Trojan.Downloader.JRXX (B) (Emsisoft), Trojan.Downloader.JRXX (AdAware)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: feecdea8e9cc55853109a6f095a9ae9d
SHA1: f8664a49dee27e47b828874178520c2707acce41
SHA256: 6a36bf7e674ad0624c41286df56e780ae9afd500541d87c4d1bf538a29f13642
SSDeep: 12288:OJpsQMfeO /6ge ng5qCF/iU0M6vdVj9/PnT/jfNril0:g77j/6h nHCR0M61V1/zj1rP
Size: 794624 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Lorenzi Davide (hexagora.com)
Created at: 2015-06-30 17:02:04
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:320
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexRasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ShimCacheMutex
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1MJGDMZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AM37NIVC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B7VTVYFD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RA97X8QI\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE C3 30 A0 03 11 A0 9A F6 26 AF 35 8A 86 E8 70"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:320
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1MJGDMZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AM37NIVC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B7VTVYFD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RA97X8QI\desktop.ini (67 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: fdsfds
Product Name: gfdvfdstgr
Product Version: 4.0.0.1
Legal Copyright: (C) ?gfdf?gfd????
Legal Trademarks:
Original Filename: TQ.exe
Internal Name: EQ.exe
File Version: 4.0.0.1
File Description: vfdhsgdshgrsg
Comments:
Language: Language Neutral
Company Name: fdsfdsProduct Name: gfdvfdstgrProduct Version: 4.0.0.1Legal Copyright: (C) ?gfdf?gfd????Legal Trademarks: Original Filename: TQ.exeInternal Name: EQ.exeFile Version: 4.0.0.1File Description: vfdhsgdshgrsgComments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 261417 | 262144 | 4.60996 | 9d9d0674db89bbf27cb0239f5470214d |
.rdata | 266240 | 57374 | 61440 | 3.32904 | 98719aa4f2ba16c3a3e964c033b5719a |
.data | 327680 | 26172 | 12288 | 2.52203 | f3b7b9af92e6848125088f350458bf31 |
.rsrc | 356352 | 454632 | 454656 | 4.42046 | e0b6ee922bdb197568e56c99bf743219 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 71
046d6f9a68fda4ea0014449c3cbeb772
ed4e3b2e69e350d982a6f554d2bef621
d3a3ff999e0cf5d1d80db4ffb503ae08
cc3217fce697458e61f5ac6ebb2675de
c3ad3c8596148125c90a2fa51bf5a80b
acb9dd567989a1feb25aecf5e2b38ed8
a7b4c5e2543b4efd8ad166cc450b7c09
932545b04d84c810bcfd4fa103ace67e
519ac83f27aa048becf9036f4a0a77af
d9c92690f6f7eb7acd0431d10a042095
30719bcbbe3274a39bbef81e7214a7c5
c4b7e7b49001c43f4bb14a579c1c984b
bac1df40b4fd6076d0b2a4bf8dacc600
6fdcab021389a8682493aba99b6b8162
4a01688f66378e8470087f5c651ca06f
363608133c3e40624f9c3c2963b4eef8
32e7620e4061a26e6f31cc1312612abf
127bc8b65fd82e0976968d45b61ae049
f6f63502b304f89bfabc7174754156af
f0fe2a71c8f42da50a261e173072ad4e
d81c73f13e3081c29d7d93d3d67a0205
9fba302183d16ccbcefd90b766ddb2a0
68c8ff1c4bd9dc597fdee149617fe643
faa69705f95700c2639a609959a7a7d5
f4a0c47a7d4bd882b2882379c7b04996
Network Activity
URLs
URL | IP |
---|---|
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json | 180.149.136.219 |
hxxp://count.dcttl.com/setup/az_jg.php?op=click_install&ri=%original file name%.exe&vs=1.1&mc=00-0C-29-8A-8B-37&tm=1440969186&key=cf5d2ef0642ed8cb5c290cdf0ff458f5&sd=&dq={"ret":1,"start":-1,"end":-1,"country":"u4e4cu514bu5170","province":"","city":"","district":"","isp":"","type":"","desc":""}&sc=1276*818&os=Windows XP(32) | 122.226.102.82 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /iplookup/iplookup.php?format=json HTTP/1.1
User-Agent: Http
Host: int.dpool.sina.com.cn
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 30 Aug 2015 21:13:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 127
Connection: close
DPOOL_HEADER: tyr105
SINA-LB:aGEuMTE4LmcyLnlmLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS:OThmMjk2Y2UgMCAwIDAgNCAwCg==
{"ret":1,"start":-1,"end":-1,"country":"\u4e4c\u514b\u5170","province":"","city":"","district":"","isp":"","type":"","desc":""}..
