Trojan-Dropper.Win32.Mudrop.xfj (Kaspersky), Worm.Generic.228477 (B) (Emsisoft), Worm.Generic.228477 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 82b072430d1842d2093bc56661d8f2d2
SHA1: 49ae0c58912671e08956422dad2f18d955f455b1
SHA256: d13cae34dea3044cb2d44eba19d0bf3228a62dcb5144dc10224a7ef77d145064
SSDeep: 12288:v1dcoCUyZtwAvAs4wTCyrPT0yq0VezaOvoJpaz/g/J/vVoS:vvfty/wAvN7lry0VeH8az/g/J/No
Size: 978432 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: MiniApp
Created at: 2009-07-04 18:42:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
taskkill.exe:560
taskkill.exe:188
taskkill.exe:1480
sc.exe:548
rundll32.exe:1720
cacls.exe:348
cacls.exe:1584
The Backdoor injects its code into the following process(es):
%original file name%.exe:136
File activity
The process rundll32.exe:1720 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\drivers\acpiec.sys (13 bytes)
The process %original file name%.exe:136 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\ (4 bytes)
%System%\wbem\Logs (4 bytes)
C:\autorun.inf (21 bytes)
%WinDir%\WinSxS (12 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (20 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\config\systemprofile (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (8 bytes)
%System%\drivers (296 bytes)
%WinDir%\phpq.dll (22141559 bytes)
%System%\func.dll (18378359 bytes)
%Documents and Settings%\%current user% (4 bytes)
C:\1.exe (7345 bytes)
Registry activity
The process taskkill.exe:560 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B D1 EC BD 2A E6 41 B4 1C 52 8C 20 16 DE AC A7"
The process taskkill.exe:188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 BD 7E 83 1F 47 74 D7 F6 AA CC 03 9A B4 47 3E"
The process taskkill.exe:1480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 BF 9E F9 BA 09 05 C8 77 0E AD 91 05 17 71 D0"
The process sc.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D6 68 04 0D 13 B7 B4 FF 4D F0 1A D0 D7 34 7A"
The process rundll32.exe:1720 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 10 83 5C EF 68 0B 48 2B 27 90 6F BC 5C 5D 04"
The process cacls.exe:348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 8D AB F2 94 F8 90 96 AA 04 4E FF 04 F2 55 6E"
The process cacls.exe:1584 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 28 58 1F 20 6A DA E8 90 47 40 C8 D6 06 F4 C8"
Dropped PE files
MD5 | File path |
---|---|
522afca05d2634a769adbe29d64cfa08 | c:\WINDOWS\LastGood\system32\drivers\acpiec.sys |
4485601a5a45d10f44cd57c1f09048e0 | c:\WINDOWS\phpq.dll |
9859c0f6936e723e4892d7141b1327d5 | c:\WINDOWS\system32\dllcache\acpiec.sys |
522afca05d2634a769adbe29d64cfa08 | c:\WINDOWS\system32\drivers\OLD3.tmp |
601b3f2466bfa6989b9c7586b5ba54aa | c:\WINDOWS\system32\drivers\pcidump.sys |
e13f938795bc9fc449d0a7ef6deb2c8b | c:\WINDOWS\system32\func.dll |
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | v.onondown.com.cn |
127.0.0.2 | ymsdasdw1.cn |
127.0.0.3 | h96b.info |
127.0.0.0 | fuck.zttwp.cn |
127.0.0.0 | www.hackerbf.cn |
