sub_outside(): MSVCRT.strlen MSVCRT.strcpy MSVCRT.strncpy WININET.InternetOpenUrlA KERNEL32.CreateFileA WININET.InternetCloseHandle KERNEL32.ExitThread KERNEL32.GetTickCount MSVCRT.malloc MSVCRT.memset WININET.InternetReadFile KERNEL32.WriteFile MSVCRT.memcpy MSVCRT.free KERNEL32.CloseHandle SHLWAPI.PathRemoveFileSpecA NTDLL.RtlGetLastWin32Error KERNEL32.CreateProcessA KERNEL32.WaitForSingleObject MSVCRT.sprintf MSVCRT.strcat KERNEL32.Sleep WS2_32.WSACleanup KERNEL32.ExitProcess KERNEL32.CreateMutexA KERNEL32.SetFileAttributesA KERNEL32.DeleteFileA MSVCRT.srand WS2_32.WSAStartup WS2_32.gethostname WS2_32.gethostbyname WS2_32.inet_ntoa KERNEL32.CreateThread KERNEL32.ReleaseMutex MSVCRT._vsnprintf MSVCRT._strlwr WS2_32.getsockname MSVCRT.strcspn WS2_32.inet_addr WS2_32.gethostbyaddr KERNEL32.GetVersionExA MSVCRT.rand MSVCRT._ftol MSVCRT.strcmp KERNEL32.lstrcmpiA ADVAPI32.RegOpenKeyExA ADVAPI32.RegCloseKey ADVAPI32.RegQueryValueExA WS2_32.getpeername MSVCRT._stricmp MSVCRT.strtok MSVCRT.atoi MSVCRT._strdup MSVCRT.strstr MSVCRT.strncat KERNEL32.GetModuleFileNameA KERNEL32.GetShortPathNameA KERNEL32.GetEnvironmentVariableA KERNEL32.GetCurrentProcess KERNEL32.SetPriorityClass KERNEL32.GetCurrentThread KERNEL32.SetThreadPriority KERNEL32.SetProcessPriorityBoost DNSAPI.DnsFlushResolverCache IPHLPAPI.GetIpNetTable IPHLPAPI.DeleteIpNetEntry KERNEL32.OpenProcess ADVAPI32.OpenProcessToken ADVAPI32.ImpersonateLoggedOnUser ADVAPI32.OpenSCManagerA ADVAPI32.EnumServicesStatusA ADVAPI32.CloseServiceHandle MSVCRT.memcmp NTDLL.RtlEnterCriticalSection NTDLL.RtlLeaveCriticalSection KERNEL32.GetLogicalDriveStringsA KERNEL32.GetDriveTypeA WS2_32.socket MSVCRT.fopen WS2_32.select WSOCK32.recvfrom MSVCRT._snprintf MSVCRT.fseek MSVCRT.fread WS2_32.sendto MSVCRT.__set_app_type MSVCRT.__p__fmode MSVCRT.__p__commode MSVCRT.__setusermatherr MSVCRT._initterm MSVCRT.__getmainargs KERNEL32.GetStartupInfoA KERNEL32.GetModuleHandleA MSVCRT.exit MSVCRT._XcptFilter MSVCRT._exit |
sub_404D74(02f1): MSVCRT.memset KERNEL32.GetVersionExA MSVCRT.sprintf MSVCRT.strlen MSVCRT.rand "95-" "NT-" "98-" "ME-" "2K-" "XP-" "2K3-" "WIN-" |
sub_407E71(0304): MSVCRT.memset ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryValueExA ADVAPI32.RegCloseKey |
sub_404A3B(0321): "JOIN %s %s\r\n" |
sub_404C66(087f): MSVCRT.memset KERNEL32.GetComputerNameA MSVCRT.sprintf "Error" |
sub_40A587(0b48): WS2_32.socket MSVCRT.memset WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.closesocket WS2_32.recv MSVCRT.strcpy MSVCRT.strcmp "Windows Server 2003 *.*" "*Service Pack 1*" "*Service Pack 2*" "Windows 2000 LAN Manager*" |
sub_402C2A(0bdf): MSVCRT.strlen MSVCRT.memset |
sub_4128AD(0dc5): MSVCRT._acmdln |
