HEUR:Trojan.Win32.AntiAV (Kaspersky), Trojan.Generic.8118023 (B) (Emsisoft), Trojan.Generic.8118023 (AdAware), Monitor.Win32.PerfectKeylogger.FD, Trojan.Win32.Ransom.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Ransom, Trojan, Worm, EmailWorm, Monitor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d6a62ad9b22a846c6b7595b420d553ce
SHA1: 20af3e4fa5d0a15750f9dd1a281d398e50ecb8a2
SHA256: c7e5aedba89b72e2a97a05023d400a8b614d6455476949352290ad813d275c17
SSDeep: 98304:RJj4KU9ULx9ie T22S2LSaY0P4u62 EGKN2LgbIncinze44OxudvqWwI2Rqs :DjDOULx99 y2S2fP4u6tE/28cnciJPPs
Size: 4920351 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: WinRAR32bitSFXModule, UPolyXv05_v6
Company: no certificate found
Created at: 2001-03-02 20:25:22
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
bpk.exe:264
rinst.exe:3512
%original file name%.exe:2180
CF Modz Plus 2.1 [Setup].exe:3580
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process bpk.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\pk.bin (4 bytes)
C:\Windows\System32\bpkhk.dll (24 bytes)
C:\Windows\System32\bpkwb.dll (40 bytes)
The process rinst.exe:3512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\bpkhk.dll (784 bytes)
C:\Windows\System32\bpk.exe (15602 bytes)
C:\Windows\System32\rinst.exe (7 bytes)
C:\Windows\System32\pk.bin (4 bytes)
C:\Windows\System32\inst.dat (996 bytes)
C:\Windows\System32\bpkwb.dll (1552 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (0 bytes)
The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe (5398 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (15 bytes)
Registry activity
The process bpk.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]
"(Default)" = "PK.IE"
[HKCR\PK.IE\CurVer]
"(Default)" = "PK.IE.1"
[HKCR\PK.IE\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IViewSource"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]
"(Default)" = "BPK IE Plugin Type Library"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PK.IE.1\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\bpkwb.dll"
[HKCR\PK.IE.1]
"(Default)" = "IE Plugin Class"
[HKCR\PK.IE]
"(Default)" = "IE Class"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]
"(Default)" = "C:\Windows\system32\bpkwb.dll"
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]
"(Default)" = "PK.IE.1"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"EnableFileTracing" = "0"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IE Plugin Class"
[HKLM\SOFTWARE\Microsoft\Tracing\bpk_RASMANCS]
"MaxFileSize" = "1048576"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bpk" = "C:\Windows\system32\bpk.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "PK IE Plugin"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bpk"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bpk"
The process rinst.exe:3512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process CF Modz Plus 2.1 [Setup].exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\CF Modz Plus 2_RASAPI32]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
540dce4cab23fb30b02d88d634e5e284 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe |
fbe4bab53f74d3049ef4b306d4cd8742 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe |
994ffae187f4e567c6efee378af66ad0 | c:\Windows\System32\bpk.exe |
9ac9028338d1b353a7cacb563bb91df7 | c:\Windows\System32\bpkhk.dll |
fbe4bab53f74d3049ef4b306d4cd8742 | c:\Windows\System32\bpkr.exe |
21d4e01f38b5efd64ad6816fa0b44677 | c:\Windows\System32\bpkwb.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
bpk.exe:264
rinst.exe:3512
%original file name%.exe:2180
CF Modz Plus 2.1 [Setup].exe:3580
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\pk.bin (4 bytes)