127.0.0.0 | geekbyfeng.cn |
127.0.0.0 | 121.14.101.68 |
127.0.0.0 | ppp.etimes888.com |
127.0.0.0 | www.bypk.com |
127.0.0.0 | CSC3-2004-crl.verisign.com |
127.0.0.1 | va9sdhun23.cn |
127.0.0.0 | udp.hjob123.com |
127.0.0.2 | bnasnd83nd.cn |
127.0.0.0 | www.gamehacker.com.cn |
127.0.0.0 | gamehacker.com.cn |
127.0.0.3 | adlaji.cn |
127.0.0.1 | 858656.com |
127.1.1.1 | bnasnd83nd.cn |
127.0.0.1 | my123.com |
127.0.0.0 | user1.12-27.net |
127.0.0.1 | 8749.com |
127.0.0.0 | fengent.cn |
127.0.0.1 | 4199.com |
127.0.0.1 | user1.16-22.net |
127.0.0.1 | 7379.com |
127.0.0.1 | 2be37c5f.3f6e2cc5f0b.com |
127.0.0.1 | 7255.com |
127.0.0.1 | user1.23-12.net |
127.0.0.1 | 3448.com |
127.0.0.1 | www.guccia.net |
127.0.0.1 | 7939.com |
127.0.0.1 | a.o1o1o1.nEt |
127.0.0.1 | 8009.com |
127.0.0.1 | user1.12-73.cn |
127.0.0.1 | piaoxue.com |
127.0.0.1 | 3n8nlasd.cn |
127.0.0.1 | kzdh.com |
127.0.0.0 | www.sony888.cn |
127.0.0.1 | about.blank.la |
127.0.0.0 | user1.asp-33.cn |
127.0.0.1 | 6781.com |
127.0.0.0 | www.netkwek.cn |
127.0.0.1 | 7322.com |
127.0.0.0 | ymsdkad6.cn |
127.0.0.0 | www.lkwueir.cn |
127.0.0.1 | 06.jacai.com |
127.0.1.1 | user1.23-17.net |
127.0.0.1 | 1.jopenkk.com |
127.0.0.0 | upa.luzhiai.net |
127.0.0.1 | 1.jopenqc.com |
127.0.0.0 | www.guccia.net |
127.0.0.1 | 1.joppnqq.com |
127.0.0.0 | 4m9mnlmi.cn |
127.0.0.1 | 1.xqhgm.com |
127.0.0.0 | mm119mkssd.cn |
127.0.0.1 | 100.332233.com |
127.0.0.0 | 61.128.171.115:8080 |
127.0.0.1 | 121.11.90.79 |
127.0.0.0 | www.1119111.com |
127.0.0.1 | 121565.net |
127.0.0.0 | win.nihao69.cn |
127.0.0.1 | 125.90.88.38 |
127.0.0.1 | 16888.6to23.com |
127.0.0.1 | 2.joppnqq.com |
127.0.0.0 | puc.lianxiac.net |
127.0.0.1 | 204.177.92.68 |
127.0.0.0 | pud.lianxiac.net |
127.0.0.1 | 210.74.145.236 |
127.0.0.0 | 210.76.0.133 |
127.0.0.1 | 219.129.239.220 |
127.0.0.0 | 61.166.32.2 |
127.0.0.1 | 219.153.40.221 |
127.0.0.0 | 218.92.186.27 |
127.0.0.1 | 219.153.46.27 |
127.0.0.0 | www.fsfsfag.cn |
127.0.0.1 | 219.153.52.123 |
127.0.0.0 | ovo.ovovov.cn |
127.0.0.1 | 221.195.42.71 |
127.0.0.0 | dw.com.com |
127.0.0.1 | 222.73.218.115 |
127.0.0.1 | 203.110.168.233:80 |
127.0.0.1 | 3.joppnqq.com |
127.0.0.1 | 203.110.168.221:80 |
127.0.0.1 | 363xx.com |
127.0.0.1 | www1.ip10086.com.cm |
127.0.0.1 | 4199.com |
127.0.0.1 | blog.ip10086.com.cn |
127.0.0.1 | 43242.com |
127.0.0.1 | www.ccji68.cn |
127.0.0.1 | 5.xqhgm.com |
127.0.0.0 | t.myblank.cn |
127.0.0.1 | 520.mm5208.com |
127.0.0.0 | x.myblank.cn |
127.0.0.1 | 59.34.131.54 |
127.0.0.1 | 210.51.45.5 |
127.0.0.1 | 59.34.198.228 |
127.0.0.1 | www.ew1q.cn |
127.0.0.1 | 59.34.198.88 |
127.0.0.1 | 59.34.198.97 |
127.0.0.1 | 60.190.114.101 |
127.0.0.1 | 60.190.218.34 |
127.0.0.0 | qq-xing.com.cn |
127.0.0.1 | 60.191.124.252 |
127.0.0.1 | 61.145.117.212 |
127.0.0.1 | 61.157.109.222 |
127.0.0.1 | 75.126.3.216 |
127.0.0.1 | 75.126.3.217 |
127.0.0.1 | 75.126.3.218 |
127.0.0.0 | 59.125.231.177:17777 |
127.0.0.1 | 75.126.3.220 |
127.0.0.1 | 75.126.3.221 |
127.0.0.1 | 75.126.3.222 |
