Analysis Date: 2015-01-23 22:09:45
MD5: 0c496865a4f9b9789deb18328e2e47a9
SHA1: f2efa5d2af0b4243b6cd1af4ecebe0660b6059df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2e50996cc73c4c2fb7ea8f79cf982b26 sha1: 4c62e23e5abafa1f03a8e80ed7ffedc9eda29f3d size: 20480
Section: .rdata md5: e5615fe4c75b4f7ba6eaedb684bf431c sha1: 27541132674b32e7533d791c34de2415e887138b size: 4096
Section: .data md5: 65f79c130923371bceab73bb68dbb967 sha1: feb2d4680321a46c6bde5074d3d3e12c9429bbe2 size: 8192
Section: .data md5: d89efb396e2de62e8a0356fbc6793f99 sha1: c6816dce2333c00a20f5f33ba9769dbebd233704 size: 413696
Section: .rsrc md5: fc951643d696459ebe5bb20c2a5be2c8 sha1: 83f4962da803f7f3c2f76b3c23352fbee47cb277 size: 16384
Section: .tca8 md5: e2da60e60884e66baa96bd5c4525f05c sha1: 6c1dde8f314898520715cbeae4a954081448936f size: 28672
Timestamp: 1972-12-25 05:33:23
PEhash: 8c5cda10058d0b9316a5f5fd8d0b1f561ed30a6c
IMPhash: 9165ea3e914e03bda3346f13edbd6ccd
AV: 360 Safe: Virus.Win32.Agent.O
AV: Ad-Aware: Win32.Viking.AR
AV: Alwil (avast): Flystud-AZ [Trj]
AV: Arcabit (arcavir): Win32.Viking.AR
AV: Authentium: W32/Nuj.A.gen!Eldorado
AV: Avira (antivir): W32/Fujacks.DR
AV: BullGuard: Win32.Viking.AR
AV: CA (E-Trust Ino): Win32/Viking.D
AV: CAT (quickheal): W32.Agent.DP
AV: ClamAV: Worm.Fujack-55
AV: Dr. Web: Win32.HLLW.Autoruner.8224
AV: Emsisoft: Win32.Viking.AR
AV: Eset (nod32): Win32/Agent.DP virus
AV: Fortinet: W32/Fujacks.BF!tr
AV: Frisk (f-prot): W32/FlyStudio.A.gen!Eldorado
AV: F-Secure: Win32.Viking.AR
AV: Grisoft (avg): Win32/Fujacks.S
AV: Ikarus: Trojan.Win32.FlyStudio
AV: K7: Virus ( 00108a531 )
AV: Kaspersky: Virus.Win32.Agent.dp
AV: MalwareBytes: Trojan.Autorun
AV: Mcafee: W32/Fujacks.ay
AV: Microsoft Security Essentials: Virus:Win32/Viking.NK
AV: MicroWorld (escan): Win32.Viking.AR
AV: Rising: Win32.Agent.hn
AV: Sophos: W32/FuzVir-A
AV: Symantec: W32.Loorp.A!inf
AV: Trend Micro: PE_JEEFO.D
AV: VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J4JO9XJZ\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OLAF8TEF\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2B8LUT85\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N9PBU78I\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 209.222.14.3
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1880

Process
↳ Pid 1160

Network Details:

DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: pc1.114central.com
Type: A
209.222.14.3
DNS: nbtj.114anhui.com
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://209.222.14.3/nbok01/dnfTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://209.222.14.3/nbok01/tlTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://209.222.14.3/nbok01/RXCQTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1035 ➝ 209.222.14.3:80

Raw Pcap

Strings