GET /setup/az_jg.php?op=click_install&ri=%original file name%.exe&vs=1.1&mc=00-0C-29-8A-8B-37&tm=1440969186&key=cf5d2ef0642ed8cb5c290cdf0ff458f5&sd=&dq={"ret":1,"start":-1,"end":-1,"country":"u4e4cu514bu5170","province":"","city":"","district":"","isp":"","type":"","desc":""}&sc=1276*818&os=Windows XP(32) HTTP/1.1
User-Agent: Http
Host: count.dcttl.com
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 30 Aug 2015 21:13:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
X-Powered-By: PHP/5.3.29
0..
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_320:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
\$ SSSSh
\$ SSSSh
aSSSh
aSSSh
.VVVVVSRSSj
.VVVVVSRSSj
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
CNotSupportedException
CNotSupportedException
hhctrl.ocx
hhctrl.ocx
%s (%s:%d)
%s (%s:%d)
f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
commctrl_DragListMsg
CCmdTarget
CCmdTarget
comctl32.dll
comctl32.dll
comdlg32.dll
comdlg32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
ntdll.dll
kernel32.dll
kernel32.dll
%s.dll
%s.dll
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
user32.dll
user32.dll
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
mscoree.dll
mscoree.dll
KERNEL32.DLL
KERNEL32.DLL
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
operator
operator
portuguese-brazilian
portuguese-brazilian
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
OLEACC.dll
OLEACC.dll
%s?ri=%s&equipment=%d
%s?ri=%s&equipment=%d
%s\*.*
%s\*.*
%sA%sA%sA%sA%s
%sA%sA%sA%sA%s
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
%d*%d
%d*%d
%s(%s)
%s(%s)
%s?op=click_install&ri=%s&vs=%s&mc=%s&tm=%s&key=%s&sd=%s&dq=%s&sc=%s&os=%s
%s?op=click_install&ri=%s&vs=%s&mc=%s&tm=%s&key=%s&sd=%s&dq=%s&sc=%s&os=%s
%s?op=install&ri=%s&vs=%s&mc=%s&tm=%s&key=%s&bar=%s
%s?op=install&ri=%s&vs=%s&mc=%s&tm=%s&key=%s&bar=%s
%s?op=%s&ri=%s&vs=%s&mc=%s&tm=%s&key=%s
%s?op=%s&ri=%s&vs=%s&mc=%s&tm=%s&key=%s
%s?op=1&gid=%d&no=%d&&ri=%s&vs=%s&mc=%s&tm=%s&key=%s
%s?op=1&gid=%d&no=%d&&ri=%s&vs=%s&mc=%s&tm=%s&key=%s
%s\%s
%s\%s
ay.exe
ay.exe
Tray.exe
Tray.exe
wanxiang.exe
wanxiang.exe
pubwin.exe
pubwin.exe
yaoqianshu.exe
yaoqianshu.exe
FrzState2k.exe
FrzState2k.exe
fzclient.exe
fzclient.exe
DFServ.exe
DFServ.exe
BarChargesProxy.exe
BarChargesProxy.exe
PowerRemind.exe
PowerRemind.exe
wxServer.exe
wxServer.exe
DisklessView.exe
DisklessView.exe
BarClientView.exe
BarClientView.exe
HintClient.exe
HintClient.exe
DesktopNav.exe
DesktopNav.exe
freezemagic.exe
freezemagic.exe
%Program Files% (x86)\TTWord\
%Program Files% (x86)\TTWord\
%Program Files%\TTWord\
%Program Files%\TTWord\
%s\WuWord.exe
%s\WuWord.exe
%s\dic\
%s\dic\
%s%s%s
%s%s%s
in Json::Value::operator[](ArrayIndex): requires arrayValue
in Json::Value::operator[](ArrayIndex): requires arrayValue
in Json::Value::operator[](int index): index cannot be negative