127.0.0.1 | 772630.com |
127.0.0.1 | 832823.cn |
127.0.0.1 | 8749.com |
127.0.0.1 | 888.jopenqc.com |
127.0.0.1 | 89382.cn |
127.0.0.1 | 8v8.biz |
127.0.0.1 | 97725.com |
127.0.0.1 | 9gg.biz |
127.0.0.1 | www.9000music.com |
127.0.0.1 | test.591jx.com |
127.0.0.1 | a.topxxxx.cn |
127.0.0.1 | picon.chinaren.com |
127.0.0.1 | www.5566.net |
127.0.0.1 | p.qqkx.com |
127.0.0.1 | news.netandtv.com |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | b.myblank.cn |
127.0.0.1 | wvw.wokutu.com |
127.0.0.1 | unionch.qyule.com |
127.0.0.1 | www.qyule.com |
127.0.0.1 | it.itjc.cn |
127.0.0.1 | www.linkwww.com |
127.0.0.1 | vod.kaicn.com |
127.0.0.1 | www.tx8688.com |
127.0.0.1 | b.neter888.cn |
127.0.0.1 | promote.huanqiu.com |
127.0.0.1 | www.huanqiu.com |
127.0.0.1 | www.haokanla.com |
127.0.0.1 | play.unionsky.cn |
127.0.0.1 | www.52v.com |
127.0.0.1 | www.gghka.cn |
127.0.0.1 | icon.ajiang.net |
127.0.0.1 | new.ete.cn |
127.0.0.1 | www.stiae.cn |
127.0.0.1 | o.neter888.cn |
127.0.0.1 | comm.jinti.com |
127.0.0.1 | www.google-analytics.com |
127.0.0.1 | hz.mmstat.com |
127.0.0.1 | www.game175.cn |
127.0.0.1 | x.neter888.cn |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | p.etimes888.com |
127.0.0.1 | hx.etimes888.com |
127.0.0.1 | abc.qqkx.com |
127.0.0.1 | dm.popdm.cn |
127.0.0.1 | www.yl9999.com |
127.0.0.1 | www.dajiadoushe.cn |
127.0.0.1 | v.onondown.com.cn |
127.0.0.1 | www.interoo.net |
127.0.0.1 | bally1.bally-bally.net |
127.0.0.1 | www.bao5605509.cn |
127.0.0.1 | www.rty456.cn |
127.0.0.1 | www.werqwer.cn |
127.0.0.1 | 1.360-1.cn |
127.0.0.1 | user1.23-16.net |
127.0.0.1 | www.guccia.net |
127.0.0.1 | www.interoo.net |
127.0.0.1 | upa.netsool.net |
127.0.0.1 | js.users.51.la |
127.0.0.1 | vip2.51.la |
127.0.0.1 | web.51.la |
127.0.0.1 | qq.gong2008.com |
127.0.0.1 | 2008tl.copyip.com |
127.0.0.1 | tla.laozihuolaile.cn |
127.0.0.1 | www.tx6868.cn |
127.0.0.1 | p001.tiloaiai.com |
127.0.0.1 | s1.tl8tl.com |
127.0.0.1 | s1.gong2008.com |
127.0.0.1 | 4b3ce56f9g.3f6e2cc5f0b.com |
Rootkit activity
The Backdoor installs the following kernel-mode hooks:
ZwQuerySystemInformation
Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:
MJ_CREATE
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:560
taskkill.exe:188
taskkill.exe:1480
sc.exe:548
rundll32.exe:1720
cacls.exe:348
cacls.exe:1584 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\drivers\acpiec.sys (13 bytes)
%System%\wbem\Logs (4 bytes)
C:\autorun.inf (21 bytes)
%WinDir%\WinSxS (12 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (20 bytes)
%System%\dllcache (4 bytes)
%WinDir%\inf (400 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%WinDir%\phpq.dll (22141559 bytes)
%System%\func.dll (18378359 bytes)
C:\1.exe (7345 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ????
Product Version: 4, 3, 1, 1
Legal Copyright: ???? (C) 2009
Legal Trademarks:
Original Filename: notepad.EXE
Internal Name: test
File Version: 1, 0, 0, 1
File Description: Microsoft ???????
