HEUR:Trojan.Win32.Generic (Kaspersky), DeepScan:Generic.Malware.P!Tk.B2E6ED99 (B) (Emsisoft), DeepScan:Generic.Malware.P!Tk.B2E6ED99 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 92ba7a6ffbeaf11f08bf1b80e290b006
SHA1: a48844d3b71464fa0fb5253bf76afec418b4d4f6
SHA256: a1df0abbbf5d633bfa8b2c383faad7baac1e77c4a4f3691181a3bafaae7b2bb7
SSDeep: 3072:PKWQaSusddv0jIQ44sVPF/TCSUnL67d1zkeQ4uHeOdHSj/MmJ6fAkNsfJ TN:Pydv0jIQ0N/TnUnO7dQ GHurfu
Size: 246272 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The DeepScan creates the following process(es):
taskkill.exe:188
taskkill.exe:1368
taskkill.exe:1376
sc.exe:1500
rundll32.exe:492
cacls.exe:1028
The DeepScan injects its code into the following process(es):
%original file name%.exe:580
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process rundll32.exe:492 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%System%\drivers\acpiec.sys (14 bytes)
The process %original file name%.exe:580 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (12169462 bytes)
%WinDir% (384 bytes)
C:\ (4 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (1281 bytes)
C:\$Directory (4 bytes)
%System%\config (104 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\drivers (96 bytes)
%System% (744 bytes)
Registry activity
The process taskkill.exe:188 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 58 FD 22 CB 6E 36 15 12 5C 48 0B 6B 2C 18 C0"
The process taskkill.exe:1368 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 95 7B 00 07 E1 2E B2 06 F3 52 BB D1 AE 48 F5"
The process taskkill.exe:1376 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 A6 E2 CB AA 5C 0A 51 A4 3F 91 3A 4A FC DF DB"
The process sc.exe:1500 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 88 1A A9 31 BF 59 51 8F FE 69 81 45 B8 3A 56"
The process rundll32.exe:492 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 13 19 BE 46 A9 93 D2 E3 FC 62 09 A1 75 92 55"
The process cacls.exe:1028 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 1D 98 88 15 B6 3B 40 D2 86 87 B1 5C 06 33 5D"
Dropped PE files
MD5 | File path |
---|---|
47ce67ae447dba7ca7349f53812e9f89 | c:\WINDOWS\LastGood\system32\drivers\acpiec.sys |
8e6fb4575c611d4bd5675319da81b786 | c:\WINDOWS\s265006334.dll |
9859c0f6936e723e4892d7141b1327d5 | c:\WINDOWS\system32\dllcache\acpiec.sys |
47ce67ae447dba7ca7349f53812e9f89 | c:\WINDOWS\system32\drivers\OLD3.tmp |
601b3f2466bfa6989b9c7586b5ba54aa | c:\WINDOWS\system32\drivers\pcidump.sys |
3e3b8a35aefc6e462746d6689348fa7e | c:\WINDOWS\system32\m1846741.dll |
HOSTS file anomalies
The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | v.onondown.com.cn |
127.0.0.2 | ymsdasdw1.cn |
127.0.0.3 | h96b.info |
127.0.0.0 | fuck.zttwp.cn |
127.0.0.0 | www.hackerbf.cn |
127.0.0.0 | geekbyfeng.cn |
127.0.0.0 | 121.14.101.68 |
127.0.0.0 | ppp.etimes888.com |
127.0.0.0 | www.bypk.com |
