Analysis Date: 2015-11-17 23:00:31
MD5: 8886763e821ca32356298af6f69cfb27
SHA1: b402ee7ebd694b4b3787b83b4d061321c56aa699

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e98ce3d4b15fd44ea6f576f7c89fe050 sha1: eb1890579012bfd7d6dc6baeec0c757090af9c66 size: 199680
Section: .rdata md5: 3ce2e15f43435e0e98f21ff1ae26d8c5 sha1: 1fb7c6534e6e1973eb1124c242efd90e32a76728 size: 59904
Section: .data md5: 8180ba10727964551be51c93da36bd0b sha1: facf449fd401e1fd40e04eab77344ac7f0191bc7 size: 29696
Section: .reloc md5: 2bf797ee082907af362a63a4dfc73917 sha1: feee281ba3b0b7cb832f589b1c4fa1b50b9ca3a5 size: 8704
Timestamp: 2013-03-30 14:27:51
Pdb path: d:\enter\Against\verb\my\stick\consonant\start\summerplease.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 4deb83729678c90bc42a857ff7431d14a38c1472
IMPhash: dc30004d7554212a9764e7d3d60dbd50
AV Rising: no_virus
AV Mcafee: PWSZbot-FDM!8886763E821C
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV Twister: Trojan.8BEC@2FF56FF#7421.mg
AV Ad-Aware: Gen:Variant.Graftor.127565
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.A
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Trojan.Zbot
AV Fortinet: W32/Zbot.PKJO!tr
AV BitDefender: Gen:Variant.Graftor.127565
AV K7: Trojan-Downloader ( 0039179f1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Graftor.127565
AV MalwareBytes: Trojan.Agent.NR
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Win32.SuspectCrc
AV Emsisoft: Gen:Variant.Graftor.127565
AV Zillya!: Downloader.Andromeda.Win32.2928
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): Worm.Gamarue.B
AV VirusBlokAda (vba32): TrojanDownloader.Andromeda
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Graftor.127565
AV Arcabit (arcavir): Gen:Variant.Graftor.127565
AV ClamAV: Win.Trojan.Agent-906159
AV Dr. Web: Trojan.MulDrop4.29612
AV F-Secure: Gen:Variant.Graftor.127565
AV CA (E-Trust Ino): Win32/Gamarue.EeEIaSD

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00E35EEE ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe"

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msybtpshq.pif\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msybtpshq.pif
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSI\msiexec.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 3227095050
Creates Mutex: TLS
Winsock DNS: img.suckmycocklameavindustry.in
Winsock DNS: pe.suckmycocklameavindustry.in
Winsock DNS: sc.suckmycocklameavindustry.in

Network Details:

DNS: www.update.microsoft.com.nsatc.net, Type: A, 65.55.50.189
DNS: www.update.microsoft.com.nsatc.net, Type: A, 65.55.50.190
DNS: pe.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: sc.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: img.suckmycocklameavindustry.in, Type: A, 50.116.32.177
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.28.197
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.28.198
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.28.199
DNS: xdqzpbcgrvkj.ru, Type: A, 195.22.28.196
DNS: anam0rph.su, Type: A, 195.22.28.197
DNS: anam0rph.su, Type: A, 195.22.28.198
DNS: anam0rph.su, Type: A, 195.22.28.199
DNS: anam0rph.su, Type: A, 195.22.28.196
DNS: orzdwjtvmein.in, Type: A, 195.22.28.199
DNS: orzdwjtvmein.in, Type: A, 195.22.28.196
DNS: orzdwjtvmein.in, Type: A, 195.22.28.197
DNS: orzdwjtvmein.in, Type: A, 195.22.28.198
DNS: ygiudewsqhct.in, Type: A, 52.28.249.128
DNS: bdcrqgonzmwuehky.nl, Type: A, 176.58.104.168
DNS: somicrososoft.ru, Type: A, 193.201.224.46
DNS: www.update.microsoft.com, Type: A
HTTP GET: http://pe.suckmycocklameavindustry.in/vtnlfdxuomgeyvpnhfzxqoigayrpjhty
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://sc.suckmycocklameavindustry.in/busmkecvtnlfdxuomgeyvpnhfzxqoizz
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://img.suckmycocklameavindustry.in/uomgeyvpnhfzxqoigayrpjhbzsqkicss
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://xdqzpbcgrvkj.ru/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://anam0rph.su/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://orzdwjtvmein.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://ygiudewsqhct.in/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://bdcrqgonzmwuehky.nl/in.php
User-Agent: Mozilla/4.0
HTTP POST: http://somicrososoft.ru/in.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.189:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1035 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1036 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.28.197:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 195.22.28.197:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.199:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1043 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1045 ➝ 176.58.104.168:80
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 193.201.224.46:80