sub_4074A8(1803): MSVCRT.malloc MSVCRT.memset MSVCRT.rand MSVCRT.sprintf "0123456789abcdefghijklmnopqrstuvwxyz" "%c%c%c%c%c%c%c" |
sub_40186B(1c47): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress USER32.FindWindowA USER32.GetWindowThreadProcessId KERNEL32.OpenProcess KERNEL32.GetModuleFileNameA MSVCRT.strncpy KERNEL32.VirtualAllocEx KERNEL32.WriteProcessMemory KERNEL32.CreateRemoteThread KERNEL32.CloseHandle "kernel32.dll" "CloseHandle" "CreateFileA" "CreateMutexA" "GetLastError" "ReleaseMutex" "Sleep" "WinExec" |
sub_4037AE(1e57): KERNEL32.SetErrorMode KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA KERNEL32.ExpandEnvironmentStringsA MSVCRT.sprintf KERNEL32.ExitProcess ADVAPI32.StartServiceCtrlDispatcherA "%windir%\\system32" "%s\\%s" "Enabled:Microsoft Enabled" |
sub_403FFF(25a3): MSVCRT.memset |
sub_403F2A(2e52): MSVCRT.strcmp |
sub_403EB0(2e78): MSVCRT.strcpy |
sub_402EA5(308b): MSVCRT.strlen |
sub_4073C0(3183): "ERROR" "PRIVMSG" "KICK" "TOPIC" "001" "332" "366" "005" "376" "422" "433" |
sub_40814F(32cd): KERNEL32.Sleep WS2_32.WSACleanup KERNEL32.ExitProcess ADVAPI32.SetServiceStatus NTDLL.RtlGetLastWin32Error "System shutting down." |
sub_40AC0B(33a2): WS2_32.inet_ntoa MSVCRT.strcmp WS2_32.socket WS2_32.ntohs WS2_32.ioctlsocket WS2_32.connect WS2_32.select WS2_32.closesocket |
sub_401727(3718): ADVAPI32.GetUserNameA MSVCRT.strcmp KERNEL32.ExitProcess "CurrentUser" |
sub_403FAF(3720): MSVCRT.memset |
sub_406EA7(37a1): MSVCRT.strstr MSVCRT.strcmp "err! %s." |
sub_40AAF2(3b1d): MSVCRT.memcpy WS2_32.ntohl |
sub_404CEA(4325): MSVCRT.memset KERNEL32.GetLocaleInfoA MSVCRT.sprintf MSVCRT.strlen MSVCRT.rand "%s-" |
sub_401B8B(4534): KERNEL32.lstrcmpiA MSVCRT.strcpy KERNEL32.GetTempPathA MSVCRT.rand MSVCRT.sprintf KERNEL32.CreateThread KERNEL32.Sleep NTDLL.RtlGetLastWin32Error MSVCRT.atoi MSVCRT.strcmp KERNEL32.GetTickCount MSVCRT.srand MSVCRT._snprintf MSVCRT.strchr MSVCRT.strncpy WS2_32.getsockname WS2_32.inet_ntoa MSVCRT.strrchr WS2_32.WSACleanup KERNEL32.ExitProcess "l.out" "lo" "rm.die" "rm.now" "threads" "t" "ip.wget" "ip.download" "r0flz.updt" "r4wr.nb" "advscan" "asc" "sc" "up" "dl" "tlist" "l.out" "lo" "rm.die" "rm.now" "threads" "t" "ip.wget" "ip.download" "staticftp" "sftp" "http" "stop" "advscan" "asc" "r0flz.updt" "r4wr.nb" "u-cant-stop-us" "tt" "%s %s a run: <%d>." "%seme_%d%d%d%d%d.exe" "%s dling from: %s to: %s." "%s dling from: %s to: %s." "tt" "%s F to s %s, e: <%d>." "Already scanning with %d threads. Too m"... "Failed to start scan, port is invalid." "x.x.x.x" "%d.x.x.x" "Failed to start scan, no IP specified." "Could not parse external IP." "No subnet class specified, try \"-a\" or "... "Random" "Sequential" "%s Port Scan started on %s:%d with a de"... "Random" "Sequential" "Failed to start scan thread, error: <%d"... "tt" "%s DL URL: %s to: %s." "%s DL URL: %s to: %s." "kill" "k" "%s S: <%d> t(s)." "%s N." "%s K t: <%s>" "%s F to k t: <%s>" "tlist" "sub" "tlist" "%s S <%i> out." "%s No L: <%i>" "%s I: <%i>" "%s %s out." |