C:\Windows\System32\bpkhk.dll (24 bytes)
C:\Windows\System32\bpkwb.dll (40 bytes)
C:\Windows\System32\bpk.exe (15602 bytes)
C:\Windows\System32\rinst.exe (7 bytes)
C:\Windows\System32\inst.dat (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe (5398 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkwb.dll (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpk.exe (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\inst.dat (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\bpkhk.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pk.bin (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\rinst.exe (15 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bpk" = "C:\Windows\system32\bpk.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24576 | 24576 | 4.43127 | 79d0c4738e2ba91323af1ca1575ba325 |
.data | 28672 | 28672 | 2560 | 2.31744 | b802ddae73456f8f70d9b2a2d90b7cf0 |
.idata | 57344 | 4096 | 2560 | 2.88029 | 510f703c8c3427675b39c0e9557a5d0e |
.rsrc | 61440 | 10452 | 10752 | 3.05346 | 7cb6f2d2c884263ec915d7789fe07098 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
457932818ebecf46832679db91b4167e
Network Activity
URLs
URL | IP |
---|---|
gmail-smtp-in.l.google.com | 173.194.222.26 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
CF Modz Plus 2.1 [Setup].exe_3580:
.text
.text
`.data
`.data
.idata
.idata
@.rsrc
@.rsrc
shlwapi.dll
shlwapi.dll
%s %s %s
%s %s %s
GETPASSWORD1
GETPASSWORD1
sfxcmd
sfxcmd
__tmp_rar_sfx_access_check_%u
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
-el -s2 "-d%s" "-p%s" "-sp%s"
%s.%d.tmp
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
%s%s%d
%s%s%d
riched32.dll
riched32.dll
riched20.dll
riched20.dll
COMCTL32.DLL
COMCTL32.DLL
%.*s(%d)%s
%.*s(%d)%s
rtmp%d
rtmp%d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CF Modz Plus 2.1 [Setup].exe
d%Program Files%\CF Modz Plus 2.1.0
d%Program Files%\CF Modz Plus 2.1.0
lu2.iu
lu2.iu
ADVAPI32.DLL
ADVAPI32.DLL
KERNEL32.DLL
KERNEL32.DLL
COMDLG32.DLL
COMDLG32.DLL
GDI32.DLL
GDI32.DLL
SHELL32.DLL
SHELL32.DLL
USER32.DLL
USER32.DLL
OLE32.DLL
OLE32.DLL
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
SHFileOperationA
SHFileOperationA
ShellExecuteExA
ShellExecuteExA
:(,4;;?@
:(,4;;?@
3,45657879
3,45657879
8888888888887
8888888888887
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
Shell.Explorer
Shell.Explorer
Enter password
Enter password
&Enter password for the encrypted file:
&Enter password for the encrypted file:
Extracting %s
Extracting %s
Skipping %s
Skipping %s
The file "%s" header is corrupt%The archive comment header is corrupt
The file "%s" header is corrupt%The archive comment header is corrupt
Unknown method in %s
Unknown method in %s
Cannot open %s
Cannot open %s
Cannot create %s
Cannot create %s
Cannot create folder %s6CRC failed in the encrypted file %s (wrong password ?)
Cannot create folder %s6CRC failed in the encrypted file %s (wrong password ?)
CRC failed in %s
CRC failed in %s
Packed data CRC failed in %s
Packed data CRC failed in %s
Wrong password for %s5Write error in the file %s. Probably the disk is full
Wrong password for %s5Write error in the file %s. Probably the disk is full
Read error in the file %s
Read error in the file %s
Extracting from %s
Extracting from %s
ErroraErrors encountered while performing the operation
ErroraErrors encountered while performing the operation
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
bpk.exe_264:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
0WSSh
0WSSh
SSSSh
SSSSh
YSSSh
YSSSh
SSSSh4
SSSSh4
ujSSh
ujSSh
tn9.uc
tn9.uc
tq9.uf
tq9.uf
!"#$%&'()* ,-./012
!"#$%&'()* ,-./012
!"#$%&'()* ,-./012345678
!"#$%&'()* ,-./012345678
kw.dat
kw.dat
mc.dat
mc.dat
Software\Blazing Tools\Perfect Keylogger\1.2
