Analysis Date2015-01-14 11:51:23
MD50d84d1380aee775889fd30bee06053d0
SHA162c0a48dfda49d203e1eecc9ca283b4bdda3f6d1

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 7914b4ad77fc3f9bd3958e25b2146f13 sha1: 28b275c37f739296521ba9cbfecbc01c667916be size: 75264
Section.rdata md5: 9354d4fd6dfd94f1d135e61d721a14c1 sha1: 302457928c2453399d067379b161efc68e354f38 size: 71680
Section.data md5: a0dd3468af787831c1f26f261acd8caf sha1: cfe56a9a2ec2b41abe5870608314a1099ad2d413 size: 9216
Section.rsrc md5: 66b0fb41cd57747a82b175b688eeca8e sha1: ac6a8ce569654567498f97c549861d11cd67b081 size: 30208
Section.text md5: 7e56156dfcfced72ab4622fa6caf7a85 sha1: 35c99a3ae8946265f7e4c460ef3c1ef1a58a46ae size: 111104
Timestamp2014-10-08 10:03:52
VersionLegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: CTRPP.EXE
FileVersion: 6.0.6000.16384 (vista_rtm.061029-1900)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.0.6000.16384
FileDescription: parse/validate performance counter manifest and generate helper source files
OriginalFilename: CTRPP.EXE
PEhashb79532772c9c96580bbfed7bea247403dc930bb9
IMPhashf11af46e68d7a0d285e916f74355a73d
AV360 SafeVirus.Win32.Ramnit.A
AVAd-AwareTrojan.Dropper.XCA
AVAlwil (avast)RmnDrp:Win32:RmnDrp
AVArcabit (arcavir)Trojan.Dropper.XCA
AVAuthentiumW32/Ramnit.E
AVAvira (antivir)W32/Ramnit.C
AVBullGuardTrojan.Dropper.XCA
AVCA (E-Trust Ino)Win32/Ramnit.C
AVCAT (quickheal)W32.Ramnit.BA
AVClamAVW32.Ramnit-1
AVDr. WebWin32.Rmnet.8
AVEmsisoftTrojan.Dropper.XCA
AVEset (nod32)Win32/Ramnit.H virus
AVFortinetW32/Ramnit.C
AVFrisk (f-prot)W32/Ramnit.E
AVF-SecureTrojan.Dropper.XCA
AVGrisoft (avg)Win32/Zbot.G
AVIkarusTrojan.Inject
AVK7Virus ( 001d9d511 )
AVKasperskyVirus.Win32.Nimnul.a
AVMalwareBytesVirus.Ramnit
AVMcafeeW32/Ramnit.a
AVMicrosoft Security EssentialsVirus:Win32/Ramnit.P
AVMicroWorld (escan)Trojan.Dropper.XCA
AVRisingWin32.Mgr.a
AVSophosW32/Ramnit-A
AVSymantecW32.Ramnit.B!inf
AVTrend MicroPE_RAMNIT.DEN
AVVirusBlokAda (vba32)Virus.Win32.Nimnul.b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\62c0a48dfda49d203e1eecc9ca283b4bdda3f6d1mgr.exe
Creates ProcessC:\62c0a48dfda49d203e1eecc9ca283b4bdda3f6d1mgr.exe
Creates ProcessC:\malware.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates FileC:\Program Files\huettqja\pbvjeqsq.exe
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Program Files\huettqja\px3.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Program Files\Internet Explorer\dmlconf.dat
Creates FileC:\62c0a48dfda49d203e1eecc9ca283b4bdda3f6d1mgr.exe
Deletes FileC:\Program Files\huettqja\px3.tmp
Creates Mutex{37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\62c0a48dfda49d203e1eecc9ca283b4bdda3f6d1mgr.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\malware.exe

Network Details:

DNSgoogle.com
Type: A
173.194.125.73
DNSgoogle.com
Type: A
173.194.125.72
DNSgoogle.com
Type: A
173.194.125.71
DNSgoogle.com
Type: A
173.194.125.70
DNSgoogle.com
Type: A
173.194.125.69
DNSgoogle.com
Type: A
173.194.125.68
DNSgoogle.com
Type: A
173.194.125.67
DNSgoogle.com
Type: A
173.194.125.66
DNSgoogle.com
Type: A
173.194.125.65
DNSgoogle.com
Type: A
173.194.125.64
DNSgoogle.com
Type: A
173.194.125.78
DNSstromoliks.com
Type: A
66.228.61.232
DNSpromoliks.com
Type: A
72.14.182.233
DNSpornoliks.com
Type: A
72.14.182.233
Flows TCP192.168.1.1:1032 ➝ 173.194.125.73:80
Flows TCP192.168.1.1:1033 ➝ 66.228.61.232:443
Flows TCP192.168.1.1:1034 ➝ 66.228.61.232:443
Flows TCP192.168.1.1:1035 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1036 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1037 ➝ 72.14.182.233:443
Flows TCP192.168.1.1:1038 ➝ 72.14.182.233:443

Raw Pcap

Strings
_..P.
