Skip to main content

Gen.Variant.Midie.6956_1c4574d8af


Trojan-Dropper.Win32.Daws.awfy (Kaspersky), Gen:Variant.Midie.6956 (B) (Emsisoft), Gen:Variant.Midie.6956 (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1c4574d8af783820e7eec1902d30c073

SHA1: 88b5a656a46fd9dca75eebfdab50ebf8b8fb0b26

SHA256: 9c2ec95628363b43f0083de9eae5a102a3a6ba7e34037043ba59dd4aa0830d09

SSDeep: 49152:WYBFbTCVBoxKCnFnQXBbrtgb/iQvu0UHOau:bF60xvWbrtUTrUHOl

Size: 2096940 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2012-03-05 10:37:55

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1232
wtmps.exe:2908
mscaps.exe:2960
@AE1.tmp.exe:1632
launch.exe:2824
WdExt.exe:2284

The Trojan injects its code into the following process(es):

service.exe:1496
EmangEloh.exe:1324
winlogon.exe:1512
Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1232 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe (1281 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\service.exe (1281 bytes)
%WinDir%\Ti645063ta.exe (1281 bytes)
%System%\X51334go\Z127387cie.cmd (1281 bytes)
%WinDir%\M35838\smss.exe (1281 bytes)
%WinDir%\M35838\Ja856821bLay.com (1281 bytes)
%System%\127387645063l.exe (1281 bytes)
%WinDir%\sa-755287.exe (1281 bytes)
%WinDir%\M35838\EmangEloh.exe (1281 bytes)
%WinDir%\system\msvbvm60.dll (8657 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)

The process wtmps.exe:2908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\mscaps.exe (27349 bytes)

The process mscaps.exe:2960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\wtime32.dll (29045 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (0 bytes)

The process @AE1.tmp.exe:1632 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000808E2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080901_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FF6C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804EA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805D5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD69_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080008_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080400_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA6B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (244510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008050A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080047_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008074C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FEA1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F700_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F8A6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F599_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F6B2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F932_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB36_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808C3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F952_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080884_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7DB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD0B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7BB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000802C8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080613_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008044E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9BF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F625_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080671_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080354_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080539_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807AA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804CB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F73E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FCBD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F80A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080690_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080279_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FEE0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA1D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080325_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FBE2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807C9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080112_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE63_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080141_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9CF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F616_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F971_Rar\@AE1.tmp.exe (13122 bytes)
%WinDir%\system.ini (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806DE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000800E3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FDE6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008047D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F79C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FDA7_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080076_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080316_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F819_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F8E4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807E8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804AC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008042F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000803A2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4ED_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD49_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FBC3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080567_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FC7E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080383_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808A4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F848_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FFAB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008072D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F654_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008046D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (459254 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808F2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080652_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805B6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA8A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000803C2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA4C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FAC9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD88_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F5F6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F78D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008071D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FC20_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F913_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F838_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080548_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F867_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB17_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F6D1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F990_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FAE8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4CD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7EA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F644_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080817_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F54A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080587_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F693_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F664_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB75_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080836_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000802A8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE43_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE24_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA2C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806B0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805F4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080865_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008023B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080633_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008076B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008078A_Rar\@AE1.tmp.exe (13122 bytes)

The Trojan deletes the following file(s):

%WinDir%\7f4cd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (0 bytes)

The process service.exe:1496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\pchealth\UploadLB\Gallery .scr (305 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%WinDir%\SoftwareDistribution\Download\TutoriaL HAcking .exe (305 bytes)
%WinDir%\ime\shared\Blink 182 .exe (305 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)
%System%\X51334go\Z127387cie.cmd (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\Titip Folder Jangan DiHapus .exe (305 bytes)
%WinDir%\system\msvbvm60.dll (8657 bytes)
%WinDir%\[TheMoonlight].txt (109 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\RaHasIA .exe (305 bytes)
%Program Files%\Movie Maker\Shared\Gallery .scr (305 bytes)
%WinDir%\Downloaded Program Files\THe Best Ungu .scr (305 bytes)
%Program Files%\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe (305 bytes)

The process launch.exe:2824 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (112 bytes)