Software\Blazing Tools\Perfect Keylogger\1.2
readme.txt
readme.txt
inst.dat
inst.dat
rinst.exe
rinst.exe
pk.bin
pk.bin
inst.bin
inst.bin
inst.tmp
inst.tmp
bpk.dat
bpk.dat
$#$#$#$#$#$#$#$#$#$#$#$#$#$
$#$#$#$#$#$#$#$#$#$#$#$#$#$
web.dat
web.dat
bpkch.dat
bpkch.dat
keystrokes.html
keystrokes.html
websites.html
websites.html
chats.html
chats.html
Logs.zip
Logs.zip
bpk.chm
bpk.chm
apps.dat
apps.dat
titles.dat
titles.dat
temporary.bmp
temporary.bmp
th_temp.bmp
th_temp.bmp
report.txt
report.txt
hXXp://VVV.blazingtools.com/
hXXp://VVV.blazingtools.com/
update.tmp
update.tmp
updates/bpk.dat
updates/bpk.dat
install.log
install.log
hhctrl.ocx
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
FtpPutFileA
FtpPutFileA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
WININET.dll
WININET.dll
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
KERNEL32.dll
KERNEL32.dll
EnumChildWindows
EnumChildWindows
GetKeyNameTextA
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayoutList
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
comdlg32.dll
comdlg32.dll
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
RegOpenKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyA
RegOpenKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
URLDownloadToFileA
URLDownloadToFileA
urlmon.dll
urlmon.dll
WSOCK32.dll
WSOCK32.dll
MSVCP60.dll
MSVCP60.dll
RPCRT4.dll
RPCRT4.dll
.PAVCFileException@@
.PAVCFileException@@
.PAVCException@@
.PAVCException@@
.PAVCObject@@
.PAVCObject@@
0xx %d
0xx %d
%u 0xx
%u 0xx
%d %d
%d %d
%d %d %d
%d %d %d
Ss=%d, Se=%d, Ah=%d, Al=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
%d: dc=%d ac=%d
%d: dc=%d ac=%d
%d: %dhx%dv q=%d
%d: %dhx%dv q=%d
0xx: %u, %u, =%d
0xx: %u, %u, =%d
RST%d
RST%d
0xx, %d
0xx, %d
to %d
to %d
%d = %d*%d*%d
%d = %d*%d*%d
%4u %4u %4u %4u %4u %4u %4u %4u
%4u %4u %4u %4u %4u %4u %4u %4u
0xx, length %u
0xx, length %u
%d x %d
%d x %d
%d.d
%d.d
%dx%d %d
%dx%d %d
= = = = = = = =
= = = = = = = =
%d precision %d
%d precision %d
0xx: 0xx
0xx: 0xx
Ãxx 0xx, %d
Ãxx 0xx, %d
0xx 0xx
0xx 0xx
0xx
0xx
Ss=%d Se=%d Ah=%d Al=%d
Ss=%d Se=%d Ah=%d Al=%d
.PAVCOXJPEGException@@
.PAVCOXJPEGException@@
options_alerts.htm
options_alerts.htm
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d
%d-%d-%d %d:%d
options_PTF.htm
options_PTF.htm
OLEACC.DLL
OLEACC.DLL
oleacc.dll
oleacc.dll
TskMultiChatForm.UnicodeClass
TskMultiChatForm.UnicodeClass
TMsgForm
TMsgForm
__oxFrame.class__
__oxFrame.class__
options_notification.htm
options_notification.htm
The .EXE file is invalid
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
(non-Win32 .EXE or error in .EXE image).
%s action failed!
%s action failed!
Failed to execute unknown action!
Failed to execute unknown action!
The operating system is out
The operating system is out
The operating system denied
The operating system denied
There was not enough memory to complete the operation.
There was not enough memory to complete the operation.
d-d-%d d:d:d
d-d-%d d:d:d
WININET.DLL
WININET.DLL
%s
%s
Content-Location: %s
Content-Location: %s
Content-ID: %s
Content-ID: %s
Content-Base: %s
Content-Base: %s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s
Content-Type: %s; charset=%s; name=%s
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
--%s--
--%s--
Microsoft Outlook Express 6.00.2800.1437
Microsoft Outlook Express 6.00.2800.1437
Reply-To: %s
Reply-To: %s
Content-Type: %s;
Content-Type: %s;
charset=%s
charset=%s
Content-Type: %s
Content-Type: %s
Content-Type: %s; boundary="%s"
Content-Type: %s; boundary="%s"
Subject: %s
Subject: %s
Date: %s
Date: %s
X-Mailer: %s
X-Mailer: %s
Cc: %s
Cc: %s
From: %s
From: %s
To: %s
To: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
=?%s?q?
=?%s?q?