127.0.0.0 | CSC3-2004-crl.verisign.com |
127.0.0.1 | va9sdhun23.cn |
127.0.0.0 | udp.hjob123.com |
127.0.0.2 | bnasnd83nd.cn |
127.0.0.0 | www.gamehacker.com.cn |
127.0.0.0 | gamehacker.com.cn |
127.0.0.3 | adlaji.cn |
127.0.0.1 | 858656.com |
127.1.1.1 | bnasnd83nd.cn |
127.0.0.1 | my123.com |
127.0.0.0 | user1.12-27.net |
127.0.0.1 | 8749.com |
127.0.0.0 | fengent.cn |
127.0.0.1 | 4199.com |
127.0.0.1 | user1.16-22.net |
127.0.0.1 | 7379.com |
127.0.0.1 | 2be37c5f.3f6e2cc5f0b.com |
127.0.0.1 | 7255.com |
127.0.0.1 | user1.23-12.net |
127.0.0.1 | 3448.com |
127.0.0.1 | www.guccia.net |
127.0.0.1 | 7939.com |
127.0.0.1 | a.o1o1o1.nEt |
127.0.0.1 | 8009.com |
127.0.0.1 | user1.12-73.cn |
127.0.0.1 | piaoxue.com |
127.0.0.1 | 3n8nlasd.cn |
127.0.0.1 | kzdh.com |
127.0.0.0 | www.sony888.cn |
127.0.0.1 | about.blank.la |
127.0.0.0 | user1.asp-33.cn |
127.0.0.1 | 6781.com |
127.0.0.0 | www.netkwek.cn |
127.0.0.1 | 7322.com |
127.0.0.0 | ymsdkad6.cn |
127.0.0.0 | www.lkwueir.cn |
127.0.0.1 | 06.jacai.com |
127.0.1.1 | user1.23-17.net |
127.0.0.1 | 1.jopenkk.com |
127.0.0.0 | upa.luzhiai.net |
127.0.0.1 | 1.jopenqc.com |
127.0.0.0 | www.guccia.net |
127.0.0.1 | 1.joppnqq.com |
127.0.0.0 | 4m9mnlmi.cn |
127.0.0.1 | 1.xqhgm.com |
127.0.0.0 | mm119mkssd.cn |
127.0.0.1 | 100.332233.com |
127.0.0.0 | 61.128.171.115:8080 |
127.0.0.1 | 121.11.90.79 |
127.0.0.0 | www.1119111.com |
127.0.0.1 | 121565.net |
127.0.0.0 | win.nihao69.cn |
127.0.0.1 | 125.90.88.38 |
127.0.0.1 | 16888.6to23.com |
127.0.0.1 | 2.joppnqq.com |
127.0.0.0 | puc.lianxiac.net |
127.0.0.1 | 204.177.92.68 |
127.0.0.0 | pud.lianxiac.net |
127.0.0.1 | 210.74.145.236 |
127.0.0.0 | 210.76.0.133 |
127.0.0.1 | 219.129.239.220 |
127.0.0.0 | 61.166.32.2 |
127.0.0.1 | 219.153.40.221 |
127.0.0.0 | 218.92.186.27 |
127.0.0.1 | 219.153.46.27 |
127.0.0.0 | www.fsfsfag.cn |
127.0.0.1 | 219.153.52.123 |
127.0.0.0 | ovo.ovovov.cn |
127.0.0.1 | 221.195.42.71 |
127.0.0.0 | dw.com.com |
127.0.0.1 | 222.73.218.115 |
127.0.0.1 | 203.110.168.233:80 |
127.0.0.1 | 3.joppnqq.com |
127.0.0.1 | 203.110.168.221:80 |
127.0.0.1 | 363xx.com |
127.0.0.1 | www1.ip10086.com.cm |
127.0.0.1 | 4199.com |
127.0.0.1 | blog.ip10086.com.cn |
127.0.0.1 | 43242.com |
127.0.0.1 | www.ccji68.cn |
127.0.0.1 | 5.xqhgm.com |
127.0.0.0 | t.myblank.cn |
127.0.0.1 | 520.mm5208.com |
127.0.0.0 | x.myblank.cn |
127.0.0.1 | 59.34.131.54 |
127.0.0.1 | 210.51.45.5 |
127.0.0.1 | 59.34.198.228 |
127.0.0.1 | www.ew1q.cn |
127.0.0.1 | 59.34.198.88 |
127.0.0.1 | 59.34.198.97 |
127.0.0.1 | 60.190.114.101 |
127.0.0.1 | 60.190.218.34 |
127.0.0.0 | qq-xing.com.cn |
127.0.0.1 | 60.191.124.252 |
127.0.0.1 | 61.145.117.212 |
127.0.0.1 | 61.157.109.222 |
127.0.0.1 | 75.126.3.216 |
127.0.0.1 | 75.126.3.217 |
127.0.0.1 | 75.126.3.218 |
127.0.0.0 | 59.125.231.177:17777 |
127.0.0.1 | 75.126.3.220 |
