Analysis Date: 2014-11-20 14:40:19
MD5: 704f2be22a27d2e01cb916e078d32964
SHA1: d8bd4c0256513d27c41e472fb552848339093c11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2b5063826bbe8f7195388d8c3ab9cf61 sha1: 46dac5f5b0774559c4cf19271a69b07426ead0e9 size: 638464
Section: .rdata md5: 604637250d297658f25bdd9b2991ce38 sha1: 8cf65a9ee0a3a93b9e7a9eb44aead3fc3d67b95e size: 52224
Section: .data md5: 78d4b1ff509339e04e6813d4c4615123 sha1: 8276950a33d85515703b421c125ac90aa3867d74 size: 123392
Timestamp: 2014-02-12 17:38:44
Packer: Microsoft Visual C++ ?.?
PEhash: fa7f035fabb8882a42269365a935b4524534de6d
IMPhash: 053c47f994568c9544a0448f2359147c
AV 360 Safe: Gen:Variant.Symmi.22722
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-VHF [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Symmi.AH.gen!Eldorado
AV Avira (antivir): no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Eset (nod32): Win32/Kryptik.BQWI
AV Fortinet: W32/COMROKI.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Crypt2
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic:Trojan.Win32.PEF.pf.silent.175154:Trojan.Win32.PEF.pf.silent.181830:Trojan.Win32.PEF.pf.silent.374886:Trojan.Win32.PEF.pf.silent.375904:Trojan.Win32.PEF.pf.silent.376942:Trojan.Win32.PEF.pf.silent.377697:Trojan.Win32.PEF.pf.silent.378515:Trojan.Win32.PEF.pf.silent.379237:Trojan.Win32.PEF.pf.silent.380145:Trojan.Win32.PEF.pf.silent.380997:Trojan.Win32.PEF.pf.silent.416452:Trojan.Win32.PEF.pf.silent.415562:Trojan.Win32.PEF.pf.silent.432299:Trojan.Win32.PEF.pf.silent.432810:Trojan.Win32.PEF.pf.silent.445825:Trojan.Win32.PEF.pf.silent.454569:Trojan.Win32.PEF.pf.silent.456542
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Norman: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TSPY_NIVDORT.SMA
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hw3tnv1liqxkfbyypfr.exe
Creates File: C:\WINDOWS\system32\stejqrbesk\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hw3tnv1liqxkfbyypfr.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hw3tnv1liqxkfbyypfr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Session Now KtmRm Biometric Human ➝ C:\WINDOWS\system32\dynkebrhks.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\dynkebrhks.exe
Creates File: C:\WINDOWS\system32\stejqrbesk\etc
Creates File: C:\WINDOWS\system32\stejqrbesk\lck
Creates File: C:\WINDOWS\system32\stejqrbesk\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\dynkebrhks.exe
Creates Service: Error Level Assistant Adaptive - C:\WINDOWS\system32\dynkebrhks.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\dynkebrhks.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\stejqrbesk\rng
Creates File: C:\WINDOWS\system32\stejqrbesk\run
Creates File: C:\WINDOWS\system32\stejqrbesk\cfg
Creates File: C:\WINDOWS\system32\stejqrbesk\lck
Creates File: C:\WINDOWS\TEMP\hw3tnv1rpuxk.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\fkslbzads.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\stejqrbesk\tst
Creates Process: C:\WINDOWS\TEMP\hw3tnv1rpuxk.exe -r 26327 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\dynkebrhks.exe"

Process
↳ C:\WINDOWS\system32\dynkebrhks.exe

Creates File: C:\WINDOWS\system32\stejqrbesk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\dynkebrhks.exe"

Creates File: C:\WINDOWS\system32\stejqrbesk\tst

Process
↳ C:\WINDOWS\TEMP\hw3tnv1rpuxk.exe -r 26327 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:


Strings