sub_407FC9(4bcf): ADVAPI32.RegCreateKeyExA MSVCRT.strlen MSVCRT.strcpy ADVAPI32.RegSetValueExA ADVAPI32.RegCloseKey |
sub_40A9CB(5238): MSVCRT.time MSVCRT.srand MSVCRT.rand MSVCRT.strncpy KERNEL32.CreateThread KERNEL32.Sleep |
sub_4053A3(58a4): KERNEL32.GetModuleHandleA KERNEL32.GetProcAddress NTDLL.RtlGetLastWin32Error KERNEL32.LoadLibraryA WININET.InternetOpenA "kernel32.dll" "SetErrorMode" "CreateToolhelp32Snapshot" "Process32First" "GetDiskFreeSpaceExA" "GetLogicalDriveStringsA" "SearchPathA" "QueryPerformanceCounter" "QueryPerformanceFrequency" "GetComputerNameA" "RegisterServiceProcess" "user32.dll" "CloseWindow" "SendMessageA" "FindWindowA" "IsWindow" "GetClipboardData" "CloseClipboard" "EnumWindows" "GetWindowThreadProcessId" "ShowWindow" "IsWindowVisible" "advapi32.dll" "RegCreateKeyExA" "RegSetValueExA" "RegQueryValueExA" "RegDeleteValueA" "RegCloseKey" "RegQueryInfoKeyA" "OpenThreadToken" "OpenProcessToken" "LookupPrivilegeValueA" "AdjustTokenPrivileges" "LsaEnumerateAccountsWithUserRight" "LsaLookupNames2" "LsaAddAccountRights" "LsaRemoveAccountRights" "LsaClose" "LsaNtStatusToWinError" "OpenSCManagerA" "OpenServiceA" "ControlService" "CloseServiceHandle" "EnumServicesStatusA" "IsValidSecurityDescriptor" "CreateServiceA" "StartServiceCtrlDispatcherA" "ImpersonateLoggedOnUser" "LockServiceDatabase" "QueryServiceLockStatusA" "ChangeServiceConfig2A" "UnlockServiceDatabase" "RegisterServiceCtrlHandlerA" "SetServiceStatus" "gdi32.dll" "CreateDCA" "CreateDIBSection" "CreateCompatibleDC" "GetDIBColorTable" "SelectObject" "BitBlt" "DeleteDC" "DeleteObject" "ws2_32.dll" "WSAStartup" "WSASocketA" "WSAAsyncSelect" "__WSAFDIsSet" "WSAIoctl" "WSAGetLastError" "WSACleanup" "socket" "ioctlsocket" "connect" "inet_ntoa" "inet_addr" "htons" "htonl" "ntohs" "ntohl" "send" "sendto" "recv" "recvfrom" "bind" "select" "listen" "accept" "setsockopt" "getsockname" "gethostname" "getpeername" "closesocket" "shutdown" "wininet.dll" "InternetGetConnectedState" "InternetGetConnectedStateEx" "HttpOpenRequestA" "HttpSendRequestA" "FtpGetFileA" "FtpPutFileA" "InternetConnectA" "InternetOpenUrlA" "InternetCrackUrlA" "InternetReadFile" "InternetCloseHandle" "Mozilla/4.0 (compatible)" "icmp.dll" "IcmpCreateFile" "IcmpCloseHandle" "IcmpSendEcho" "netapi32.dll" "NetShareAdd" "NetShareDel" "NetShareEnum" "NetScheduleJobAdd" "NetApiBufferFree" "NetRemoteTOD" "NetUserAdd" "NetUserDel" "NetUserEnum" "NetUserGetInfo" "NetMessageBufferSend" "dnsapi.dll" "DnsFlushResolverCache" "DnsFlushResolverCacheEntry_A" "iphlpapi.dll" "DeleteIpNetEntry" "GetIfTable" "GetTcpTable" "GetUdpTable" "mpr.dll" "WNetAddConnection2A" "WNetAddConnection2W" "WNetCancelConnection2A" "WNetCancelConnection2W" "shell32.dll" "SHChangeNotify" "odbc32.dll" "SQLDriverConnect" "SQLAllocHandle" "psapi.dll" "GetModuleFileNameExA" "GetModuleBaseNameA" "EnumProcessModules" "GetProcessMemoryInfo" "shlwapi.dll" "PathRemoveFileSpecA" |
sub_40860A(5940): WS2_32.ntohs WSOCK32.setsockopt WS2_32.bind WS2_32.listen |
sub_40C23A(66cf): MSVCRT.free |
sub_40447B(682d): MSVCRT._vsnprintf "QUIT %s\r\n" "QUIT\r\n" |
sub_40443D(69b2): WS2_32.shutdown WS2_32.closesocket "Leaving" |
sub_408BBE(6a79): MSVCRT.atoi "%s %s t stp. (%d t(s) stp.)" "%s No %s t found." |
sub_408E28(6d80): MSVCRT.strtok " " |
sub_4079A2(7115): ADVAPI32.RegDeleteKeyA ADVAPI32.RegOpenKeyExA ADVAPI32.RegEnumKeyExA ADVAPI32.RegDeleteValueA ADVAPI32.RegCloseKey |
sub_408F96(7301): KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT._snprintf MSVCRT.strcpy SHLWAPI.PathRemoveFileSpecA KERNEL32.lstrcmpiA KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.CopyFileA NTDLL.RtlGetLastWin32Error KERNEL32.Sleep "%s\\%s" |
sub_408EA4(7522): KERNEL32.GetWindowsDirectoryA MSVCRT.strcat KERNEL32.CreateFileA KERNEL32.GetFileTime KERNEL32.CloseHandle KERNEL32.SetFileTime "Shell" "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"... |
sub_40483A(762e): MSVCRT.strcmp |
sub_40AB4C(7a17): MSVCRT.strlen MSVCRT.sscanf MSVCRT.rand "%d.%d.%d.%d" |
sub_40890C(7abb): KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.CloseHandle |
sub_404EB9(7c5a): MSVCRT.memset KERNEL32.GetVersionExA MSVCRT.sprintf MSVCRT.strlen MSVCRT.rand "SP%i-" |
sub_406F72(7ffe): MSVCRT.strncpy MSVCRT.strcmp MSVCRT.strchr MSVCRT.strstr MSVCRT.strlen MSVCRT.strtok MSVCRT.sprintf KERNEL32.Sleep "$dec(" ")" "|" "topic" |
sub_40B47F(8337): KERNEL32.lstrcatA KERNEL32.CreateDirectoryA NTDLL.RtlGetLastWin32Error KERNEL32.SetFileAttributesA KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle KERNEL32.lstrlenA KERNEL32.GetModuleFileNameA KERNEL32.CopyFileA "\\RECYCLER" "\\S-1-6-21-2434476501-1644491937-6000033"... "\\Desktop.ini" "[.ShellClassInfo]\r\nCLSID={645FF040-5081"... "[autorun]\r\nopen=" "\r\nicon=%SystemRoot%\\system32\\SHELL32.dl"... "\r\nshell\\open\\default=1" |
sub_408E8A(8491): KERNEL32.GetFileAttributesA |
sub_408424(84a2): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.LockServiceDatabase NTDLL.RtlGetLastWin32Error KERNEL32.LocalAlloc ADVAPI32.QueryServiceLockStatusA KERNEL32.LocalFree ADVAPI32.ChangeServiceConfig2A ADVAPI32.UnlockServiceDatabase ADVAPI32.CloseServiceHandle |