127.0.0.1 | 75.126.3.221 |
127.0.0.1 | 75.126.3.222 |
127.0.0.1 | 772630.com |
127.0.0.1 | 832823.cn |
127.0.0.1 | 8749.com |
127.0.0.1 | 888.jopenqc.com |
127.0.0.1 | 89382.cn |
127.0.0.1 | 8v8.biz |
127.0.0.1 | 97725.com |
127.0.0.1 | 9gg.biz |
127.0.0.1 | www.9000music.com |
127.0.0.1 | test.591jx.com |
127.0.0.1 | a.topxxxx.cn |
127.0.0.1 | picon.chinaren.com |
127.0.0.1 | www.5566.net |
127.0.0.1 | p.qqkx.com |
127.0.0.1 | news.netandtv.com |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | b.myblank.cn |
127.0.0.1 | wvw.wokutu.com |
127.0.0.1 | unionch.qyule.com |
127.0.0.1 | www.qyule.com |
127.0.0.1 | it.itjc.cn |
127.0.0.1 | www.linkwww.com |
127.0.0.1 | vod.kaicn.com |
127.0.0.1 | www.tx8688.com |
127.0.0.1 | b.neter888.cn |
127.0.0.1 | promote.huanqiu.com |
127.0.0.1 | www.huanqiu.com |
127.0.0.1 | www.haokanla.com |
127.0.0.1 | play.unionsky.cn |
127.0.0.1 | www.52v.com |
127.0.0.1 | www.gghka.cn |
127.0.0.1 | icon.ajiang.net |
127.0.0.1 | new.ete.cn |
127.0.0.1 | www.stiae.cn |
127.0.0.1 | o.neter888.cn |
127.0.0.1 | comm.jinti.com |
127.0.0.1 | www.google-analytics.com |
127.0.0.1 | hz.mmstat.com |
127.0.0.1 | www.game175.cn |
127.0.0.1 | x.neter888.cn |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | p.etimes888.com |
127.0.0.1 | hx.etimes888.com |
127.0.0.1 | abc.qqkx.com |
127.0.0.1 | dm.popdm.cn |
127.0.0.1 | www.yl9999.com |
127.0.0.1 | www.dajiadoushe.cn |
127.0.0.1 | v.onondown.com.cn |
127.0.0.1 | www.interoo.net |
127.0.0.1 | bally1.bally-bally.net |
127.0.0.1 | www.bao5605509.cn |
127.0.0.1 | www.rty456.cn |
127.0.0.1 | www.werqwer.cn |
127.0.0.1 | 1.360-1.cn |
127.0.0.1 | user1.23-16.net |
127.0.0.1 | www.guccia.net |
127.0.0.1 | www.interoo.net |
127.0.0.1 | upa.netsool.net |
127.0.0.1 | js.users.51.la |
127.0.0.1 | vip2.51.la |
127.0.0.1 | web.51.la |
127.0.0.1 | qq.gong2008.com |
127.0.0.1 | 2008tl.copyip.com |
127.0.0.1 | tla.laozihuolaile.cn |
127.0.0.1 | www.tx6868.cn |
127.0.0.1 | p001.tiloaiai.com |
127.0.0.1 | s1.tl8tl.com |
127.0.0.1 | s1.gong2008.com |
127.0.0.1 | 4b3ce56f9g.3f6e2cc5f0b.com |
Rootkit activity
The DeepScan installs the following kernel-mode hooks:
ZwQuerySystemInformation
Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:188
taskkill.exe:1368
taskkill.exe:1376
sc.exe:1500
rundll32.exe:492
cacls.exe:1028 - Delete the original DeepScan file.
- Delete or disinfect the following files created/modified by the DeepScan:
%System%\drivers\acpiec.sys (14 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (12169462 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (1281 bytes)
C:\$Directory (4 bytes)
%System%\config (104 bytes)
%System%\drivers\pcidump.sys (5404535 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Sherry.ai Software
Product Name: Sherry.ai(R) Windows(R)
Product Version: 1.0.0.1
Legal Copyright: (C) Sherry.ai. All rights reserved.