EHLO %s
EHLO %s
HELO %s
HELO %s
MAIL FROM:
MAIL FROM:
RCPT TO:
RCPT TO:
Password:
Password:
AUTH LOGIN
AUTH LOGIN
AUTH LOGIN PLAIN
AUTH LOGIN PLAIN
Opera
Opera
Mozilla
Mozilla
Firefox
Firefox
code %d bits %d->%d
code %d bits %d->%d
gen_codes: max_code %d
gen_codes: max_code %d
bl code -
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
Build 1.6.8.0
Build 1.6.8.0
version.dll
version.dll
options_common.htm
options_common.htm
options_diary.htm
options_diary.htm
options_title.htm
options_title.htm
options_email.htm
options_email.htm
Perfect Keylogger Test
Perfect Keylogger Test
KERNEL32.DLL
KERNEL32.DLL
Setup=rinst.exe
Setup=rinst.exe
Program files (*.exe)
Program files (*.exe)
*.exe
*.exe
All files (*.*)
All files (*.*)
explorer.exe
explorer.exe
\shell32.dll
\shell32.dll
-$!.#"%&'(
-$!.#"%&'(
d-d-%d d:d
d-d-%d d:d
user32.dll
user32.dll
EnableSpecialKeysLogging
EnableSpecialKeysLogging
main.htm
main.htm
Windows
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Perfect Keylogger
Perfect Keylogger
%d-%d-%d_%d-%d-%d
%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-d-d_d-d-d-%d
th_%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
nopass
nopass
d-d-d-d-d-d
d-d-d-d-d-d
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
i.dll
i.dll
un.exe
un.exe
vw.exe
vw.exe
wb.dll
wb.dll
hk.dll
hk.dll
r.exe
r.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
psapi.dll
psapi.dll
%s, %s
%s
%s, %s
%s
 %s
 %s
%d/%d/%d %d:%d:%d
%d/%d/%d %d:%d:%d
%s %s
%s
%s %s
%s
%s, %s
%s, %s
%s - %s, %s
%s
%s - %s, %s
%s
advapi32.dll
advapi32.dll
\StringFileInfo\XX\FileDescription
\StringFileInfo\XX\FileDescription
Application files (*.exe)
Application files (*.exe)
options_ex_programs.htm
options_ex_programs.htm
options_screenshots.htm
options_screenshots.htm
%ld%c
%ld%c
00000409
00000409
##.kkJ
##.kkJ
):76666'$
):76666'$
33
33
33
33
8833773333
8833773333
11
11
))
))
;)77))))
;)77))))
''
''
#!
#!
111111111111111
111111111111111
11111111111111111111
11111111111111111111
#-5874.*'&&()('#
#-5874.*'&&()('#
'-.,(%&)0686.&
'-.,(%&)0686.&
#-5874.*'&&()('"
#-5874.*'&&()('"
& .010.- (%!
& .010.- (%!
(17=
(17=
fdUD2(( -.CA*7
fdUD2(( -.CA*7
"(.67420' !'
"(.67420' !'
%,27>=:97/)).
%,27>=:97/)).
(.3431/...148
(.3431/...148
@?940.04
@?940.04
@?:5/,,.
@?:5/,,.
%(()))** -.
%(()))** -.
, (! "#
, (! "#
(""#
(""#
}@"7>>7&$
}@"7>>7&$
LOGIN PLAIN
LOGIN PLAIN
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
Password
Password
Password required
Password required
Enter the password:
Enter the password:
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
&Web log (websites visited)
&Web log (websites visited)
&Also hide keylogger's icon when it will start next time
&Also hide keylogger's icon when it will start next time
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
&SMTP server:
&SMTP server:
Example: smtp.aol.com
Example: smtp.aol.com
&Port number:
&Port number:
&Password:
&Password:
Text log (&keystrokes)
Text log (&keystrokes)
Password protection
Password protection
&Try to upload logs by FTP every
&Try to upload logs by FTP every
HTML (can be viewed with a web browser)
HTML (can be viewed with a web browser)
Example: PTF.prohosting.com
Example: PTF.prohosting.com
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Use passive &mode (this may be necessary for some firewalls)
Use passive &mode (this may be necessary for some firewalls)
T&est FTP
T&est FTP
Capture mouse clicks &only in the following windows:
Capture mouse clicks &only in the following windows:
This software may be installed and evaluated for 5 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
This software may be installed and evaluated for 5 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
Days remaining: %d.
Days remaining: %d.
Perfect Keylogger's Registration
Perfect Keylogger's Registration
Enter &old password:
Enter &old password:
Enter &new password:
Enter &new password:
&Repeat new password:
&Repeat new password:
To remove the password, leave the fields blank.
To remove the password, leave the fields blank.
To set or change the password for using keylogger, click Password button.
To set or change the password for using keylogger, click Password button.
&Password...
&Password...