sub_403DB3(882b): MSVCRT.strlen MSVCRT.strcpy |
sub_409D61(8ab8): WS2_32.WSAStartup WS2_32.socket WS2_32.inet_addr WS2_32.ntohs WS2_32.connect WS2_32.send WS2_32.recv MSVCRT.memcpy MSVCRT.sprintf MSVCRT.strlen MSVCRT.malloc WS2_32.closesocket |
sub_40731E(8bf4): MSVCRT.strcmp |
sub_4086B2(8fa9): MSVCRT.strcpy WS2_32.gethostbyname WS2_32.inet_ntoa WS2_32.inet_addr WS2_32.gethostbyaddr |
sub_404B21(9131): "MODE %s %s\r\n" "MODE %s %s %s\r\n" |
sub_4066DC(9506): WS2_32.inet_addr WS2_32.gethostbyname |
sub_4048F0(9637): MSVCRT._vsnprintf KERNEL32.Sleep "PRIVMSG %s :%s\r\n" |
sub_4081D8(9788): ADVAPI32.RegisterServiceCtrlHandlerA ADVAPI32.SetServiceStatus KERNEL32.CreateThread KERNEL32.WaitForSingleObject KERNEL32.CloseHandle |
sub_40B30A(9885): MSVCRT.memcpy |
sub_40AD1A(99df): WS2_32.inet_addr NTDLL.RtlDeleteCriticalSection KERNEL32.InitializeCriticalSectionAndSpinCount NTDLL.RtlGetLastWin32Error KERNEL32.CreateThread KERNEL32.Sleep WS2_32.inet_ntoa KERNEL32.ExitThread "Failed to initialize critical section, "... "-%s:%d, Scan thread: %d, Sub-thread: %d"... "Finished at %s:%d after %d minute(s) of"... |
sub_4088DC(9a64): ADVAPI32.AdjustTokenPrivileges KERNEL32.CloseHandle |
sub_40C6AC(9c9a): MSVCRT._controlfp |
sub_408A19(9fca): KERNEL32.TerminateThread WS2_32.closesocket |
sub_40836C(a315): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.StartServiceA ADVAPI32.CloseServiceHandle |
sub_40BC82(a86c): WS2_32.WSAStartup WS2_32.socket WSOCK32.setsockopt WS2_32.ioctlsocket WS2_32.ntohs WS2_32.bind WS2_32.listen MSVCRT.sprintf KERNEL32.GetModuleFileNameA KERNEL32.CreateFileA KERNEL32.GetFileSize KERNEL32.CloseHandle KERNEL32.GetDateFormatA KERNEL32.GetTimeFormatA WS2_32.select WS2_32.__WSAFDIsSet WS2_32.accept WSOCK32.recv WS2_32.closesocket MSVCRT.strstr WS2_32.getpeername MSVCRT.strlen WS2_32.send MSVCRT.memset KERNEL32.SetFilePointer KERNEL32.ReadFile WS2_32.WSAGetLastError "application/octet-stream" "ddd, dd MMM yyyy" "HH:mm:ss" "GET " "HTTP/1.0 200 OK\r\nServer: private\r\nCache"... |
sub_403D53(abf3): MSVCRT._vsnprintf MSVCRT.strlen WS2_32.send |
sub_404F82(b0d6): MSVCRT.memset KERNEL32.GetVersionExA KERNEL32.GetLocaleInfoA MSVCRT.strcat MSVCRT.rand MSVCRT.sprintf "95" "NT" "98" "ME" "2K" "XP" "2K3" "WIN" "|" "%i" "]" |
sub_40965C(b11d): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.DeleteService KERNEL32.ReleaseMutex |
sub_40B179(b227): KERNEL32.lstrcmpiA MSVCRT.strncpy MSVCRT.strcpy KERNEL32.CreateThread KERNEL32.Sleep "s" "Random" "Sequential" "%s -AutoScan- started on %s:%d with a d"... |