The process WdExt.exe:2284 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0008289F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C97_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083820_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F27_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F56_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FF2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E2D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839D5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819AB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008210E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F17_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000817D6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008368A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082294_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D54_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A33_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083273_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834B5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000826CA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081892_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008192E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081546_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839B6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082071_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083745_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E9D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DDF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083978_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835CE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839A6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082052_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C87_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082285_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B8B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081DB2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A64_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BBA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008290C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008314A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D16_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FC3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082042_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C77_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081601_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835AF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008382F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008331F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000816FB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081BCE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082459_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E8D_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FC5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B4F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008260F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082803_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081BBE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A43_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081815_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008293B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008148A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008266D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832FF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BAA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E5E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082544_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834E4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083774_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082841_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008146B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082747_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008213C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008312B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E1D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082524_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835BE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FF4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B80_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083784_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008142D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D83_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C29_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821AA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819DA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082822_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E8B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B12_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BC9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082515_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083707_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821C9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082479_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008149A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008240B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082023_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834D4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008383F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000823FC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000830DC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008217B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822C3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081AB5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A45_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839C6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083179_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818A1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082330_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083447_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081640_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000815B3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008165F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E5C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D74_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081882_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000826BB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000825FF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F85_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081A76_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008361C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A14_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008330F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008196C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DFE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FB4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EEB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F46_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081ECB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008214C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083810_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A93_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814AA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083726_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D06_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B8F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081AE3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082CD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B3F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082062_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081F1A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008241B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B9F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081517_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083438_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082488_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083409_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083428_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083457_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081A28_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081565_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008190F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839F5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B5E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008198C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083188_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D26_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B20_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008387E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E4C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000831A8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082BFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818EF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819F9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E3D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832E0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DC0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083159_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083282_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000837E1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083476_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FE5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000824A7_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E6E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081798_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008143C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822E2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B41_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B60_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083292_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081594_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082D62_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082469_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081F0A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AB2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832D0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082709_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082728_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008333E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008269B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083987_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008294B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083002_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AE1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835FD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E4E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008388D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D35_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008366A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828CE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008367A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082861_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082718_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081769_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008310B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082033_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008385E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081DA3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000830CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E0E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814F8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C49_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FD3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008364B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832A2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822D3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A35_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081507_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008172A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AD2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083467_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081853_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D93_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082498_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082302_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C39_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008386E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822A4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822F2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008218B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008311B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000816CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008215C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008362C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835ED_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A04_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B5C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081621_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008166F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EDB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828DE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B3D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A26_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081650_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082014_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083755_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083263_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008390A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814C9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082321_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821B9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EBC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F94_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000838AC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008313A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083198_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082311_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008212D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D64_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083486_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814E8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008291C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082340_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814B9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008211D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828AF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834A5_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F75_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000837F1_Rar\WdExt.exe (13122 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)

The process EmangEloh.exe:1324 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\X51334go\Z127387cie.cmd (1281 bytes)
%WinDir%\[TheMoonlight].txt (109 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)

Registry activity

The process %original file name%.exe:1232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\TUX\Path]
"1" = "M35838"
"3" = "X51334go"
"2" = "O63746Z"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates\O63746Z]
"winlogon.exe" = "winlogon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates\O63746Z]
"service.exe" = "service"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 35 A9 A9 AE 62 7A EF 51 4E 02 0B F8 C6 CE B7"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\M35838]
"smss.exe" = "smss"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\TUX\biang]
"4" = "856821"
"5" = "110343"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\M35838]
"EmangEloh.exe" = "EmangEloh"

[HKLM\SOFTWARE\Microsoft\TUX\biang]
"1" = "127387"
"2" = "755287"
"3" = "645063"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process mscaps.exe:2960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "%System%\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process @AE1.tmp.exe:1632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Temp]
"adm1.bat" = "adm1"
"adm0.bat" = "adm0"