&Monitor only online activity (disable keylogger when computer is offline)
&Monitor only online activity (disable keylogger when computer is offline)
&Use progressive method of keystroke interception
&Use progressive method of keystroke interception
(flip this option if you have problems with keyboard logging)
(flip this option if you have problems with keyboard logging)
&Include non-character keys in the log
&Include non-character keys in the log
Perfect Keylogger's Home Page
Perfect Keylogger's Home Page
About Perfect Keylogger
About Perfect Keylogger
VVV.blazingtools.com
VVV.blazingtools.com
support@blazingtools.com
support@blazingtools.com
Use the newest solution in the visual surveillance and keyboard monitoring!
Use the newest solution in the visual surveillance and keyboard monitoring!
&Run on Windows startup
&Run on Windows startup
Hotkeys
Hotkeys
msctls_hotkey32
msctls_hotkey32
HotKey1
HotKey1
&Make the program invisible in the Windows startup list
&Make the program invisible in the Windows startup list
Click here to uninstall keylogger
Click here to uninstall keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
The wizard can also create package for removal of the installed keylogger.
The wizard can also create package for removal of the installed keylogger.
&Automatically uninstall remote keylogger after
&Automatically uninstall remote keylogger after
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Keylogger will be installed into the following folder:
Keylogger will be installed into the following folder:
&Install new or update existing keylogger on the remote computer
&Install new or update existing keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
By FTP
By FTP
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
&Add keyword
&Add keyword
Keyword detection action
Keyword detection action
BlazingTools Perfect Keylogger
BlazingTools Perfect Keylogger
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
support@blazingtools.comnYou haven't specified the hotkey to put keylogger into the visible mode. Do you really want to disable hotkey?/Please, specify the destination e-mail address.
Perfect Keylogger report:
Keylogger is ready to work! Type any text in any application, then double click on Perfect Keylogger's icon to view the log. To hide the icon, right click on it and select "Hide program icon" from the context menu. Thank you for installing Perfect Keylogger!
Invalid password!
5An error occured on saving file "%s". Error code = %u
An error has occurred while creating the package. The wizard will be closed. Please make sure that keylogger is running from the original location.CType folder path here or click "Next" to install to "System" folder;"System" folder (path will be detected during installation)
VVV.blazingtools.com/bpk.html
VVV.blazingtools.comVPlease, first specify the hotkey to show the icon next time. Do you want to do it now?TYou're about to hide the program icon.
Attention: use %s to show the icon next time.
FTP server
OError while connecting to site. Please make sure that FTP settings are correct.
Unable to set FTP directory.
Incorrect hook DLL version.ZCan't to set hotkey combination #%d (already in use). Please, specify another combination.
Enter re&gistration code...ETo remove this screen and other trial limitations, please buy it now.)hXXp://VVV.blazingtools.com/orderbpk.html_This is a Perfect Keylogger test message. If you've received it, all mail settings are correct.6Test message was sent succesfully. Check your mailbox.$COPYING TO THE CLIPBOARD WAS LOGGED:$Test file was uploaded successfully!HCongratulations! If you are reading this file, FTP settings are correct.5&Specify the program to combine with the uninstaller:6&Specify the program to combine it with the keylogger:
YA new version of Perfect Keylogger is available. Do you want to download the new version?
When somebody will run this package, it will stop running keylogger and remove it.
Attention: Perfect Keylogger version 1.45 or higher is required..Perfect Keylogger was installed successfully: ZPerfect Keylogger was installed on the computer %s, with IP address %s, user %s at %s, %s.KLog upload date: %s
Time: %s
Computer: %s
IP address: %s
User: %s
Please notice, that keylogger's startup screen will appear when installation package will be launched. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Perfect Keylogger Alert: ePerfect Keylogger has detected that keyword "%s" was typed by user %s at the computer %s.
Context: %s
Error launching Log Viewer.zPefect Keylogger has detected that web page %s contains keyword "%s". This page was visited by user %s at the computer %s.
AttentionARegistration succeeded. Thank you for choosing Perfect Keylogger!
Hide program &icon "Set new Perfect Keylogger password!Change Perfect Keylogger password
Wrong old password.
Passwords do not match.*hXXp://VVV.blazingtools.com/downloads.html
Perfect Keylogger Test Message
This option forces the keylogger to delete itself from the Windows Startup to make it more stealth.
If you choose it, the keylogger won't run at Startup after the power failure or incorrect PC shutdown.
Password captured: %Where do you want to store your logs?3Select the folder where you want to store the logs:
Change ZIP file password
Set ZIP file password