.....
..xr.$.g ..6.=/.....H..;-.XZ\.5...gik......n
Q...r..
..
......
..3.T..../...I...A
......J.O..[...s*........A..
*.M
J..@
.N.a..
=
.".1..$\.. ?'
3.K.#Nv..4.5.@...r...b1Q.......fE^....F..L...d..
~.....+...z.I..|9..W...O.#d...G.`
$J.U.&p
4R
e...
...
....0..."V..".-..<.Qz}..).L...b...>.Y[...\..n.v...Y
.t
oq_...q.l....%.
......-+.......G%..7.......G%.....
.-......oU.2.M.*.e.=.6...>.B.6.:.N.j.%.)m8x...p.v...O@BzE.b...^...zkE.fdfx...*..v.B$.....
..........9........;..x..Y
...>W...s......._.........C.o.\j\...F.w.s<t.P.....N
.b:.X*.^@.t
h.l>..Z.x.|
.[
..MA.h..YQ.d.... ..l.~
..t.|....[..
[....5TJ.5..ab....|...to....
....#....
..2....-..
(..:....T......b.
P..^9
.
.V......x.......K...N|..:...w..W...R..d...V..y
.i
.........&&(.%..$46.C..22D.Q..@@B._".NNP.m0.l\^.k>.zzl.y<.....PJ....1X.'..t..fQ...0..^...8..{...,......E.............!....
;
......#..
.$.1... ".?
.'.0yM..K<>.K..YZL.Y.+ghj.g*(uvx.u85s....FB.....dW...
.rt..........#......
..y...V..v...[......c
....
.....
....
.x-..+...+..9:,.9..GHJ.G
.UVX....Sdf.<&.[bt
x.
n.@N9..|.J`... .Xm.....fz...4......[......2......G......X......c...
Q...
......
.$.(C..4...9:,7..EFH.E
.CTV.c..QRd.q4._`b..B.mnp
.P..|~..^......\
....pjE...Q~x1..._..U....C.....
...g..
...o....
n....
..!..
.../.
.. .=
..,..;
1<J<.I
>JXZ.W.;Xfh.e(HVtv.L6.dr..ZT....+..1..^\C...nh!...O..|z..........`......c......F......c....
.x
..
..w....&(.%.(.46.C.=$2D.Q.J2@B._"g@NP.m0t^\^.k>.lzl.y<.z....J......X.....|f....M......[....U.....i...Z..v...J......i...
.
..........$&.3..!"4kA
./02....=>@.  .[LN.Rx42.]^`k>0lzl.y<=z....J:.....XO...,.f\...)..i...2......9......e......F......]....
Q.........9..$.(>...#46A
."02.O..0>@.] 
NLN.[..\j\.i,%jxz.w:"x..
.H7v....VD...;.tQ......n...#......
......e..
...s....9......ZLuQiE
.....