[HKCU\Software\Stvncyfrlda]
"m2_8" = "997419746"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKCU\Software\Stvncyfrlda]
"m2_2" = "3470575367"
"m2_3" = "910905639"
"m2_0" = "6889"
"m2_1" = "1735293802"
"m2_6" = "1821804778"
"m2_7" = "3557105245"
"m2_4" = "2646190109"
"m2_5" = "86520731"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "1E5571E550EC6AC53AE13D3F7DC0CC8061CA44594227D6670DCDCEE4A123B745EEAD14A703C99DD3DBA2A4D607F69A83882C176653A4259F99BD6A9AA8EBC4B5A7028BF34E1C7C726DDA76137D0018A90E5CEFA084D0BB9F20D2346760CC5762EE70F3336E4A2BF1EC3D5E297DC79279B9237BA952F46582C5B90B54CE577E6852FFEDCF4C3AF6531535847E5DA8CDE9FB42AE7DAD10CECB5628D6CB3D14BE8454AD881D29EE50C7CACF782FDC3C2625A60E29DB5AF20451090ADA90C8E812FAF069C6194C2CA266BD6AA8911F3774E5030BA04C8A9D88FAC4EFE9901B2A630033F20048AF11A37D0019DA4E355233F7FB54DC18CA8FD6E270532510C72C472D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F C2 CF 4B 97 50 F8 4A 55 08 3B F5 3B 00 C3 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m3_3" = "927474798"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2F736F62616B61312E67696600687474703A2F2F3139302E3132302E3232372E39313A383038302F736F62616B61766F6C6F732E676966"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m3_8" = "980422977"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Stvncyfrlda]
"m1_5" = "3898353818"
"m1_4" = "2161800132"
"m1_7" = "1991572934"
"m1_6" = "1482184409"
"m1_1" = "3902816932"
"m1_0" = "3576254676"
"m1_3" = "1738348942"
"m1_2" = "1341601299"

"m1_8" = "2910010173"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "75"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"@AE1.tmp.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\@AE1.tmp.exe:*:Enabled:ipsec"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process service.exe:1496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\VB and VBA Program Settings\noGods\appActive]
"service.exe" = "ˆÕq Í‰W«"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup" = "%System%\X51334go"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"fullpath" = "1"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKCR\scrfile]
"(Default)" = "File Folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 19 3E 0F 60 F4 26 1B 85 EA CE C5 B6 12 D4 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

[HKLM\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T46Z273" = "%WinDir%\sa-755287.exe"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"

"Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"T1358287TT4" = "%System%\127387645063l.exe"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-cfirltrx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AllMyBallance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourUnintendes"

"Bron-Spizaetus-cgglmmrv"

"dkernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-1101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TryingToSpeak"

"YourUnintended"

"Bron-Spizaetus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MomentEverComes"

"SaTRio ADie X"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADie suka kamu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lexplorer"

The process launch.exe:2824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 D1 DE CA EE 5C 3D 01 D9 13 A0 62 A3 8A EF E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

The process WdExt.exe:2284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B AC FE 75 43 0E DC 57 E9 55 3E FF 06 E2 58 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process EmangEloh.exe:1324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\noGods\appActive]
"EmangEloh.exe" = "¦»óŽ½ê§tÈ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup" = "%System%\X51334go"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"fullpath" = "1"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKCR\scrfile]
"(Default)" = "File Folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 02 A5 F5 AC F5 3B D6 23 5D BF 14 8D 76 25 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

[HKLM\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T46Z273" = "%WinDir%\sa-755287.exe"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"

"Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"T1358287TT4" = "%System%\127387645063l.exe"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-cfirltrx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AllMyBallance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourUnintendes"

"Bron-Spizaetus-cgglmmrv"

"dkernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-1101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TryingToSpeak"

"YourUnintended"

"Bron-Spizaetus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MomentEverComes"

"SaTRio ADie X"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADie suka kamu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lexplorer"