Comments:
Language: English (United States)
Company Name: Product Name: ????Product Version: 4, 3, 1, 1Legal Copyright: ???? (C) 2009Legal Trademarks: Original Filename: notepad.EXEInternal Name: testFile Version: 1, 0, 0, 1File Description: Microsoft ???????Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 77824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 81920 | 32768 | 30720 | 5.46213 | f31a4d2c191bb50deff8a3e381d5418b |
.rsrc | 114688 | 4096 | 1536 | 1.99209 | c42b12aadc909baa46a4ceea8788a913 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_136:
.rsrc
.rsrc
z.wxE
z.wxE
(Exec
(Exec
/1.html
/1.html
\phpq.dllvi
\phpq.dllvi
$\ 8cmd
$\ 8cmd
%}cls "%s"?pB
%}cls "%s"?pB
GetWindowsDirectoryA
GetWindowsDirectoryA
WinExec
WinExec
tp://localhost/1.html
tp://localhost/1.html
\phpq.dll
\phpq.dll
rundll32.exe func.dll, droqp
rundll32.exe func.dll, droqp
\system32\func.dll
\system32\func.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cmd /c sc config ekrn start= disabled
cmd /c cacls "%s" /e /p everyone:f
cmd /c cacls "%s" /e /p everyone:f
cmd /c cacls %s /e /p everyone:f
cmd /c cacls %s /e /p everyone:f
\temp\explorer.exe
\temp\explorer.exe
\drivers\gm.dls
\drivers\gm.dls
Explorer.EXE
Explorer.EXE
explorer.EXE
explorer.EXE
EXPLORER.EXE
EXPLORER.EXE
EXPLORER.exe
EXPLORER.exe
Explorer.exe
Explorer.exe
explorer.exe
explorer.exe
kjk.om\k)`s`
kjk.om\k)`s`
Ci=l_[n_Msg\ifc]Fche
Ci=l_[n_Msg\ifc]Fche
,-2) ) ),
,-2) ) ),
,-2) ) )-
,-2) ) )-
,-2) ) ).
,-2) ) ).
,-2) ) )
,-2) ) )
,-,),/), ,)13
,-,),/), ,)13
,-2),),),
,-2),),),
,-2) ),),
,-2) ),),
1,),-3),2,),,053 3
1,),-3),2,),,053 3
,-,),,)4 )24
,-,),,)4 )24
,-0)4 )33).3
,-0)4 )33).3
- /),22)4-)13
- /),22)4-)13
-, )2/),/0)-.1
-, )2/),/0)-.1
-, )21) ),..
-, )21) ),..
-,4),-4)-.4)--
-,4),-4)-.4)--
1,),11).-)-
1,),11).-)-
-,4),0.)/ )--,
-,4),0.)/ )--,
-,3)4-),31)-2
-,3)4-),31)-2
-,4),0.)/1)-2
-,4),0.)/1)-2
-,4),0.)0-),-.
-,4),0.)0-),-.
--,),40)/-)2,
--,),40)/-)2,
---)2.)-,3),,0
---)2.)-,3),,0
- .),, ),13)-..53
- .),, ),13)-..53
- .),, ),13)--,53
- .),, ),13)--,53
.1.ss)^jh
.1.ss)^jh
04)./),.,)0/
04)./),.,)0/
-, )0,)/0)0
-, )0,)/0)0
04)./),43)--3
04)./),43)--3
04)./),43)33
04)./),43)33
04)./),43)42
04)./),43)42
1 ),4 ),,/), ,
1 ),4 ),,/), ,
1 ),4 )-,3)./
1 ),4 )-,3)./
1 ),4,),-/)-0-
1 ),4,),-/)-0-
1,),/0),,2)-,-
1,),/0),,2)-,-
1,),02), 4)---
1,),02), 4)---
20),-1).)-,1
20),-1).)-,1
20),-1).)-,2
20),-1).)-,2
20),-1).)-,3
20),-1).)-,3
04),-0)-.,),225,2222
04),-0)-.,),225,2222
20),-1).)--
20),-1).)--
20),-1).)--,
20),-1).)--,
20),-1).)---
20),-1).)---
.text
.text
`.rdata
`.rdata
@.data
@.data
r4.Tq:]du
r4.Tq:]du