...$&.q.e.i4..;,..yD .K<>....X4.OPR..xs&.abt..D.opr..R.}~...`....".n....
.l......z
...D..
...K......P..(......M...X
.Z
..q
.g..
y..t'(*.'.y568.5..3DF.S
.ABT.a$GPPR.o2d^^`.}@q|ln.{N~..|..L....!.Z......h....,.v....6......N......G......D......X..K
.
.H...a....$&.3..""4.A
.002.O..>>@.] .\LN.[..jj\.i,.xxz.w:......H....
.V....A.t
..."..#...$..0...*..E..........p......h....
....
..!....../.... .=
$<,..;
9JJ<.I
FXXZ.W.Cffh.e(Pdtv..6err...Tr.....b......p......~....A.|....,......@......S..
....
.
...n
.+..
v..8.
...
**..)..88:.7..FFH.E
$DTV.c.9RRd.q4h``b
.B.nnp..P..|~..^......\....1.j....$.x....<......F......^..
...W......T...
.h
.,...S...&&(.%.
$46.C.
22D.Q..@@B._"
NNP.m0
l\^.k>.zzl.y</...
.J,...
.X9.....fF...&..[...(..x...
......g.,}...h.........:.
...!..3.....X.$:..;..g568..v.2X.Q.
9BBT.$..Nd .M:4>``b
B..l.>...R.}~.
.`....'.n....(.l....4.z.....)
..........+-/..........)..
.
.......S.
...I.)...]568.,.O.c.H.W
.9..XI....iU.....0.q.
4.y.S...J....b2...._..Br..l<....
.J.>..d.
.G.+.t.H..n...!KgQ;M?A.rC.qM
......u.....
h....
..#
...5.....q=>@v["i.[..!..:.....
..G.....U..N
.. ....[..D..y..r1..
P..}
f....
I......J....K.h.2..rIV.G......
KI.<L@SUW.kmotceg._}..suw|...........
   :: 
00-+ 
CC
\
. 
..
.\
{----}
.
..S
i
2u2L
.
.x
c

040904B0
1F=N
1nn/
3D Dark Shadow
3D Light
4$2V
5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
5e:YV
6.0.6000.16384
6.0.6000.16384 (vista_rtm.061029-1900)
*@7$
_8jwT
8Oj)P(
A</ 
Abort
&Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Active Border
Active Caption
&All
Alt+
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
Application Workspace
April
Aqua
Assertion failed
August	September
Background
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
bG):dv%
Bitmap image is not valid
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
b'k	
BkSp
Black
Blue
&B,o
Button Face
Button Highlight
Button Shadow
Button Text
C.5iR
Cancel
Cannot assign a %s to a %s
Cannot create file "%s". %s
Cannot drag a form
Cannot hide an MDI Child Form)Cannot change Visible in OnShow or OnHide"Cannot make a visible window modal
Cannot open file "%s". %s
Canvas does not allow drawing
Caption Text
Class %s not found
&Close
CompanyName
Confirm
Control-C hit
Cream
Ctrl+
CTRPP.EXE
December
Default	Gray Text
Division by zero
DLGTEMPLATE
Docked control must have a name%Error removing control from dock tree
 - Dock zone has no control
 - Dock zone not found
Down
DxI=4Di8
Enter
Error
Error creating window class+Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table of Contents
Exception in safecall method
External exception %x
February
ff54;
File access denied
FileDescription
File not found
FileVersion
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
Fuchsia
Gray
Green
                                 H
         (((((                  H
&Help
         h((((                  H
Highlight Background
Highlight Text
Home
'HU%b
$I#8
iB@G
Icon image is not valid!Cannot change the size of an icon
&Ignore
ijhAm
Inactive Border
Inactive Caption
Inactive Caption Text
Info Background	Info Text
Information
Integer overflow Invalid floating point operation
Interface not supported
InternalName
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid property path
Invalid property value List capacity out of bounds (%d)
Invalid stream format$''%s'' is not a valid component name
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
jjjjjj
JPEG
July
June
JwQIb'%
?=;(k
KERNEL32.DLL
l,!6
Left
LegalCopyright
Lime
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
March
Maroon
Medium Gray
Menu Background	Menu Text
Menu index out of range
Menu inserted twice
Microsoft
Microsoft Corporation
 Microsoft Corporation. All rights reserved.