Dropped PE files

MD5 File path
6bba9e183cc0212f741c4a43130225d0c:\%original file name%.exe
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\RaHasIA .exe
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\#SharedObjects\Titip Folder Jangan DiHapus .exe
f1c9f4a1f92588aeb82be5d2d4c2c730c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Caches\Files\usd.dll
1fcc5b3ed6bc76d70cfa49d051e0dff6c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Common\Shared\dis.dll
bb3bb6e7fe14b92175c7bad897e221c7c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Defender\launch.exe
a92cb8491a1066e1f2de6eafff0df53ac:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Messenger\Extension\WdExt.exe
6a9461f260ebb2556b8ae1d0ba93858ac:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Repairs\sha.dll
d0c9ada173da923efabb53d5a9b28d54c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Shared\Modules\fil.dll
fffa05401511ad2a89283c52d0c86472c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\Addins\att.dll
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F4CD_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F4ED_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F54A_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F599_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F5F6_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F616_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F625_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F644_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F654_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F664_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F673_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F693_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F6B2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F6D1_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F700_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F73E_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F78D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F79C_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F7BB_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F7DB_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F7EA_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F80A_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F819_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F838_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F848_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F867_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F8A6_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F8E4_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F913_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F932_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F952_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F971_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F990_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F9BF_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F9CF_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F9FE_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FA1D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FA2C_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FA4C_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FA6B_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FA8A_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FAC9_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FAE8_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FB17_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FB36_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FB75_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FBC3_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FBE2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FC20_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FC7E_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FCBD_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FD0B_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FD49_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FD69_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FD88_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FDA7_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FDE6_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FE24_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FE43_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FE63_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FEA1_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FEE0_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FF6C_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007FFAB_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080008_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080047_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080076_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000800E3_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080112_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080141_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008023B_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080279_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000802A8_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000802C8_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080316_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080325_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080354_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080383_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000803A2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000803C2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080400_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008042F_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008044E_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008046D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008047D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000804AC_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000804CB_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000804EA_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008050A_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080539_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080548_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080567_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080587_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000805B6_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000805D5_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000805F4_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080613_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080633_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080652_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080671_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080690_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000806B0_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000806DE_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000806FE_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008071D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008072D_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008074C_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008076B_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008078A_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000807AA_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000807C9_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000807E8_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080817_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080836_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080865_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080884_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000808A4_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000808C3_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000808E2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000808F2_Rar\@AE1.tmp.exe
790c6356f71a379b8ae84a25d563b3b3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080901_Rar\@AE1.tmp.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008142D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008143C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008146B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008148A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008149A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814AA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814B9_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814C9_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814E8_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814F8_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081507_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081517_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081546_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081565_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081594_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000815B3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081601_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081621_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081640_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081650_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008165F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008166F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000816CD_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000816FB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008172A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081769_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081798_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000817D6_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081815_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081853_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081882_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081892_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000818A1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000818C1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000818EF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008190F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008192E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008196C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008198C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000819AB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000819DA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000819F9_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081A28_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081A76_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081AB5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081AE3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B12_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B41_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B60_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B80_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B8F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081B9F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081BBE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081BCE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D06_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D16_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D26_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D35_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D54_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D64_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D74_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D83_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081D93_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081DA3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081DB2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081E4E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081E5E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081E6E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081E8D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081E9D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081EBC_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081ECB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081EDB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081EEB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081EFA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081F0A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081F1A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081FC5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081FD5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081FE5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081FF4_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082014_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082023_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082033_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082042_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