Legal Trademarks:
Original Filename: Svchost.EXE
Internal Name: CALC
File Version: 1.0.0.1
File Description:
Comments:
Language: Language Neutral
Company Name: Sherry.ai SoftwareProduct Name: Sherry.ai(R) Windows(R)Product Version: 1.0.0.1Legal Copyright: (C) Sherry.ai. All rights reserved.Legal Trademarks: Original Filename: Svchost.EXEInternal Name: CALCFile Version: 1.0.0.1File Description: Comments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1488 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 8192 | 726 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 12288 | 1145 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 16384 | 262144 | 161280 | 4.26571 | f2994eb6bec58869f42a0b1e00a60207 |
.vmp0 | 278528 | 27696 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 307200 | 83385 | 83456 | 5.47117 | 48809a8c3e23f5c055edaca80f30b526 |
.reloc | 393216 | 92 | 512 | 0.753009 | e000199eeb0430684b8358569cf52f0c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The DeepScan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_580:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.vmp0
@.vmp0
`.vmp1
`.vmp1
.reloc
.reloc
%s\s%d%d.dll
%s\s%d%d.dll
rundll32.exe %s, droqp
rundll32.exe %s, droqp
%s\system32\m%d%d.dll
%s\system32\m%d%d.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cmd /c sc config ekrn start= disabled
cacls %s /e /p everyone:f
cacls %s /e /p everyone:f
cacls "%s" /e /p everyone:f
cacls "%s" /e /p everyone:f
\temp\explorer.exe
\temp\explorer.exe
\drivers\gm.dls
\drivers\gm.dls
explorer.exe
explorer.exe
windows
windows
webtrap
webtrap
WEBSCANX
WEBSCANX
WEBSCAN
WEBSCAN
smtpsvc
smtpsvc
safeweb
safeweb
Kabackreport
Kabackreport
[ffi][nil:>:,::mn^::K
[ffi][nil:>:,::mn^::K
,1(*(*(
,1(*(*(
,1(*(*(,
,1(*(*(,
,1(*(*(-
,1(*(*(-
,1(*(*(*
,1(*(*(*
, ( .( * (02
, ( .( * (02
,1( ( (
,1( ( (
,1(*( (
,1(*( (
0 ( ,2( 1 ( /42*2*
0 ( ,2( 1 ( /42*2*
, ( (3*(13
, ( (3*(13
,/(3*(22(-2
,/(3*(22(-2
,*.( 11(3,(02
,*.( 11(3,(02
, *(1.( ./(,-0
, *(1.( ./(,-0
, *(10(*( --
, *(10(*( --
, 3( ,3(,-3(,,*
, 3( ,3(,-3(,,*
0 ( 00(-,(,
0 ( 00(-,(,
, 3( /-(.*(,,
, 3( /-(.*(,,
, 2(3,( 20(,1
, 2(3,( 20(,1
, 3( /-(.0(,1
, 3( /-(.0(,1
, 3( /-(/,( ,-
, 3( /-(/,( ,-
,, ( 3/(.,(1
,, ( 3/(.,(1
,,,(1-(, 2( /
,,,(1-(, 2( /
,*-( *( 02(,--42*
,*-( *( 02(,--42*
,*-( *( 02(,, 42*
,*-( *( 02(,, 42*
/3(-.( - (/.
/3(-.( - (/.
, *(/ (./(/
, *(/ (./(/
/3(-.( 32(,,2
/3(-.( 32(,,2
/3(-.( 32(22
/3(-.( 32(22
/3(-.( 32(31
/3(-.( 32(31
0*( 3*( .( *
0*( 3*( .( *
0*( 3*(, 2(-.
0*( 3*(, 2(-.
