Backdoor.Win32.PcClient_82b072430d

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

taskkill.exe:560
taskkill.exe:188
taskkill.exe:1480
sc.exe:548
rundll32.exe:1720
cacls.exe:348
cacls.exe:1584

The Backdoor injects its code into the following process(es):

%original file name%.exe:136

File activity

The process rundll32.exe:1720 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (13 bytes)

The process %original file name%.exe:136 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

C:\ (4 bytes)
%System%\wbem\Logs (4 bytes)
C:\autorun.inf (21 bytes)
%WinDir%\WinSxS (12 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (20 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\config\systemprofile (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (8 bytes)
%System%\drivers (296 bytes)
%WinDir%\phpq.dll (22141559 bytes)
%System%\func.dll (18378359 bytes)
%Documents and Settings%\%current user% (4 bytes)
C:\1.exe (7345 bytes)

Registry activity

The process taskkill.exe:560 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B D1 EC BD 2A E6 41 B4 1C 52 8C 20 16 DE AC A7"

The process taskkill.exe:188 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 BD 7E 83 1F 47 74 D7 F6 AA CC 03 9A B4 47 3E"

The process taskkill.exe:1480 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 BF 9E F9 BA 09 05 C8 77 0E AD 91 05 17 71 D0"

The process sc.exe:548 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D6 68 04 0D 13 B7 B4 FF 4D F0 1A D0 D7 34 7A"

The process rundll32.exe:1720 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 10 83 5C EF 68 0B 48 2B 27 90 6F BC 5C 5D 04"

The process cacls.exe:348 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 8D AB F2 94 F8 90 96 AA 04 4E FF 04 F2 55 6E"

The process cacls.exe:1584 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 28 58 1F 20 6A DA E8 90 47 40 C8 D6 06 F4 C8"

Dropped PE files

MD5	File path
522afca05d2634a769adbe29d64cfa08	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
4485601a5a45d10f44cd57c1f09048e0	c:\WINDOWS\phpq.dll
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
522afca05d2634a769adbe29d64cfa08	c:\WINDOWS\system32\drivers\OLD3.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
e13f938795bc9fc449d0a7ef6deb2c8b	c:\WINDOWS\system32\func.dll

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   taskkill.exe:560
   taskkill.exe:188
   taskkill.exe:1480
   sc.exe:548
   rundll32.exe:1720
   cacls.exe:348
   cacls.exe:1584

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:

   %System%\drivers\acpiec.sys (13 bytes)
   %System%\wbem\Logs (4 bytes)
   C:\autorun.inf (21 bytes)
   %WinDir%\WinSxS (12 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   C:\$Directory (20 bytes)
   %System%\dllcache (4 bytes)
   %WinDir%\inf (400 bytes)
   %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %WinDir%\phpq.dll (22141559 bytes)
   %System%\func.dll (18378359 bytes)
   C:\1.exe (7345 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ????
Product Version: 4, 3, 1, 1
Legal Copyright: ???? (C) 2009
Legal Trademarks:
Original Filename: notepad.EXE
Internal Name: test
File Version: 1, 0, 0, 1
File Description: Microsoft ???????
Comments:
Language: English (United States)

Company Name: Product Name: ????Product Version: 4, 3, 1, 1Legal Copyright: ???? (C) 2009Legal Trademarks: Original Filename: notepad.EXEInternal Name: testFile Version: 1, 0, 0, 1File Description: Microsoft ???????Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	77824	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	81920	32768	30720	5.46213	f31a4d2c191bb50deff8a3e381d5418b
.rsrc	114688	4096	1536	1.99209	c42b12aadc909baa46a4ceea8788a913

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_136:

.rsrc

.rsrc

z.wxE

z.wxE

(Exec

(Exec

/1.html

/1.html

\phpq.dllvi

\phpq.dllvi

$\ 8cmd

$\ 8cmd

%}cls "%s"?pB

%}cls "%s"?pB

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

tp://localhost/1.html

tp://localhost/1.html

\phpq.dll

\phpq.dll

rundll32.exe func.dll, droqp

rundll32.exe func.dll, droqp

\system32\func.dll

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

Explorer.EXE

Explorer.EXE

explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.EXE

EXPLORER.exe

EXPLORER.exe

Explorer.exe

Explorer.exe

explorer.exe

explorer.exe

kjk.om\k)`s`

kjk.om\k)`s`

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

,-2) ) ),

,-2) ) ),

,-2) ) )-

,-2) ) )-

,-2) ) ).

,-2) ) ).

,-2) ) )

,-2) ) )

,-,),/), ,)13

,-,),/), ,)13

,-2),),),

,-2),),),

,-2) ),),

,-2) ),),

1,),-3),2,),,053 3

1,),-3),2,),,053 3

,-,),,)4 )24

,-,),,)4 )24

,-0)4 )33).3

,-0)4 )33).3

- /),22)4-)13

- /),22)4-)13

-, )2/),/0)-.1

-, )2/),/0)-.1

-, )21) ),..

-, )21) ),..

-,4),-4)-.4)--

-,4),-4)-.4)--

1,),11).-)-

1,),11).-)-

-,4),0.)/ )--,

-,4),0.)/ )--,

-,3)4-),31)-2

-,3)4-),31)-2

-,4),0.)/1)-2

-,4),0.)/1)-2

-,4),0.)0-),-.

-,4),0.)0-),-.