082052_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082062_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082071_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008210E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008211D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008212D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008213C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008214C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008215C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008217B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008218B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000821AA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000821B9_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000821C9_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082285_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082294_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000822A4_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000822C3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000822D3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000822E2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000822F2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082302_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082311_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082321_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082330_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082340_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000823FC_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008240B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008241B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082459_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082469_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082479_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082488_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082498_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000824A7_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082515_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082524_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082544_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000825FF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008260F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008266D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008269B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000826BB_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000826CA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082709_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082718_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082728_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082747_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082803_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082822_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082841_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082861_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008289F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000828AF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000828CE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000828DE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008290C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008291C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008293B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008294B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082A26_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082A35_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082A45_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082A64_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082A93_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082AB2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082AD2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082AE1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082B20_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082B3F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082B4F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082B5E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082BFA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C29_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C39_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C49_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C58_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C77_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C87_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082C97_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082CD5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082D62_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082DC0_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082DDF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082DFE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E0E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E1D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E2D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E3D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E4C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E5C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E7B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082E8B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F17_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F27_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F46_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F56_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F75_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F85_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082F94_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082FB4_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082FC3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082FD3_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00082FF2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083002_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000830CD_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000830DC_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008310B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008311B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008312B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008313A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008314A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083159_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083179_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083188_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083198_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000831A8_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083263_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083273_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083282_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083292_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000832A2_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000832C1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000832D0_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000832E0_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000832FF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008330F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008331F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008333E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083409_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083428_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083438_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083447_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083457_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083467_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083476_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083486_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000834A5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000834B5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000834D4_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000834E4_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000835AF_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000835BE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000835CE_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000835ED_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000835FD_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008361C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008362C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008364B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008366A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008367A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008368A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083707_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083726_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083745_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083755_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083774_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083784_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000837E1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000837F1_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083810_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083820_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008382F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008383F_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008385E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008386E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008387E_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008388D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000838AC_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008390A_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083978_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083987_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000839A6_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000839B6_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000839C6_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000839D5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000839F5_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083A04_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083A14_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083A33_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083A43_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083B3D_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083B5C_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083B7B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083B8B_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083BAA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083BBA_Rar\WdExt.exe
3fb2fbb07ad188aecc02144c37b362a7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00083BC9_Rar\WdExt.exe
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\"%CurrentUserName%"\Start Menu\Programs\Startup\sql.cmd
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\"%CurrentUserName%"\Templates\O63746Z\TuxO63746Z.exe
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\"%CurrentUserName%"\Templates\O63746Z\service.exe
6bba9e183cc0212f741c4a43130225d0c:\Documents and Settings\"%CurrentUserName%"\Templates\O63746Z\winlogon.exe
6bba9e183cc0212f741c4a43130225d0c:\Perl\lib\auto\share\Blink 182 .exe
6bba9e183cc0212f741c4a43130225d0c:\Perl\lib\auto\threads\shared\Data DosenKu .exe
6bba9e183cc0212f741c4a43130225d0c:\Program Files\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe
6bba9e183cc0212f741c4a43130225d0c:\Program Files\Movie Maker\Shared\Gallery .scr
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\Downloaded Program Files\THe Best Ungu .scr
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\M35838\EmangEloh.exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\M35838\Ja856821bLay.com
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\M35838\smss.exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\SoftwareDistribution\Download\TutoriaL HAcking .exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\Ti645063ta.exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\ime\shared\Blink 182 .exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\pchealth\UploadLB\Gallery .scr
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\sa-755287.exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\system32\127387645063l.exe
6bba9e183cc0212f741c4a43130225d0c:\WINDOWS\system32\X51334go\Z127387cie.cmd
78d3c8705f8baf7d34e6a6737d1cfa18c:\WINDOWS\system32\mscaps.exe
978888892a1ed13e94d2fcb832a2a6b5c:\WINDOWS\system32\wtime32.dll
64b33cc5bf131def2721394cf9b3f8edc:\WINDOWS\system\msvbvm60.dll
a08fecd7705529a07032346ab85a5521c:\tmlslf.pif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1232
    wtmps.exe:2908
    mscaps.exe:2960
    @AE1.tmp.exe:1632
    launch.exe:2824
    WdExt.exe:2284

