Analysis Date: 2014-02-22 02:56:56
MD5: 5f6cd71d29b9921dacf4ef8479d89f81
SHA1: 299c8a61e632743dde175c80729a4294869bf08f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0f3cb6d707543ba2ea2d0beebbece2c8 sha1: 092c16eb10f7b884df50ea5e099f22bdca106aab size: 64512
Section .rdata md5: 79603fe16ce70d42890ab9d10ef36c91 sha1: f7976993ac526efcb4e84036305816611d1e3239 size: 12800
Section .data md5: b341f8b8689bc673bb7fcf6c76d55232 sha1: 7e7652a3a2cb126b3fc452d1d474d7bdbaeb92a6 size: 51200
Section .rsrc md5: 37e80bf84840d92a1f8a3d5d6ca37e30 sha1: c7a56bd64e83df93b3eff24239f8318ff72ced91 size: 512
Section .drdata md5: 84c48b8da7e9b9d3c5667ad9819debd9 sha1: d2258cfecefde0e3ad67dd5b9883a2bbc60890e8 size: 61440
Timestamp: 2013-12-18 20:38:59
Packer: Microsoft Visual C++ ?.?
PEhash: 948c6806a3684c894fbd448ff0e0e1719ebce240
IMPhash: 19960cedd2e99305a2d68f3831c45bcc
AV avg: BackDoor.Generic18.BTR
AV mcafee: RDN/Downloader.a!pf
AV msse: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vinukykeapud ➝ C:\Documents and Settings\Administrator\vinukykeapud.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\vinukykeapud.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paintball[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icigrain[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\avant-ime[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plus[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\agence-des-druides[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\arquiteturadigital[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\pcpeds[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\xing-group[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lockerlookz[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\empordalia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\screaminpeach[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\asterisk.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sarahdavid[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sortedorganizing[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\realtechre[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lockerlookz[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\empordalia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\paintball[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\screaminpeach[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icigrain[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\asterisk.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sarahdavid[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\avant-ime[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plus[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\agence-des-druides[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sortedorganizing[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\pcpeds[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\arquiteturadigital[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\xing-group[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\realtechre[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: vinukykeapud

Network Details:


Strings