Backdoor.Win32.PcClient_1b54b6b8d4

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

taskkill.exe:1300
taskkill.exe:1596
taskkill.exe:1072
taskkill.exe:1540
sc.exe:1256
sc.exe:2016
rundll32.exe:272
cacls.exe:1436
cacls.exe:452

The Backdoor injects its code into the following process(es):

%original file name%.exe:176

File activity

The process %original file name%.exe:176 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (94139 bytes)
C:\ (4 bytes)
%System%\killkb.dll (19943351 bytes)
%System%\CatRoot2 (96 bytes)
%System%\wbem\Repository\FS\INDEX.MAP (4 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (28 bytes)
%WinDir%\inf (400 bytes)
%WinDir%update.dll (35198910 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%System%\wbem (480 bytes)
%System%\drivers (8 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (4543 bytes)
%System%\wbem\Repository\FS\MAPPING1.MAP (204 bytes)
%Documents and Settings%\%current user% (4 bytes)
%System% (1824 bytes)

The process rundll32.exe:272 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (6 bytes)

Registry activity

The process taskkill.exe:1300 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 A9 6A 43 AF 19 D3 E9 AF 9C 9C FF 19 0A D2 72"

The process taskkill.exe:1596 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 80 10 18 AF 38 56 ED 50 3A 7C FE EC 38 63 93"

The process taskkill.exe:1072 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 EF CA 3F 8D 70 65 25 B4 45 B8 ED BB F6 2B 7B"

The process taskkill.exe:1540 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 2D CA E0 4C 1E 11 71 FA C7 E6 88 16 12 3B 00"

The process sc.exe:1256 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 13 DD 37 EA A9 C6 F7 47 32 40 95 29 03 72 66"

The process sc.exe:2016 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 5E 86 70 FC CC 7D CB A0 88 E8 81 0E D7 CE 2B"

The process rundll32.exe:272 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 01 5C E1 AA A8 59 EA 8A D6 94 C7 FC 53 E3 B7"

The process cacls.exe:1436 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 31 7C DA 6B 50 11 E5 D3 F7 63 F5 EC B2 90 AC"

The process cacls.exe:452 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 53 CE C2 9A 51 17 40 46 D9 D9 85 68 C0 B8 4B"

Dropped PE files

MD5	File path
66a6875469fba08fceb005803f02dfd9	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
66a6875469fba08fceb005803f02dfd9	c:\WINDOWS\system32\drivers\OLD3.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
e49b7b5016e2e640eaaa577a71bf49d9	c:\WINDOWS\system32\killkb.dll
7e9e7ff32b342a744d98bfccf2242028	c:\WINDOWSupdate.dll

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   taskkill.exe:1300
   taskkill.exe:1596
   taskkill.exe:1072
   taskkill.exe:1540
   sc.exe:1256
   sc.exe:2016
   rundll32.exe:272
   cacls.exe:1436
   cacls.exe:452

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:

   %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (94139 bytes)
   %System%\killkb.dll (19943351 bytes)
   %System%\CatRoot2 (96 bytes)
   %System%\wbem\Repository\FS\INDEX.MAP (4 bytes)
   %System%\wbem\Repository\FS\OBJECTS.MAP (12 bytes)
   %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   C:\$Directory (28 bytes)
   %WinDir%\inf (400 bytes)
   %WinDir%update.dll (35198910 bytes)
   %Program Files%\COMMON FILES (4 bytes)
   %System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
   %System%\wbem\Logs\wbemcore.log (344 bytes)
   %System%\wbem\Repository\FS\INDEX.BTR (4543 bytes)
   %System%\wbem\Repository\FS\MAPPING1.MAP (204 bytes)
   %System%\drivers\acpiec.sys (6 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
8. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1208	4096	1.54002	f5c6630371e409d6d1defd0a37c5465d
.rdata	8192	682	4096	0.622987	01bd97ddfe201c84bcb2220867b7254e
.data	12288	1684	4096	1.26764	831e22e8648063527c238da9ba688f5b
.rsrc	16384	112784	114688	4.00576	21dd72dc20ced2975e3c07f65e4c21ad

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
ahei8.3322.org

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

%original file name%.exe_176:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