7'7,71767<</pre><pre>a .Mt</pre><pre>B .rd</pre><pre>KERNEL32.DLL</pre><pre>MSVCRT.dll</pre><pre>1, 0, 0, 1</pre><pre>notepad.EXE</pre><pre>4, 3, 1, 1</pre><b>%original file name%.exe_136_rwx_00401000_0001A000:</b><pre>GetWindowsDirectoryA</pre><pre>WinExec</pre><pre>tp://localhost/1.html</pre><pre>\phpq.dll</pre><pre>rundll32.exe func.dll, droqp</pre><pre>\system32\func.dll</pre><pre>cmd /c taskkill /im ScanFrm.exe /f</pre><pre>cmd /c taskkill /im egui.exe /f</pre><pre>cmd /c taskkill /im ekrn.exe /f</pre><pre>cmd /c sc config ekrn start= disabled</pre><pre>cmd /c cacls "%s" /e /p everyone:f</pre><pre>cmd /c cacls %s /e /p everyone:f</pre><pre>\temp\explorer.exe</pre><pre>\drivers\gm.dls</pre><pre>Explorer.EXE</pre><pre>explorer.EXE</pre><pre>EXPLORER.EXE</pre><pre>EXPLORER.exe</pre><pre>Explorer.exe</pre><pre>explorer.exe</pre><pre>kjk.om\k)`s`</pre><pre>Ci=l_[n_Msg\ifc]Fche</pre><pre>,-2) ) ),</pre><pre>,-2) ) )-</pre><pre>,-2) ) ).</pre><pre>,-2) ) ) </pre><pre>,-,),/), ,)13</pre><pre>,-2),),),</pre><pre>,-2) ),),</pre><pre>1,),-3),2,),,053 3 </pre><pre>,-,),,)4 )24</pre><pre>,-0)4 )33).3</pre><pre>- /),22)4-)13</pre><pre>-, )2/),/0)-.1</pre><pre>-, )21) ),..</pre><pre>-,4),-4)-.4)-- </pre><pre>1,),11).-)-</pre><pre>-,4),0.)/ )--,</pre><pre>-,3)4-),31)-2</pre><pre>-,4),0.)/1)-2</pre><pre>-,4),0.)0-),-.</pre><pre>--,),40)/-)2,</pre><pre>---)2.)-,3),,0</pre><pre>- .),, ),13)-..53 </pre><pre>- .),, ),13)--,53 </pre><pre>.1.ss)^jh</pre><pre>04)./),.,)0/</pre><pre>-, )0,)/0)0</pre><pre>04)./),43)--3</pre><pre>04)./),43)33</pre><pre>04)./),43)42</pre><pre>1 ),4 ),,/), ,</pre><pre>1 ),4 )-,3)./</pre><pre>1 ),4,),-/)-0-</pre><pre>1,),/0),,2)-,-</pre><pre>1,),02), 4)---</pre><pre>20),-1).)-,1</pre><pre>20),-1).)-,2</pre><pre>20),-1).)-,3</pre><pre>04),-0)-.,),225,2222</pre><pre>20),-1).)-- </pre><pre>20),-1).)--,</pre><pre>20),-1).)---</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>r4.Tq:]du</pre><pre>7'7,71767<</pre><b>%original file name%.exe_136_rwx_10000000_00001000:</b><pre>.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>psapi.dll</pre><pre>\patch.exe</pre><pre>\dstdisk.exe</pre><pre>\defence.exe</pre><pre>192yuioealdjfiefjsdfas.txt</pre><pre>%SystemRoot%\System32\DRIVERS\puid.sys</pre><pre>\drivers\pcidump.sys</pre><pre>System32\DRIVERS\pcidump.sys</pre><pre>%SystemRoot%\system32\drivers\puid.sys</pre><pre>\\.\pcidump</pre><pre>\drivers\gm.dls</pre><pre>Windows</pre><pre>1.exe</pre><pre>autorun.inf</pre><pre>Open=1.exe</pre><pre>urlmon</pre><pre>\setup.exe</pre><pre>?mac=%s&ver=%s&key=%d&os=windows</pre><pre>.html</pre><pre>.hhqg</pre><pre>qq.exe</pre><pre>360safe.exe</pre><pre>\explorer.exe</pre><pre>\temp\explorer.exe</pre><pre>nfect_exe</pre><b>%original file name%.exe_136_rwx_10005000_00001000:</b><pre>\??\c:\%original file name%.exe</pre><pre>\??\%WinDir%\explorer.exe</pre><pre>ers\gm.dls</pre><pre>WinExec</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>ADVAPI32.dll</pre><pre>InternetOpenUrlA</pre><pre>WININET.dll</pre><b>rundll32.exe_1720:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre></pre>