HEUR:Trojan.Script.Generic (Kaspersky), Trojan.Generic.10239673 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 534929d7257c9bc4f62fcf3e8620c7d8
SHA1: b8ee86e2342c81f592602319ecc407625fd4faf5
SHA256: d768cb2b8f065c86fcdf702dc5375a25dd4f5558a190f2be499b39a0acd22e0c
SSDeep: 12288:waWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8IJze68PvanRJkHVphYJGTaTFxfj5kMx:3aHMv6CorjqnyC8IJK007QGTojfjlyY
Size: 1074485 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ICorporation
Created at: 2010-04-16 10:47:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
RSOP.exe:1336
RSOP.exe:136
RSOP.exe:468
%original file name%.exe:188
%original file name%.exe:1364
The Trojan injects its code into the following process(es):
taskmgr.exe:488
svchost.exe:444
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (2769 bytes)
%WinDir%\RSOP.exe (1425 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%WinDir%\RSOP.exe (0 bytes)
The process taskmgr.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SJKR0F2D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q37GRL1S\desktop.ini (67 bytes)
%System%\Microsoft\Protect\System.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNKX8HU1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.xtr (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (68015 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (0 bytes)
Registry activity
The process RSOP.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 67 BD D2 5E DE 9F BC 71 69 C1 2F 59 29 BC 6A"
The process RSOP.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 CF BD 7C 3F B7 D3 68 3A ED 4F 42 CB 95 58 BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process RSOP.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 0F F3 AA 9F 96 2C 2E 52 18 62 97 0F 5D 6C AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\XtremeRAT]
"Mutex" = "YWHq0Sews"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 13 A9 A1 41 54 A0 FB 6A FE 4F 5B 39 8C 80 75"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D EF 7C BF 37 A3 B7 53 DC 4E D3 B1 68 0D 9D D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process taskmgr.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\YWHq0Sews]
"ServerStarted" = "22/05/2016 19:29:33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1208111732"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "taskmgr.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\YWHq0Sews]
"ServerName" = "%System%\Microsoft\Protect\System.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 C3 3F 93 CB AF DE 82 17 E4 0D F6 CF DC 09 B5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local sites with no dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update" = "%System%\Microsoft\Protect\System.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\Microsoft\Protect\System.exe"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all sites that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\Microsoft\Protect\System.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
a87e455284d5aaf624c6c419fa7f9bed | c:\WINDOWS\RSOP.exe |
a87e455284d5aaf624c6c419fa7f9bed | c:\WINDOWS\system32\Microsoft\Protect\System.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
RSOP.exe:1336
RSOP.exe:136
RSOP.exe:468
%original file name%.exe:188
%original file name%.exe:1364
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (2769 bytes)
%WinDir%\RSOP.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SJKR0F2D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q37GRL1S\desktop.ini (67 bytes)
%System%\Microsoft\Protect\System.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNKX8HU1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.xtr (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (68015 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update" = "%System%\Microsoft\Protect\System.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\Microsoft\Protect\System.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\Microsoft\Protect\System.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 524311 | 524800 | 4.59884 | be1208f841dc92012d5f6bbdd832e6d9 |
.rdata | 532480 | 55644 | 55808 | 3.15553 | 47a64a37213ad28510461b998d7032c7 |
.data | 589824 | 107800 | 26624 | 1.52615 | e5d77411f751d28c6eee48a743606795 |
.rsrc | 700416 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
alonedevil.no-ip.org | 204.95.99.193 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Strings from Dumps