sub_408696(b51e): WS2_32.shutdown WS2_32.closesocket |
sub_406B46(b7b0): MSVCRT.strcpy MSVCRT.strcmp MSVCRT._snprintf KERNEL32.lstrcmpiA "%s %s!%s@%s (Tried: %s)" "%s ." "%s [+]." |
sub_40829C(bcbb): MSVCRT.sprintf ADVAPI32.OpenSCManagerA ADVAPI32.CreateServiceA NTDLL.RtlGetLastWin32Error ADVAPI32.CloseServiceHandle "\"%s\"" |
sub_4069AE(bd1c): MSVCRT.memset |
sub_40C2C0(c12a): MSVCRT._onexit MSVCRT.__dllonexit |
sub_407BCA(c96d): ADVAPI32.RegOpenKeyExA ADVAPI32.RegQueryInfoKeyA ADVAPI32.RegEnumKeyExA ADVAPI32.RegEnumValueA MSVCRT.strcmp MSVCRT.sprintf ADVAPI32.RegCloseKey "(%.2d) %s\\%s" "(Default)" "(%.2d) %s\\%s (%s)" |
sub_40487C(cabf): MSVCRT._vsnprintf KERNEL32.Sleep "NOTICE %s :%s\r\n" |
sub_4045CE(ced5): MSVCRT.strchr MSVCRT.strcmp MSVCRT.strlen MSVCRT.strcpy "JOIN" "PART" "QUIT" "NOTICE" "PRIVMSG" "NICK" "PING" "PONG %s\r\n" |
sub_402E76(cf35): MSVCRT.strlen |
sub_408812(d100): KERNEL32.GetCurrentThread ADVAPI32.OpenThreadToken KERNEL32.GetCurrentProcess ADVAPI32.OpenProcessToken ADVAPI32.LookupPrivilegeValueA ADVAPI32.AdjustTokenPrivileges NTDLL.RtlGetLastWin32Error KERNEL32.CloseHandle "SeDebugPrivilege" |
sub_405186(d40d): MSVCRT.memset KERNEL32.QueryPerformanceCounter KERNEL32.QueryPerformanceFrequency MSVCRT.sprintf USER32.FindWindowA MSVCRT.strcat WININET.InternetGetConnectedStateExA "[" "MSNHiddenWindowClass" "M" "|" "AIM_CSignOnWnd" "A" "D" "%.2I64u" "|" |
sub_407273(d535): MSVCRT.strtok MSVCRT.strchr KERNEL32.CreateThread " " |
sub_40419B(d6ff): MSVCRT._vsnprintf |
sub_401613(db8a): KERNEL32.GetVersionExA MSVCRT.strstr MSVCRT._snprintf "2" "%s:*:%s" "SYSTEM\\CurrentControlSet\\Services\\Share"... |
sub_40176D(e0cf): KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA MSVCRT._snprintf |
sub_406776(e176): MSVCRT.strcmp MSVCRT.strncpy MSVCRT.strtok "." "10" "172" "16" "192" "168" "90" "0" |
sub_404069(ea9d): MSVCRT.strcmp |
sub_40457E(ec76): MSVCRT.strstr "\r\n" |
sub_404C0F(ec96): MSVCRT.memset MSVCRT.rand |
sub_404A11(efe2): "JOIN %s\r\n" |
sub_401A85(f227): MSVCRT.strcpy |
sub_408976(f280): MSVCRT._vsnprintf MSVCRT.strncpy |
sub_4042A3(f48e): WININET.InternetGetConnectedState KERNEL32.Sleep WS2_32.socket WS2_32.gethostbyname MSVCRT.memcpy WS2_32.ntohs WS2_32.connect WS2_32.closesocket KERNEL32.GetTickCount MSVCRT.strlen MSVCRT.strcpy MSVCRT.strcmp "PASS %s\r\n" "NICK %s\r\n" "USER %s * 0 :%s\r\n" |
sub_4044FE(f769): WS2_32.recv KERNEL32.GetTickCount |
sub_40670F(fb1d): MSVCRT.strchr MSVCRT.strlen |
sub_4052FB(fd80): "NICK %s\r\n" |
sub_40A87B(fe99): MSVCRT.memset MSVCRT.strncpy MSVCRT.strtok MSVCRT.sprintf "." "0" "0" "0" |
sub_409897(feec): MSVCRT.strcpy KERNEL32.OpenProcess KERNEL32.lstrcmpiA "unknown" "Explorer.exe" |