0*( 3 ( ,.(,/,
0*( 3 ( ,.(,/,
0 ( ./( 1(, ,
0 ( ./( 1(, ,
0 ( /1( *3(,,,
0 ( /1( *3(,,,
1/( ,0(-(, 0
1/( ,0(-(, 0
1/( ,0(-(, 1
1/( ,0(-(, 1
1/( ,0(-(, 2
1/( ,0(-(, 2
/3( ,/(,- ( 114 1111
/3( ,/(,- ( 114 1111
1/( ,0(-(,,*
1/( ,0(-(,,*
1/( ,0(-(,,
1/( ,0(-(,,
1/( ,0(-(,,,
1/( ,0(-(,,,
3-3?3\3{3
3-3?3\3{3
/!/-/6/`0~0
/!/-/6/`0~0
Ci>_f_n_Msg\ifc]Fche
Ci>_f_n_Msg\ifc]Fche
Ci=l_[n_Msg\ifc]Fche
Ci=l_[n_Msg\ifc]Fche
F;.VF
F;.VF
7O6%F
7O6%F
!pJ%C
!pJ%C
.zx\)
.zx\)
LR(.Xu
LR(.Xu
d;.UP
d;.UP
jn/%c
jn/%c
WinExec
WinExec
user32.dll
user32.dll
MSVCRT.dll
MSVCRT.dll
SHELL32.dll
SHELL32.dll
KERNEL32.DLL
KERNEL32.DLL
GetWindowsDirectoryA
GetWindowsDirectoryA
Sherry.ai Software
Sherry.ai Software
1.0.0.1
1.0.0.1
(C) Sherry.ai. All rights reserved.
(C) Sherry.ai. All rights reserved.
Svchost.EXE
Svchost.EXE
Sherry.ai(R) Windows(R)
Sherry.ai(R) Windows(R)
%original file name%.exe_580_rwx_10000000_00001000:
.data
.data
.rsrc
.rsrc
@.reloc
@.reloc
psapi.dll
psapi.dll
\patch.exe
\patch.exe
\dstdisk.exe
\dstdisk.exe
\defence.exe
\defence.exe
192yuioealdjfiefjsdfas.txt
192yuioealdjfiefjsdfas.txt
%SystemRoot%\System32\DRIVERS\puid.sys
%SystemRoot%\System32\DRIVERS\puid.sys
\drivers\pcidump.sys
\drivers\pcidump.sys
System32\DRIVERS\pcidump.sys
System32\DRIVERS\pcidump.sys
%SystemRoot%\system32\drivers\puid.sys
%SystemRoot%\system32\drivers\puid.sys
\\.\pcidump
\\.\pcidump
\drivers\gm.dls
\drivers\gm.dls
%s%d.txt
%s%d.txt
>>tmp.tmp
>>tmp.tmp
@echo rcx>>tmp.tmp
@echo rcx>>tmp.tmp
@echo %X>>tmp.tmp
@echo %X>>tmp.tmp
@echo n tmp2>>tmp.tmp
@echo n tmp2>>tmp.tmp
@echo w>>tmp.tmp
@echo w>>tmp.tmp
@echo q>>tmp.tmp
@echo q>>tmp.tmp
@debugnul
@debugnul
@rename tmp2 tmp2.exe
@rename tmp2 tmp2.exe
tmp2.exe
tmp2.exe
Windows
Windows
1.exe
1.exe
autorun.inf
autorun.inf
Open=1.exe
Open=1.exe
urlmon
urlmon
\setup.exe
\setup.exe
?mac=%s&ver=%s&key=%d&os=windows
?mac=%s&ver=%s&key=%d&os=windows
.html
.html
.hhqg
.hhqg
qq.exe
qq.exe
360safe.exe
360safe.exe
\explorer.exe
\explorer.exe
\temp\explorer.exe
\temp\explorer.exe
nfect_exe
nfect_exe
\pipe\browser
\pipe\browser
\\%s\IPC$
\\%s\IPC$
Bd
Bd
%original file name%.exe_580_rwx_1000A000_00002000:
\??\c:\%original file name%.exe
\??\c:\%original file name%.exe
\??\%WinDir%\explorer.exe
\??\%WinDir%\explorer.exe
ers\gm.dls
ers\gm.dls
WinExec
WinExec
CreatePipe
CreatePipe
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
WS2_32.dll
WS2_32.dll
InternetOpenUrlA
InternetOpenUrlA
WININET.dll
WININET.dll
rundll32.exe_492:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s