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe (1281 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
    %Documents and Settings%\%current user%\Templates\O63746Z\service.exe (1281 bytes)
    %WinDir%\Ti645063ta.exe (1281 bytes)
    %System%\X51334go\Z127387cie.cmd (1281 bytes)
    %WinDir%\M35838\smss.exe (1281 bytes)
    %WinDir%\M35838\Ja856821bLay.com (1281 bytes)
    %System%\127387645063l.exe (1281 bytes)
    %WinDir%\sa-755287.exe (1281 bytes)
    %WinDir%\M35838\EmangEloh.exe (1281 bytes)
    %WinDir%\system\msvbvm60.dll (8657 bytes)
    %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)
    %System%\mscaps.exe (27349 bytes)
    %System%\wtime32.dll (29045 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000808E2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080901_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FF6C_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000804EA_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000805D5_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FD69_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080008_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080400_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FA6B_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (244510 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008050A_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080047_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008074C_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FEA1_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F700_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F8A6_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F599_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F6B2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F932_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FB36_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000808C3_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F952_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080884_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000806FE_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F7DB_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FD0B_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F7BB_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000802C8_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080613_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008044E_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F9BF_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F625_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080671_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080354_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080539_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000807AA_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000804CB_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F73E_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FCBD_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F80A_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080690_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080279_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FEE0_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FA1D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080325_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FBE2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000807C9_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080112_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FE63_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080141_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F9CF_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F616_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F9FE_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F971_Rar\@AE1.tmp.exe (13122 bytes)
    %WinDir%\system.ini (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000806DE_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000800E3_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FDE6_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008047D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F79C_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FDA7_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080076_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080316_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F819_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F8E4_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000807E8_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000804AC_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008042F_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000803A2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F4ED_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FD49_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FBC3_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080567_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FC7E_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080383_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000808A4_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F848_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FFAB_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008072D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F654_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008046D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (459254 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000808F2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080652_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000805B6_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FA8A_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000803C2_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FA4C_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FAC9_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FD88_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F5F6_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F78D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008071D_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FC20_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F913_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F838_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080548_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F867_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FB17_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F6D1_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F990_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FAE8_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F4CD_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F7EA_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F644_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080817_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F54A_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080587_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F693_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007F664_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FB75_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080836_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000802A8_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FE43_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FE24_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0007FA2C_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000806B0_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000805F4_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080865_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008023B_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00080633_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008076B_Rar\@AE1.tmp.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008078A_Rar\@AE1.tmp.exe (13122 bytes)
    %WinDir%\pchealth\UploadLB\Gallery .scr (305 bytes)
    %WinDir%\SoftwareDistribution\Download\TutoriaL HAcking .exe (305 bytes)
    %WinDir%\ime\shared\Blink 182 .exe (305 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\Titip Folder Jangan DiHapus .exe (305 bytes)
    %WinDir%\[TheMoonlight].txt (109 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\RaHasIA .exe (305 bytes)
    %Program Files%\Movie Maker\Shared\Gallery .scr (305 bytes)
    %WinDir%\Downloaded Program Files\THe Best Ungu .scr (305 bytes)
    %Program Files%\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008289F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C97_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083820_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F27_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F56_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082FF2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000818C1_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E2D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000839D5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000819AB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008210E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F17_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000817D6_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008368A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082294_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D54_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083A33_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083273_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000834B5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000826CA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081892_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008192E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081546_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000839B6_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082071_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083745_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081E9D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082DDF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083978_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000835CE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000839A6_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082052_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C87_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082285_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083B8B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081DB2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082A64_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083BBA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008290C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008314A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D16_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081FD5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082FC3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082042_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C77_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000832C1_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081601_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000835AF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008382F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008331F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000816FB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081BCE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082459_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081E8D_Rar\WdExt.exe (26244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081FC5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082B4F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008260F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082803_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081BBE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083A43_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081815_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008293B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008148A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008266D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000832FF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083BAA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081E5E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082544_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000834E4_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081EFA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083774_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082841_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008146B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082747_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008213C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008312B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E1D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082524_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000835BE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081FF4_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B80_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083784_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008142D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D83_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C29_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000821AA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000819DA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082822_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E8B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B12_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083BC9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082515_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083707_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000821C9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082479_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008149A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008240B_Rar\WdExt.exe (26244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082023_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000834D4_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008383F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000823FC_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000830DC_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008217B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000822C3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081AB5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082A45_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000839C6_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083179_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000818A1_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082330_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083447_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081640_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000815B3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008165F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E5C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D74_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081882_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000826BB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000825FF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F85_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081A76_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008361C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083A14_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008330F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008196C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082DFE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082FB4_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081EEB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F46_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081ECB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008214C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083810_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082A93_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000814AA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083726_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C58_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D06_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B8F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081AE3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082CD5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082B3F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082062_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081F1A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008241B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B9F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081517_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083438_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082488_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083409_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083428_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083457_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081A28_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081565_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008190F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000839F5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082B5E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008198C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083188_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D26_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082B20_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008387E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E4C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000831A8_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082BFA_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000818EF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000819F9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E3D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000832E0_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082DC0_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083159_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083282_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000837E1_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083476_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081FE5_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000824A7_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081E6E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081798_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008143C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000822E2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B41_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081B60_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083292_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081594_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082D62_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082469_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081F0A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082AB2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000832D0_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082709_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082728_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008333E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008269B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083987_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008294B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083002_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082AE1_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000835FD_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081E4E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008388D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D35_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008366A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000828CE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008367A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082861_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083B7B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082718_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081769_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008310B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082033_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008385E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081DA3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000830CD_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E0E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000814F8_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C49_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082FD3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008364B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000832A2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000822D3_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082A35_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081507_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008172A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082AD2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083467_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081853_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D93_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082498_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082E7B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082302_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082C39_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008386E_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000822A4_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000822F2_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008218B_Rar\WdExt.exe (26244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008311B_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000816CD_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008215C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008362C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000835ED_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083A04_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083B5C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081621_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008166F_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081EDB_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000828DE_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083B3D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082A26_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081650_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082014_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083755_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083263_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008390A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000814C9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082321_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000821B9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081EBC_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F94_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000838AC_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008313A_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083198_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082311_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008212D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00081D64_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00083486_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000814E8_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008291C_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082340_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000814B9_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0008211D_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000828AF_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000834A5_Rar\WdExt.exe (26244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00082F75_Rar\WdExt.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000837F1_Rar\WdExt.exe (13122 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "T46Z273" = "%WinDir%\sa-755287.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "T1358287TT4" = "%System%\127387645063l.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"

  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096210825603.769976dbb11cce72cc16b887018dd4c34d252
.rdata8192147815363.36814838666d924e8b6e9dfc84f930bd16733
.data12288860165120.3779557d6dcdf3bcb22dca4957ddb77c1c8cbf
.rsrc983041884161884164.008912b7c687262025c29b9cf4de80bca2c0d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

service.exe_1496:

.text

.text

`.rsrc

`.rsrc

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

^.NrL

^.NrL

I.Mh|

I.Mh|

SHELL32.DLL

SHELL32.DLL

KERNEL32.DLL

KERNEL32.DLL

service.exe

service.exe

.rsrc

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

%sgkU

%sgkU

ei.sEI

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

winlogon.exe

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

smss.exe

smss.exe

EmangEloh.exe

EmangEloh.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

service.exe_1496_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

service.exe_1496_rwx_00401000_00017000:

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

winlogon.exe

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

service.exe

service.exe

smss.exe

smss.exe

EmangEloh.exe

EmangEloh.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

service.exe_1496_rwx_0041A000_00005000:

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

service.exe_1496_rwx_0042B000_00004000:

^.NrL

^.NrL

service.exe_1496_rwx_00435000_0000F000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

service.exe

service.exe

.rsrc

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

RegCloseKey

RegCloseKey

SHFileOperationA

SHFileOperationA

service.exe_1496_rwx_00F70000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

.rsrc

.rsrc

.text

.text

service.exe_1496_rwx_00F80000_00001000:

|service.exeM_1496_

|service.exeM_1496_

EmangEloh.exe_1324:

.text

.text

`.rsrc

`.rsrc

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

^.NrL

^.NrL

I.Mh|

I.Mh|

SHELL32.DLL

SHELL32.DLL

KERNEL32.DLL

KERNEL32.DLL

EmangEloh.exe

EmangEloh.exe

.rsrc

.rsrc

%WinDir%\M35838\EmangEloh.exe

%WinDir%\M35838\EmangEloh.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

%sgkU

%sgkU

ei.sEI

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

winlogon.exe

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

service.exe

service.exe

smss.exe

smss.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

EmangEloh.exe_1324_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

winlogon.exe_1512:

.text

.text

`.rsrc

`.rsrc

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

^.NrL

^.NrL

I.Mh|

I.Mh|

SHELL32.DLL

SHELL32.DLL

KERNEL32.DLL

KERNEL32.DLL

winlogon.exe

winlogon.exe

.rsrc

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

%sgkU

%sgkU

ei.sEI

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

service.exe

service.exe

smss.exe

smss.exe

EmangEloh.exe

EmangEloh.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

EmangEloh.exe_1324_rwx_00401000_00017000:

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

winlogon.exe

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

service.exe

service.exe

smss.exe

smss.exe

EmangEloh.exe

EmangEloh.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

EmangEloh.exe_1324_rwx_0041A000_00005000:

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

EmangEloh.exe_1324_rwx_0042B000_00004000:

^.NrL

^.NrL

EmangEloh.exe_1324_rwx_00435000_0000F000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

EmangEloh.exe

EmangEloh.exe

.rsrc

.rsrc

%WinDir%\M35838\EmangEloh.exe

%WinDir%\M35838\EmangEloh.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

RegCloseKey

RegCloseKey

SHFileOperationA

SHFileOperationA

EmangEloh.exe_1324_rwx_00F60000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

.rsrc

.rsrc

.text

.text

EmangEloh.exe_1324_rwx_00F70000_00001000:

|emangeloh.exeM_1324_

|emangeloh.exeM_1324_

winlogon.exe_1512_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

winlogon.exe_1512_rwx_00401000_00017000:

keylog

keylog

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

RasApi32.dll

RasApi32.dll

wininet.dll

wininet.dll

InternetOpenUrlA

InternetOpenUrlA

advapi32.dll

advapi32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

user32.dll

user32.dll

EnumWindows

EnumWindows

VBA6.DLL

VBA6.DLL

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

OpenUrl

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

Kernel32.dll

Kernel32.dll

MSVBVM60.DLL

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

winlogon.exe

suport

suport

login

login

ZIPPED.zip

ZIPPED.zip

FILEATTACH.bz2

FILEATTACH.bz2

Doc.gz

Doc.gz

SMTP Server

SMTP Server

SMTP Email Address

SMTP Email Address

smtp.

smtp.

