Gen:Variant.Midie.6956 (BitDefender), VirTool:Win32/Injector.EG (Microsoft), Trojan-Dropper.Win32.Sysn.bpvb (Kaspersky), Trojan-Dropper.Win32.Daws.awfy (v) (not malicious) (VIPRE), Trojan.Inject1.10883 (DrWeb), Gen:Variant.Midie.6956 (B) (Emsisoft), PWSZbot-FIB!0046B07A550C (McAfee), W32.Faedevour!inf (Symantec), Trojan-Dropper.Win32.Daws (Ikarus), Gen:Variant.Midie.6956 (FSecure), SHeur4.ALPI (AVG), Win32:Malware-gen (Avast), PE_WINDEX.A (TrendMicro), Gen:Variant.Midie.6956 (AdAware), VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Virus, VirTool, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0046b07a550c79f4fac1bd6e99b598b8
SHA1: d6ca8882c027b875d05999977dc01dc10ed6fdf7
SHA256: e022979a8d2e4ad8c740b900658fdb1b56fd004225caef8a319bf273f7e7069b
SSDeep: 49152:lJY7XIlbTChxKCnFnQXBbrtgb/iQvu0UHOUk7:jY7Yl6hxvWbrtUTrUHOh7
Size: 2248324 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2012-03-05 10:37:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
@AE1.tmp.exe:1856
%original file name%.exe:264
The Trojan injects its code into the following process(es):
%original file name%.exe:2000
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process @AE1.tmp.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (238392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (448824 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
Registry activity
The process @AE1.tmp.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 31 77 A5 63 5B 2C FD 41 FF 58 57 C0 32 F1 39"
The process %original file name%.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F9 F4 66 5D 4A 3B 27 5A C8 87 03 FB 47 35 63"
Dropped PE files
MD5 | File path |
---|---|
fe03cb7be5dcde81f82aeefcba68d773 | c:\%original file name%.exe |
db3bc1bd98028636fd692569219db3eb | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Messenger\Extension\WdExt.exe |
2ccc474eb85ceaa3e1fa1726580a3e5a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Temp\mydll.dll |
496a6fba564240ce1512e7553f72ad87 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\@AE1.tmp.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 734 bytes in size. The following entry is added to the hosts file:
127.0.0.1 www.Brenz.pl
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
@AE1.tmp.exe:1856
%original file name%.exe:264
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (238392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (448824 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Iswise
Product Name: ????
Product Version: 8.01.0022
Legal Copyright:
Legal Trademarks:
Original Filename: Request_Service.exe
Internal Name: Request_Service
File Version: 8.01.0022
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2108 | 2560 | 3.76997 | 6dbb11cce72cc16b887018dd4c34d252 |
.rdata | 8192 | 1478 | 1536 | 3.36814 | 838666d924e8b6e9dfc84f930bd16733 |
.data | 12288 | 348160 | 512 | 0.377955 | 7d6dcdf3bcb22dca4957ddb77c1c8cbf |
.rsrc | 360448 | 32768 | 32768 | 5.15929 | b601eceaf8ddd492a58ff7f1460d2711 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps