
Sample details: dd9a05981d3bcd06b44d0979a6a917c7 --

Hashes
MD5: dd9a05981d3bcd06b44d0979a6a917c7
SHA1: 41379aae06dead45955a1d4e6d65561b9cad1727
SHA256: 35e76b1be97318bc439dcd8a33b4b495da5ef4451fddc6b34f983d57d58f87d1
SSDEEP: 6144:yUqlfLbmzmiG+3dB8XvuqTzUSiUxEnnCDVw+E:yU6fezI+tKTz/Rw7
Details
File Type: PE32
Yara Hits
YRP/Visual_Cpp_2005_DLL_Microsoft | YRP/Visual_Cpp_2003_DLL_Microsoft | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/win_files_operation | YRP/BLOWFISH_Constants | YRP/RijnDael_AES | YRP/RijnDael_AES_CHAR | YRP/RijnDael_AES_LONG | YRP/BASE64_table | YRP/VC8_Random | YRP/GenerateTLSClientHelloPacket_Test |
Parent Files
081bd29bab7797263b2991d51efbc60e
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.kkkkk0
@.kkkkk1
`.reloc
string too long
invalid string position
Unknown exception
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
(null)
`h````
xpxxxx
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
bad exception
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
Invalid source, size is not a multiple of 4
Invalid parameter
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
bad allocation
%d|%s|%d@
vector<T> too long
Incorrect key length
Incorrect buffer length
Data not multiple of Block Size
Object not Initialized
Empty key
d:\work\QisuClient\trunk\project3.0\plugin\AntiCheat\AntiCheatClient\Release\edtool.pdb
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
RaiseException
RtlUnwind
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetLastError
LCMapStringA
WideCharToMultiByte
MultiByteToWideChar
LCMapStringW
HeapFree
HeapAlloc
HeapSize
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetStringTypeA
GetStringTypeW
LeaveCriticalSection
EnterCriticalSection
GetLocaleInfoA
VirtualAlloc
HeapReAlloc
LoadLibraryA
InitializeCriticalSectionAndSpinCount
SetFilePointer
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
CloseHandle
FlushFileBuffers
KERNEL32.dll
edtool.dll
GetInstance
.?AVout_of_range@std@@
.?AVtype_info@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVbad_exception@std@@
<4,$?7/'
(3-!0,1'8"5.*2$
?456789:;<=
 !"#$%&'()*+,-./0123
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
.?AVruntime_error@std@@
.?AVexception@std@@
.?AVbad_alloc@std@@
.?AVCEncryptManager@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVCEncryptTool@@
.?AVIEncryptInterface@@
.?AVCRijndael@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
Western Cape1
Durbanville1
Thawte1
Thawte Certification1
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
131119000000Z
170209235959Z0
BEIJING1
BEIJING1907
0BEIJING QIYI CENTURY SCIENCE&TECHNOLOGY CO.,LTD.1>0<
5Digital ID Class 3 - Microsoft Software Validation v21'0%
TECHNOLOGY PRODUCTS DEPARTMENT1907
0BEIJING QIYI CENTURY SCIENCE&TECHNOLOGY CO.,LTD.0
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
100208000000Z
200207235959Z0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
[0Y0W0U
	image/gif0!0
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA
www.iqiyi.com 0
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
150215110848Z0#
%q1SA0