curriculum vittae.zip

curriculum vittae.zip

USE_RAR_To_Extract.ace

USE_RAR_To_Extract.ace

file.bz2

file.bz2

thisfile.gz

thisfile.gz

TITTA'S Picture.jar

TITTA'S Picture.jar

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

free screen saver romance for you
Please Visit Our Web Site hXXp://VVV.moonLight.com

aku mahasiswa Bsi Margonda smt 3

aku mahasiswa Bsi Margonda smt 3

12050075

12050075


password lampiran 55132098


password lampiran 55132098

\regsvr32.exe

\regsvr32.exe

\twain32.dll

\twain32.dll


For security reasons attached file is password protected.
The password is 55132098


For security reasons attached file is password protected.
The password is 55132098

OSSMTP.SMTPSession

OSSMTP.SMTPSession

*.html

*.html

TutoriaL HAcking .exe

TutoriaL HAcking .exe

Lagu - Server .scr

Lagu - Server .scr

Data DosenKu .exe

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

Love Song .scr

New mp3 BaraT !! .exe

New mp3 BaraT !! .exe

THe Best Ungu .scr

THe Best Ungu .scr

Blink 182 .exe

Blink 182 .exe

Norman virus Control 5.18 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Windows Vista setup .scr

Gallery .scr

Gallery .scr

RaHasIA .exe

RaHasIA .exe

service.exe

service.exe

smss.exe

smss.exe

EmangEloh.exe

EmangEloh.exe

\msvbvm60.dll

\msvbvm60.dll

\system\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\service.exe

\smss.exe

\smss.exe

\EmangEloh.exe

\EmangEloh.exe

\winlogon.exe

\winlogon.exe

cie.cmd

cie.cmd

ta.exe

ta.exe

bLay.com

bLay.com

l.exe

l.exe

\sql.cmd

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

explorer.exe,

\userinit.exe ,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

\notepad.exe

regedit.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

\*.pif

*.htm

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

\MYpIC.zip

zipfile.txt

zipfile.txt

dll.txt

dll.txt

payload.txt

payload.txt

\payload.vbs

\payload.vbs

update1.txt

update1.txt

\untk.com

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

Moonlight.exe

winlogon.exe_1512_rwx_0041A000_00005000:

kernel32.dll

kernel32.dll

%sy5|l

%sy5|l

SSSSSh

SSSSSh

{6S%X

{6S%X

winlogon.exe_1512_rwx_0042B000_00004000:

^.NrL

^.NrL

winlogon.exe_1512_rwx_00435000_0000F000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

winlogon.exe

winlogon.exe

.rsrc

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

hXXp://padrup.com/sobaka1.gif

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

hXXp://89.11

.info/home.gifIh

.info/home.gifIh

bW.text

bW.text

JKERNEL32.dll

JKERNEL32.dll

%x.exe

%x.exe

h.rdla&

h.rdla&

mH.MN8

mH.MN8

T4.At%

T4.At%

S.twa

S.twa

.klkjw:9fqwiBumW

.klkjw:9fqwiBumW

.sysa

.sysa

Zc.pBTa

Zc.pBTa

~%s:*:yd:

~%s:*:yd:

.!.VF*

.!.VF*

.d&?%x=

.d&?%x=

GUrlA'

GUrlA'

"\'Web%w}

"\'Web%w}

HTTP)s'PS

HTTP)s'PS

2GUARDCMD

2GUARDCMD

o.ENHCDM

o.ENHCDM

wWEBWUPD

wWEBWUPD

MM.PF

MM.PF

%xn'[

%xn'[

>>?456789:;

>>?456789:;

!"#$%&'()* ,-./4

!"#$%&'()* ,-./4

qn%CXf

qn%CXf

UP*dB.PPd@.

UP*dB.PPd@.

%FoAN-x

%FoAN-x

ÄEW

ÄEW

%F" *" a

%F" *" a

ADVAPI32.dll

ADVAPI32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WS2_32.dll

WS2_32.dll

RegCloseKey

RegCloseKey

SHFileOperationA

SHFileOperationA

winlogon.exe_1512_rwx_00F60000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

.rsrc

.rsrc

.text

.text

winlogon.exe_1512_rwx_00F70000_00001000:

|winlogon.exeM_1512_

|winlogon.exeM_1512_

Explorer.EXE_1140_rwx_00FF0000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

.rsrc

.rsrc

.text

.text

Explorer.EXE_1140_rwx_01E20000_00001000:

|explorer.exeM_1140_

|explorer.exeM_1140_