KERNEL32.DLL

KERNEL32.DLL

MSVCRT.dll

MSVCRT.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlYj6LC0ThFKJ4oooAAA

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlYj6LC0ThFKJ4oooAAA

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlbSCTGZGV4Hc1qMPBiUDYwA

o12aSkSLyZo7kdksl4uqJBocm6mmSg xO1VNRlbSCTGZGV4Hc1qMPBiUDYwA

update.dll

update.dll

cmd /c taskkill /im avp.exe /f

cmd /c taskkill /im avp.exe /f

cmd /c sc config avp start= disabled

cmd /c sc config avp start= disabled

rundll32.exe %s, droqp

rundll32.exe %s, droqp

\system32\killkb.dll

\system32\killkb.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

*m5<-%C><pre>URLDownloadToCacheFileA</pre><pre>>w<$r%x<$r%s<$c</pre><pre>gsso9..khki-tr.`abc-dwd</pre><pre>FdsShbjBntms</pre><pre>EhmcMdwsEhkd@</pre><pre>Lctcp</pre><pre>GmdA_jjBpgtcp</pre><pre>GmBpgtcpM`hcarRwnc</pre><pre>016-/-/-0</pre><pre>016-/-/-1</pre><pre>016-/-/-2</pre><pre>016-/-/-/</pre><pre>010-03-0/0-57</pre><pre>016-0-0-0</pre><pre>016-/-0-0</pre><pre>50-017-060-00497/7/</pre><pre>010-00-8/-68</pre><pre>014-8/-77-27</pre><pre>1/3-066-81-57</pre><pre>10/-63-034-125</pre><pre>10/-65-/-022</pre><pre>108-018-128-11/</pre><pre>50-055-21-1</pre><pre>108-042-3/-110</pre><pre>107-81-075-16</pre><pre>108-042-35-16</pre><pre>108-042-41-012</pre><pre>110-084-31-60</pre><pre>111-62-107-004</pre><pre>1/2-00/-057-12297/</pre><pre>1/2-00/-057-11097/</pre><pre>48-23-020-43</pre><pre>10/-40-34-4</pre><pre>48-23-087-117</pre><pre>48-23-087-77</pre><pre>48-23-087-86</pre><pre>5/-08/-003-0/0</pre><pre>5/-08/-107-23</pre><pre>5/-080-013-141</pre><pre>50-034-006-101</pre><pre>50-046-0/8-111</pre><pre>64-015-2-105</pre><pre>64-015-2-106</pre><pre>64-015-2-107</pre><pre>48-014-120-066906666</pre><pre>64-015-2-11/</pre><pre>64-015-2-110</pre><pre>64-015-2-111</pre><b>%original file name%.exe_176_rwx_10000000_00001000:</b><pre>.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>\pipe\browser</pre><pre>\\%s\IPC$</pre><pre>Bd</pre><pre>psapi.dll</pre><pre>\patch.exe</pre><pre>\dstdisk.exe</pre><pre>\defence.exe</pre><pre>192yuioealdjfiefjsdfas.txt</pre><pre>%SystemRoot%\System32\DRIVERS\puid.sys</pre><pre>\drivers\pcidump.sys</pre><pre>System32\DRIVERS\pcidump.sys</pre><pre>%SystemRoot%\system32\drivers\puid.sys</pre><pre>\\.\pcidump</pre><pre>\drivers\gm.dls</pre><pre>%s%d.txt</pre><pre>>>tmp.tmp</pre><pre>@echo rcx>>tmp.tmp</pre><pre>@echo %X>>tmp.tmp</pre><pre>@echo n tmp2>>tmp.tmp</pre><pre>@echo w>>tmp.tmp</pre><pre>@echo q>>tmp.tmp</pre><pre>@debug<tmp>nul</tmp></pre><pre>@rename tmp2 tmp2.exe</pre><pre>tmp2.exe</pre><pre>Windows</pre><pre>1.exe</pre><pre>autorun.inf</pre><pre>Open=1.exe</pre><pre>urlmon</pre><pre>\setup.exe</pre><pre>?x=%s&y=%s&t=%d</pre><pre>iexplore.exe</pre><pre>.html</pre><pre>.hhqg</pre><pre>qq.exe</pre><pre>360safe.exe</pre><pre>\explorer.exe</pre><pre>\temp\explorer.exe</pre><pre>10fect_exe</pre><b>%original file name%.exe_176_rwx_1000A000_00001000:</b><pre>\??\c:\%original file name%.exe</pre><pre>\??\%WinDir%\explorer.exe</pre><pre>ers\gm.dls</pre><b>rundll32.exe_272:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre><b>iexplore.exe_1628:</b><pre>%?9-*09,*19}*09</pre><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>USER32.dll</pre><pre>SHLWAPI.dll</pre><pre>SHDOCVW.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess</pre><pre>IE-X-X</pre><pre>rsabase.dll</pre><pre>System\CurrentControlSet\Control\Windows</pre><pre>dw15 -x -s %u</pre><pre>watson.microsoft.com</pre><pre>IEWatsonURL</pre><pre>%s -h %u</pre><pre>iedw.exe</pre><pre>Iexplore.XPExceptionFilter</pre><pre>jscript.DLL</pre><pre>mshtml.dll</pre><pre>mlang.dll</pre><pre>urlmon.dll</pre><pre>wininet.dll</pre><pre>shdocvw.DLL</pre><pre>browseui.DLL</pre><pre>comctl32.DLL</pre><pre>IEXPLORE.EXE</pre><pre>iexplore.pdb</pre><pre>ADVAPI32.dll</pre><pre>MsgWaitForMultipleObjects</pre><pre>IExplorer.EXE</pre><pre>IIIIIB(II<.Fg</pre><pre>7?_____ZZSSH%</pre><pre>)z.UUUUUUUU</pre><pre>,....Qym</pre><pre>````2```</pre><pre>{.QLQIIIKGKGKGKGKGKG</pre><pre>;33;33;0</pre><pre>8888880</pre><pre>8887080</pre><pre>browseui.dll</pre><pre>shdocvw.dll</pre><pre>6.00.2900.5512 (xpsp.080413-2105)</pre><pre>Windows</pre><pre>Operating System</pre><pre>6.00.2900.5512</pre></-%C>