Gen.Win32.AVKiller.cmGfaGpgvgjb_7ef9d56436

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

taskkill.exe:1072
taskkill.exe:616
taskkill.exe:1980
sc.exe:828
rundll32.exe:1996
cacls.exe:1632
cacls.exe:1016

The Trojan injects its code into the following process(es):

%original file name%.exe:1972

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process rundll32.exe:1996 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (5 bytes)

The process %original file name%.exe:1972 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\ (4 bytes)
%System%\killkb.dll (12169463 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (1640 bytes)
C:\$Directory (592 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%WinDir%update.dll (31471014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\systemprofile (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (12 bytes)
%System%\drivers (296 bytes)
%Documents and Settings%\%current user% (4 bytes)
%System% (1296 bytes)

Registry activity

The process taskkill.exe:1072 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 41 9C A8 BB E5 03 58 BE 7D 60 D3 72 F6 39 96"

The process taskkill.exe:616 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 73 DD 83 62 68 4D F3 00 B0 DA 30 C3 09 C4 A0"

The process taskkill.exe:1980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F EE E1 44 0E C1 6E 3C F0 E6 FC F0 96 F3 58 FB"

The process sc.exe:828 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 17 C4 D6 EC F4 CC E0 4C 60 3E 0B 21 BE 0C 44"

The process rundll32.exe:1996 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 54 65 C0 CF 4B EC 68 19 86 F1 3E AC F4 9C 4A"

The process cacls.exe:1632 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 5A F5 39 A5 26 56 66 95 C6 C8 83 25 AB 16 98"

The process cacls.exe:1016 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 68 05 53 34 69 05 45 D9 56 EA B1 98 47 FD 65"

Dropped PE files

MD5	File path
baa09efedc1df8cc16a5ca6f58bfe861	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
baa09efedc1df8cc16a5ca6f58bfe861	c:\WINDOWS\system32\drivers\OLD3.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
888ad04f5495f8deef8b2764a93bdde0	c:\WINDOWS\system32\killkb.dll
4a1b0afbaa603e8c7be2f447f491cdd4	c:\WINDOWSupdate.dll

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Trojan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   taskkill.exe:1072
   taskkill.exe:616
   taskkill.exe:1980
   sc.exe:828
   rundll32.exe:1996
   cacls.exe:1632
   cacls.exe:1016

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %System%\drivers\acpiec.sys (5 bytes)
   %System%\killkb.dll (12169463 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
   %System%\CatRoot2 (96 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   C:\$Directory (592 bytes)
   %System%\dllcache (4 bytes)
   %WinDir%\inf (400 bytes)
   %WinDir%update.dll (31471014 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\config\systemprofile (4 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	73728	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	77824	36864	34304	5.46022	fd2effc995d504f5fc70af39539daaad
.rsrc	114688	4096	512	1.58088	04db8b82c4678accefef45abcab0ac5b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1972:

`.rsrc

`.rsrc

Ýfds

Ýfds

cmd /

cmd /

im avp.exe

im avp.exe

.rt= disableduruno

.rt= disableduruno

O328%s,

O328%s,

"%s"?

"%s"?