Monday
Money Green
mscoree.dll
MS Sans Serif
&m<vr
#mXz
Navy
No argument for format '%s'"Variant method calls not supported
No help found for %s#No context-sensitive help installed$No topic-based help system installed
No help keyword specified.
None
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex
N&o to All
November
(null)
October
O=F"
Olive
[?"OM
On"s
 Operating System
Operation not supported
OriginalFilename
!OUk&GSf
Out of memory
Out of system resources
parse/validate performance counter manifest and generate helper source files
PgDn
PgUp
\Pih
PREVIEWGLYPH
Privileged instruction(Exception %s in module %s at %p.
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Purple
Range check error
Read
Read beyond end of file	Disk full
Resource %s not found
&Retry
Right
&RSG
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Scroll Bar
Shift+
Silver
!'%s' is not a valid integer value
Sky Blue
Space
%s%s
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
%s (%s, line %d)
Stack overflow
Stream read error
Stream write error
StringFileInfo
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Teal
Text exceeds memo capacity/Menu '%s' is already being used by another form
Thursday
Too many open files
Translation
Tuesday	Wednesday
>'UA
 UBX
Unable to insert a line Clipboard does not support Icons
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
VarFileInfo
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
%VrpR"
VS_VERSION_INFO
W!<&
W6}b;
wA2 
Warning
White
Window Background
Window Frame
 Windows
Window Text
Write$Error creating variant or safe array
>!XR
?y9K
Yellow
&Yes
Yes to &All
YkD6S
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
1:6J/F7l|
'1PO^]
2""333:"C8
2""#33:DC8
24&o h
2$B""""C38
2C4"""D338
2z+P$bZ
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
333333?
3333333
$3333333
#3333333
33333333
33333333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
3333333333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
33338?383
3333Dc3333333
3333f3333333?
3333fc33333338
3333>fd333338
3334JC33333338?333
3336Dc3333338
3336fC3333338
:*"*"$3338
333838
333*C33
333DDD33333?
333>fC333333
333>fd333333
$334B"$3
334C33333338
33B$3333333
33DDDDD3333
33fd3>fC333
33>ffffc338
`[3%432
34""C33333833
3B""$33333
\3J|2E
4"*""C3338
4DF334DC33
'#$)}4j
4s0a=R
4s^V	e
#5m.=|
/5um@|
5X3OI:
	61++94
6uu5M$
7(Aoi[
7{p{Y.
7 t`}(E
8.0,zp
9Dg_[9
9?t,\|U
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
$/A@HG
AjVN='
Allocated memory successfully
An application has made an attempt to load the C runtime library incorrectly.
AnimateWindow
aoqn$T|
a>TOH 
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
avvedkji
b~@,\[
b DJ9`ph
B>*nx4
Bqw,'T
B(-Rie
:"C333
"$c33333
c333333
"C333333
C3333333
C33333833?33
"C3338
c33*C333
c6?Ub=
"C8338
Call timer routine in 10 seconds...
CharNextA
CjC338
CloseHandle
c^`^lz
c_MON!|
CONOUT$
Coordinated universal time is %s
CorExitProcess
CreateEventA
CreateEvent failed (%d)
CreateFileA
CreateProcessA
- CRT not initialized
cWZ~wu
_D5	X	
@.data
dbghelp.dll
"dc3333833
D*C33383
:DC33:""$8
DD[Ao=
"DDB""$3
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DestroyWindow
-"dIel
DOMAIN error
DrXPwJ
dUCFQF
\"=*`e1
EGqiJ[
Ej#:DHy
EncodePointer
EnterCriticalSection
e|Q}sn
Error: List is not empty.