in Json::Value::operator[](int index): index cannot be negative
in Json::Value::resolveReference(key, end): requires objectValue
in Json::Value::resolveReference(key, end): requires objectValue
f:\WuWord\release\WuWord.pdb
f:\WuWord\release\WuWord.pdb
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetConsoleOutputCP
GetConsoleOutputCP
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamA
CreateDialogIndirectParamA
GetKeyState
GetKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GDI32.dll
GDI32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyA
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
SHLWAPI.dll
SHLWAPI.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
InternetOpenUrlA
InternetOpenUrlA
WININET.dll
WININET.dll
iphlpapi.dll
iphlpapi.dll
.PAVCOleException@@
.PAVCOleException@@
.PAVCException@@
.PAVCException@@
.PAVCObject@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCFileException@@
zcÃ
zcÃ
.?AVCCmdTarget@@
.?AVCCmdTarget@@
Windows XP
Windows XP
Windows 7
Windows 7
Windows 8
Windows 8
c:\%original file name%.exe
c:\%original file name%.exe
"iTXtXML:com.adobe.xmp
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
K;T%F
K;T%F
{.EiYK
{.EiYK
:ð.$
:ð.$
B@-I0}
B@-I0}
p-3MQ}
p-3MQ}
Zl.RP
Zl.RP
0
0
F:\gp$:j9
F:\gp$:j9
K%S; ;CA
K%S; ;CA
5{9wsSsh_
5{9wsSsh_
TCPS
TCPS
fTpy
fTpy
aE .dt
aE .dt
%X>?k
%X>?k
" id="W5M0MpCehiHzreSzNTczkc9d"?> N/m
" id="W5M0MpCehiHzreSzNTczkc9d"?> N/m
" id="W5M0MpCehiHzreSzNTczkc9d"?> P
" id="W5M0MpCehiHzreSzNTczkc9d"?> P
" id="W5M0MpCehiHzreSzNTczkc9d"?> ,
" id="W5M0MpCehiHzreSzNTczkc9d"?> ,
" id="W5M0MpCehiHzreSzNTczkc9d"?> @
" id="W5M0MpCehiHzreSzNTczkc9d"?> @
.st5rdY
.st5rdY
.SkaYp
.SkaYp
" id="W5M0MpCehiHzreSzNTczkc9d"?> ;"
" id="W5M0MpCehiHzreSzNTczkc9d"?> ;"
" id="W5M0MpCehiHzreSzNTczkc9d"?> L
" id="W5M0MpCehiHzreSzNTczkc9d"?> L
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
#LI.MH
#LI.MH
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
D,.Ij
D,.Ij
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
tGHt.Ht&
tGHt.Ht&
- floating point support not loaded
- floating point support not loaded
COMDLG32.dll
COMDLG32.dll
RegCreateKeyExW
RegCreateKeyExW
ShellExecuteW
ShellExecuteW
bizidong
bizidong
accKeyboardShortcut
accKeyboardShortcut
hXXp://jq.qq.com/?_wv=1027&k=bJ87In
hXXp://jq.qq.com/?_wv=1027&k=bJ87In
hXXp://VVV.wuroom.com
hXXp://VVV.wuroom.com
Build:%s %s
Build:%s %s
10:14:46
10:14:46
%s\dic\*.txt
%s\dic\*.txt
%s,%d
%s,%d
%*[^|]||%[^
%*[^|]||%[^
%[^|]|%[^|]|%[^
%[^|]|%[^|]|%[^
%s\dic\%s.txt
%s\dic\%s.txt
%s\dic\RWord.bin
%s\dic\RWord.bin
%swuword.bin
%swuword.bin
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
1, 0, 0, 1
1, 0, 0, 1
WuWord.exe
WuWord.exe
All Files (*.*)
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
4.0.0.1
4.0.0.1
EQ.exe
EQ.exe
TQ.exe
TQ.exe