12345678*.Ogxr

12345678*.Ogxr

update.dll

update.dll

cmd /c taskkill /im avp.exe /f

cmd /c taskkill /im avp.exe /f

cmd /c sc config avp start= disabled

cmd /c sc config avp start= disabled

rundll32.exe %s, droqp

rundll32.exe %s, droqp

\system32\killkb.dll

\system32\killkb.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

*m5

*m5

URLDownloadToCacheFileA

URLDownloadToCacheFileA

>l`b

>l`b

FdsShbjBntms

FdsShbjBntms

EhmcMdwsEhkd@

EhmcMdwsEhkd@

Lctcp

Lctcp

GmdA_jjBpgtcp

GmdA_jjBpgtcp

GmBpgtcpM`hcarRwnc

GmBpgtcpM`hcarRwnc

016-/-/-0

016-/-/-0

016-/-/-1

016-/-/-1

016-/-/-2

016-/-/-2

016-/-/-/

016-/-/-/

010-03-0/0-57

010-03-0/0-57

016-0-0-0

016-0-0-0

016-/-0-0

016-/-0-0

50-017-060-00497/7/

50-017-060-00497/7/

010-00-8/-68

010-00-8/-68

014-8/-77-27

014-8/-77-27

1/3-066-81-57

1/3-066-81-57

10/-63-034-125

10/-63-034-125

10/-65-/-022

10/-65-/-022

108-018-128-11/

108-018-128-11/

50-055-21-1

50-055-21-1

108-042-3/-110

108-042-3/-110

107-81-075-16

107-81-075-16

108-042-35-16

108-042-35-16

108-042-41-012

108-042-41-012

110-084-31-60

110-084-31-60

111-62-107-004

111-62-107-004

1/2-00/-057-12297/

1/2-00/-057-12297/

1/2-00/-057-11097/

1/2-00/-057-11097/

48-23-020-43

48-23-020-43

10/-40-34-4

10/-40-34-4

48-23-087-117

48-23-087-117

48-23-087-77

48-23-087-77

48-23-087-86

48-23-087-86

5/-08/-003-0/0

5/-08/-003-0/0

5/-08/-107-23

5/-08/-107-23

5/-080-013-141

5/-080-013-141

50-034-006-101

50-034-006-101

50-046-0/8-111

50-046-0/8-111

64-015-2-105

64-015-2-105

64-015-2-106

64-015-2-106

64-015-2-107

64-015-2-107

48-014-120-066906666

48-014-120-066906666

64-015-2-11/

64-015-2-11/

64-015-2-110

64-015-2-110

64-015-2-111

64-015-2-111

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.lO

.lO

KERNEL32.DLL

KERNEL32.DLL

MSVCRT.dll

MSVCRT.dll

%original file name%.exe_1972_rwx_00401000_0001A000:

update.dll

update.dll

cmd /c taskkill /im avp.exe /f

cmd /c taskkill /im avp.exe /f

cmd /c sc config avp start= disabled

cmd /c sc config avp start= disabled

rundll32.exe %s, droqp

rundll32.exe %s, droqp

\system32\killkb.dll

\system32\killkb.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

*m5

*m5

URLDownloadToCacheFileA

URLDownloadToCacheFileA

>l`b

>l`b

FdsShbjBntms

FdsShbjBntms

EhmcMdwsEhkd@

EhmcMdwsEhkd@

Lctcp

Lctcp

GmdA_jjBpgtcp

GmdA_jjBpgtcp

GmBpgtcpM`hcarRwnc

GmBpgtcpM`hcarRwnc

016-/-/-0

016-/-/-0

016-/-/-1

016-/-/-1

016-/-/-2

016-/-/-2

016-/-/-/

016-/-/-/

010-03-0/0-57

010-03-0/0-57

016-0-0-0

016-0-0-0

016-/-0-0

016-/-0-0

50-017-060-00497/7/

50-017-060-00497/7/

010-00-8/-68

010-00-8/-68

014-8/-77-27

014-8/-77-27

1/3-066-81-57

1/3-066-81-57

10/-63-034-125

10/-63-034-125

10/-65-/-022

10/-65-/-022

108-018-128-11/

108-018-128-11/

50-055-21-1

50-055-21-1

108-042-3/-110

108-042-3/-110

107-81-075-16

107-81-075-16

108-042-35-16

108-042-35-16

108-042-41-012

108-042-41-012

110-084-31-60

110-084-31-60

111-62-107-004

111-62-107-004

1/2-00/-057-12297/

1/2-00/-057-12297/

1/2-00/-057-11097/

1/2-00/-057-11097/

48-23-020-43

48-23-020-43

10/-40-34-4

10/-40-34-4

48-23-087-117

48-23-087-117

48-23-087-77

48-23-087-77

48-23-087-86

48-23-087-86

5/-08/-003-0/0

5/-08/-003-0/0

5/-08/-107-23

5/-08/-107-23

5/-080-013-141

5/-080-013-141

50-034-006-101

50-034-006-101

50-046-0/8-111

50-046-0/8-111

64-015-2-105

64-015-2-105

64-015-2-106

64-015-2-106

64-015-2-107

64-015-2-107

48-014-120-066906666

48-014-120-066906666

64-015-2-11/

64-015-2-11/

64-015-2-110

64-015-2-110

64-015-2-111

64-015-2-111

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

%original file name%.exe_1972_rwx_10000000_00001000:

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

\pipe\browser

\pipe\browser

\\%s\IPC$

\\%s\IPC$

Bd

Bd

psapi.dll

psapi.dll

\patch.exe

\patch.exe

\dstdisk.exe

\dstdisk.exe

\defence.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\\.\pcidump

\drivers\gm.dls

\drivers\gm.dls

%s%d.txt

%s%d.txt

>>tmp.tmp

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@echo q>>tmp.tmp

@debugnul

@debugnul

@rename tmp2 tmp2.exe

@rename tmp2 tmp2.exe

tmp2.exe

tmp2.exe

Windows

Windows

1.exe

1.exe

autorun.inf

autorun.inf

Open=1.exe

Open=1.exe

urlmon

urlmon

\setup.exe

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

?mac=%s&ver=%s&key=%d&os=windows

.html

.html

.hhqg

.hhqg

qq.exe

qq.exe

360safe.exe

360safe.exe

\explorer.exe

\explorer.exe

\temp\explorer.exe

\temp\explorer.exe

infect_exe

infect_exe

rundll32.exe_1996:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

%original file name%.exe_1972_rwx_10008000_00002000:

\??\c:\%original file name%.exe

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

ers\gm.dls

WinExec

WinExec

CreatePipe

CreatePipe

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll

MPR.dll

MPR.dll

RPCRT4.dll

RPCRT4.dll

MSVCRT.dll

MSVCRT.dll