ExitProcess
EY.6y"
%f=^8U
fC333?3
fC33333
fDFfC338
fdVeP$sw
February
$ff2&`Nf
F*F333383
fff3333
Fh=@|B
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
F\=P>B
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
GetACP
GetActiveWindow
GetCommandLineA
GetCompressedFileSizeW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetKeyboardType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVolumeInformationA
GetWindowsDirectoryA
?GF${A*
`Gfw$h0
[@g~,Q
g#\q>d}z
g(rHdG
gVTd[ZY`_n
GyI%(N
|G:-ZW
`h````
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtXHHt
hQ0Z8d
HY_^Z[
?i7(Am2
iB>kXX_
>If90t
{[:ifN4
ImageDirectoryEntryToDataEx
ImageRvaToSection
iMSs%%
InitializeCriticalSectionAndSpinCount
InitializeSListHead
InterlockedDecrement
InterlockedFlushSList
InterlockedIncrement
InterlockedPopEntrySList
InterlockedPushEntrySList
IsDebuggerPresent
IsValidCodePage
"J333333
J9?5Hz
JanFebMarAprMayJunJulAugSepOctNovDec
January
"J"C3333
j@j ^V
jo=qLR
j"^SSSSS
jTh(KB
jYb0SL3Z
.[`<k>
k7vGJ	
kernel32.dll
KERNEL32.dll
kEw	}(k
{:K]IxL
K:s-q;
LCMapStringA
LCMapStringW
LeaveCriticalSection
List is empty.
LoadLibraryA
LoadStringA
LocalAlloc
Lz83)p
m-af{V
Memory allocation failed.
MessageBoxA
\mgr.exe
{/mGZGPV/[\>
Microsoft Visual C++ Runtime Library
MM/dd/yy
./&Mmm*
Monday
\"Mr(i
MultiByteToWideChar
n?1%H69
ng0N-xR
NMKS4Qb'
/NNKf2
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
o~:@2s]
October
OpenMutexA
+	oS}.
OV/t6s@
:OWVEDKJ
p`/|~'
p(A4Dq
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD`
P}{AS,
PI\R9+
p|KH=}=
Please contact the application's support team for more information.
pPhr]}
PPPPPPPP
Problem allocating memory
Program: 
<program name unknown>
psW*8d
- pure virtual function call
$P\V9)
qiU]\=
qK8EI)>
QueryPerformanceCounter
Q|ynTl
-[$RD.
`.rdata
ReplaceFileA
rH4fg.
Rqib}j
r*=}rO
RtlUnwind
runtime error 
Runtime Error!
s075j\
Saturday
September
SetComputerNameExA
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetLayeredWindowAttributes
SetStdHandle
SetUnhandledExceptionFilter
:_S/g"
Signature is %d
SING error
SRQWVj
^SSSSS
st^d~f
st^`po,
SU3zcq
Sunday
SunMonTueWedThuFriSat
SWJngc
SymGetLineNext64
SymGetModuleBase64
\tajL	
TerminateProcess
@.text
The wait event was signaled.
The wait timed out.
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
Timer routine called. Parameter is %d.
TimerRoutine lpParam is NULL
< tK<	tG
\T%>;l
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t"SS9]
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
u?3=R3
u"7WcG
U|C9]D
-UFni[
`U"@H	
- unable to initialize heap
- unable to open console device
UnDecorateSymbolName
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
uu5T)c
Uv5MU,
VerQueryValueA
VERSION.dll
vH4fg.
VirtualAlloc
VirtualFree
.:VKU[
v	N+D$
.*Vp=WX
v?qG(o
vtJOEZ
VWQRSj
V}WV`5l
!v#~x0[
>w3bw*
WaitNamedPipeW
Wednesday
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile
^WWWWW
x`1.w%gj
X 3dd".
XCtP5Uc
xppwpp
xpxxxx
xs*o[8
?^Y~~-
yp=N"{;
yQZXY-
>=Yt1j
]y|tm-9
;Y_ved
Z3	*X^#x
zh4 _W
;(ZrzI