--,),40)/-)2,

--,),40)/-)2,

---)2.)-,3),,0

---)2.)-,3),,0

- .),, ),13)-..53

- .),, ),13)-..53

- .),, ),13)--,53

- .),, ),13)--,53

.1.ss)^jh

.1.ss)^jh

04)./),.,)0/

04)./),.,)0/

-, )0,)/0)0

-, )0,)/0)0

04)./),43)--3

04)./),43)--3

04)./),43)33

04)./),43)33

04)./),43)42

04)./),43)42

1 ),4 ),,/), ,

1 ),4 ),,/), ,

1 ),4 )-,3)./

1 ),4 )-,3)./

1 ),4,),-/)-0-

1 ),4,),-/)-0-

1,),/0),,2)-,-

1,),/0),,2)-,-

1,),02), 4)---

1,),02), 4)---

20),-1).)-,1

20),-1).)-,1

20),-1).)-,2

20),-1).)-,2

20),-1).)-,3

20),-1).)-,3

04),-0)-.,),225,2222

04),-0)-.,),225,2222

20),-1).)--

20),-1).)--

20),-1).)--,

20),-1).)--,

20),-1).)---

20),-1).)---

.text

.text

`.rdata

`.rdata

@.data

@.data

r4.Tq:]du

r4.Tq:]du

7'7,71767<</pre><pre>a .Mt</pre><pre>B .rd</pre><pre>KERNEL32.DLL</pre><pre>MSVCRT.dll</pre><pre>1, 0, 0, 1</pre><pre>notepad.EXE</pre><pre>4, 3, 1, 1</pre><b>%original file name%.exe_136_rwx_00401000_0001A000:</b><pre>GetWindowsDirectoryA</pre><pre>WinExec</pre><pre>tp://localhost/1.html</pre><pre>\phpq.dll</pre><pre>rundll32.exe func.dll, droqp</pre><pre>\system32\func.dll</pre><pre>cmd /c taskkill /im ScanFrm.exe /f</pre><pre>cmd /c taskkill /im egui.exe /f</pre><pre>cmd /c taskkill /im ekrn.exe /f</pre><pre>cmd /c sc config ekrn start= disabled</pre><pre>cmd /c cacls "%s" /e /p everyone:f</pre><pre>cmd /c cacls %s /e /p everyone:f</pre><pre>\temp\explorer.exe</pre><pre>\drivers\gm.dls</pre><pre>Explorer.EXE</pre><pre>explorer.EXE</pre><pre>EXPLORER.EXE</pre><pre>EXPLORER.exe</pre><pre>Explorer.exe</pre><pre>explorer.exe</pre><pre>kjk.om\k)`s`</pre><pre>Ci=l_[n_Msg\ifc]Fche</pre><pre>,-2) ) ),</pre><pre>,-2) ) )-</pre><pre>,-2) ) ).</pre><pre>,-2) ) ) </pre><pre>,-,),/), ,)13</pre><pre>,-2),),),</pre><pre>,-2) ),),</pre><pre>1,),-3),2,),,053 3 </pre><pre>,-,),,)4 )24</pre><pre>,-0)4 )33).3</pre><pre>- /),22)4-)13</pre><pre>-, )2/),/0)-.1</pre><pre>-, )21) ),..</pre><pre>-,4),-4)-.4)-- </pre><pre>1,),11).-)-</pre><pre>-,4),0.)/ )--,</pre><pre>-,3)4-),31)-2</pre><pre>-,4),0.)/1)-2</pre><pre>-,4),0.)0-),-.</pre><pre>--,),40)/-)2,</pre><pre>---)2.)-,3),,0</pre><pre>- .),, ),13)-..53 </pre><pre>- .),, ),13)--,53 </pre><pre>.1.ss)^jh</pre><pre>04)./),.,)0/</pre><pre>-, )0,)/0)0</pre><pre>04)./),43)--3</pre><pre>04)./),43)33</pre><pre>04)./),43)42</pre><pre>1 ),4 ),,/), ,</pre><pre>1 ),4 )-,3)./</pre><pre>1 ),4,),-/)-0-</pre><pre>1,),/0),,2)-,-</pre><pre>1,),02), 4)---</pre><pre>20),-1).)-,1</pre><pre>20),-1).)-,2</pre><pre>20),-1).)-,3</pre><pre>04),-0)-.,),225,2222</pre><pre>20),-1).)-- </pre><pre>20),-1).)--,</pre><pre>20),-1).)---</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>r4.Tq:]du</pre><pre>7'7,71767<</pre><b>%original file name%.exe_136_rwx_10000000_00001000:</b><pre>.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>psapi.dll</pre><pre>\patch.exe</pre><pre>\dstdisk.exe</pre><pre>\defence.exe</pre><pre>192yuioealdjfiefjsdfas.txt</pre><pre>%SystemRoot%\System32\DRIVERS\puid.sys</pre><pre>\drivers\pcidump.sys</pre><pre>System32\DRIVERS\pcidump.sys</pre><pre>%SystemRoot%\system32\drivers\puid.sys</pre><pre>\\.\pcidump</pre><pre>\drivers\gm.dls</pre><pre>Windows</pre><pre>1.exe</pre><pre>autorun.inf</pre><pre>Open=1.exe</pre><pre>urlmon</pre><pre>\setup.exe</pre><pre>?mac=%s&ver=%s&key=%d&os=windows</pre><pre>.html</pre><pre>.hhqg</pre><pre>qq.exe</pre><pre>360safe.exe</pre><pre>\explorer.exe</pre><pre>\temp\explorer.exe</pre><pre>nfect_exe</pre><b>%original file name%.exe_136_rwx_10005000_00001000:</b><pre>\??\c:\%original file name%.exe</pre><pre>\??\%WinDir%\explorer.exe</pre><pre>ers\gm.dls</pre><pre>WinExec</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>ADVAPI32.dll</pre><pre>InternetOpenUrlA</pre><pre>WININET.dll</pre><b>rundll32.exe_1720:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre></pre>