt Class'
		CLSID = s '{4ED6CF18-A58C-436A-A52C-C507DAD7DE24}'
		CurVer = s 'ShdExt.ShdMenuExt.1'
	NoRemove CLSID
		ForceRemove {4ED6CF18-A58C-436A-A52C-C507DAD7DE24} = s 'ShdMenuExt Class'
			ProgID = s 'ShdExt.ShdMenuExt.1'
			VersionIndependentProgID = s 'ShdExt.ShdMenuExt'
			ForceRemove 'Programmable'
			InprocServer32 = s '%MODULE%'
				val ThreadingModel = s 'Apartment'
			'TypeLib' = s '{C20B0F44-2F31-458A-9A96-ABF947A596A0}'
	NoRemove SOFTWARE
		NoRemove Classes
			NoRemove *
				NoRemove ShellEx
					NoRemove ContextMenuHandlers
					{
						ForceRemove ShdExt = s '{4ED6CF18-A58C-436A-A52C-C507DAD7DE24}'
					}
			NoRemove Directory
				NoRemove ShellEx
					NoRemove ContextMenuHandlers
					{
						ForceRemove ShdExt = s '{4ED6CF18-A58C-436A-A52C-C507DAD7DE24}'
					}
		NoRemove Microsoft
			NoRemove Windows
				NoRemove CurrentVersion
					NoRemove s 'Shell Extensions'
					{
						NoRemove Approved
						{
							ForceRemove val {4ED6CF18-A58C-436A-A52C-C507DAD7DE24} = s 'ShdExt Extensions'
						}
					}
	NoRemove AppID
		'%APPID%' = s 'VCLImagePaint3'
		'VCLImagePaint3.DLL'
			val AppID = s '%APPID%'
PADHKCR
	NoRemove AppID
		'%APPID%' = s 'VCLImageCompose'
		'VCLImageCompose.DLL'
			val AppID = s '%APPID%'
	NoRemove CLSID
		ForceRemove {2ACD35AB-F74A-4C20-AA9B-2DE80081626D} = s 'PDFXChange Editor Context menu'
			InprocServer32 = s '%MODULE%'
				val ThreadingModel = s 'Apartment'
			TypeLib = s '{943F8130-AED5-4AEF-A54C-328E7FD20461}'
			Version = s '1.0'
	NoRemove *
		NoRemove shellex
			NoRemove ContextMenuHandlers
				ForceRemove 'PDFXChange Editor Context menu' = s {2ACD35AB-F74A-4C20-AA9B-2DE80081626D}
						
	NoRemove Software
		NoRemove Microsoft
			NoRemove Windows
				NoRemove CurrentVersion
					NoRemove 'Shell Extensions'
					{
						NoRemove Approved
						{
							ForceRemove val '{2ACD35AB-F74A-4C20-AA9B-2DE80081626D}' = s 'PDFXChange Editor Context menu'
						}
					}
PADHKCR
	NoRemove AppID
		'%APPID%' = s 'VCLOfficeFB2File'
		'VCLOfficeFB2File.DLL'
			val AppID = s '%APPID%'
PADHKCR
	NoRemove AppID
		'%APPID%' = s 'PDFXCview'
		'PDFXCview.EXE'
			val AppID = s '%APPID%'
	NoRemove AppID
		'%APPID%' = s 'VCLOfficePDFWriter'
		'VCLOfficePDFWriter.DLL'
			val AppID = s '%APPID%'
Es*U-i
>a**Zw
@^bA}n
.rhn|o
HtDP_&
xYdfgd
My]XpIm
*SR+IZx
]+$tdl
6NOWOY
#-4Zgot
7t"4:#
~4Js0IU
?*dtzctZ"
s|ScTzw
>UoTzo7
-4Zsot
Otjg|}~Vj
3.4Jwm
tzctZ"
4*3<*C
`|{wVz
/.4Jsm
`W	k2d
oVns4Z
6:	,Np
Y;W{rv
B[ZV0T
F"IwX1
7q)gl+\^
-L&;Ss~
0gG5 k4
cAH|LC
7y:#UM
z<m*rx
P{X4{c
6fT@']
I;Pig< 
?e4pUs
`:q3TCmk
lj;qtmZ1+
8Yq!e${d
L.	(T9
E' "R3	
E' #S4	
%Q4	3]B
D&# P1
D&# P1
#O41 P2
C&# N1
~~~~~~~~~~~~~~~~~~~~~~~~~~
}kYDCCCCCCCCCCCCCCCCCCCCCCCCCCDYk}
FFFNNNZZZc7'+8ddddddcZZZ
 $$''''$  
FFFFFNNNNZ5
6ZZZZZZZNNN
}kYDCCCCCCCCCCCCCCCCCCCCCCCCCCDYk}
~~~~~~~~~~~~~~~~~~~~~~~~~~
B%6!N2
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <assemblyIdentity
    version="5.0.0.0"
    processorArchitecture="X86"
    type="win32"
    name="Continuum"/>
 <dependency>
  <dependentAssembly>
    <!-- Change the Windows User Account Control -->
  </dependentAssembly>
 </dependency>
  <description>Shared section</description>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  <security>
   <requestedPrivileges>
    <requestedExecutionLevel
     level="AsInvoker"
     uiAccess="false"/>
   </requestedPrivileges>
  </security>
 </trustInfo>
</assembly>PAD
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD