Trojan.GenericKD.2967797 (B) (Emsisoft), Backdoor.Win32.PcClient.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 17e40d5d1937ea630710308e541b7690
SHA1: bd0ae36453e4c4eed81f55fa7bdc2d69de52a84b
SHA256: 772575dce579745ef375bcf7fed0fd98e05057a11ee98423970103e221a0d7a0
SSDeep: 98304:RwenrjAKkQNyGkfohuqCcUZVAtTD9tMAOYPk0PDyrjcR/ojsXv:Rwu47Q4GkaPUZVKTD9dPk0mXuwjs
Size: 4783104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-31 05:28:47
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
schtasks.exe:2012
rundll32.exe:1548
rundll32.exe:816
dumprep.exe:1980
dumprep.exe:596
%original file name%.exe:320
The Worm injects its code into the following process(es):
svchost.exe:1924
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process rundll32.exe:816 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\rundll32.exe (1813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z625.xml (1 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\z625.xml (0 bytes)
The process dumprep.exe:1980 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WER8d3d.dir00\svchost.exe.mdmp (93289 bytes)
The process dumprep.exe:596 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WER8d3d.dir00\svchost.exe.hdmp (191785 bytes)
The process %original file name%.exe:320 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\rundll32.exe (10448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TOTALC~1.EXE (70216 bytes)
Registry activity
The process schtasks.exe:2012 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 72 16 B7 60 D3 82 2A 20 0B 4F BB 68 C2 F7 65"
The process rundll32.exe:1548 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 C6 92 EE A2 91 8D 76 88 F7 48 11 EA D4 A8 E4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"svchost.exe" = "Generic Host Process for Win32 Services"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%System%]
"svchost.exe" = "EnableNXShowUI"
The process rundll32.exe:816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 B5 25 DA D4 FA 04 4F 8C AB 0E D1 5C EA 3D 36"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Worm modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The process dumprep.exe:1980 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 57 B2 CF C9 93 5D A6 D3 B5 94 62 C1 26 F5 DE"
The process dumprep.exe:596 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 B3 13 20 1F 9E 4F 54 F0 A5 C2 1E E1 FC 5E 23"
The process %original file name%.exe:320 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 86 6F 8B 3B 42 2C 42 E3 0A 99 88 94 10 3D D0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
MD5 | File path |
---|---|
a3044d63d20fefb3e728823b69585b77 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\rundll32.exe |
27c6d03bcdb8cfeb96b716f3d8be3e18 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\svchost.exe |
b439967c0c3a35ca2cdbc39783f09fd9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\TOTALC~1.EXE |
a3044d63d20fefb3e728823b69585b77 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\rundll32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
schtasks.exe:2012
rundll32.exe:1548
rundll32.exe:816
dumprep.exe:1980
dumprep.exe:596
%original file name%.exe:320
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\rundll32.exe (1813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z625.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WER8d3d.dir00\svchost.exe.mdmp (93289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WER8d3d.dir00\svchost.exe.hdmp (191785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\rundll32.exe (10448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TOTALC~1.EXE (70216 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.17416
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 11.00.9600.17416 (winblue_r4.141030-1500)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26980 | 27136 | 4.40175 | 22c7cbc7745692002dbdf65a4bc48e63 |
.data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
.idata | 40960 | 4220 | 4608 | 3.49841 | a5d9b0c8d0d0e35bcbb5219dda1a3075 |
.rsrc | 49152 | 4746367 | 4746752 | 5.5438 | 2ce3d2e7070b3f48005928f13a3ff570 |
.reloc | 4796416 | 2240 | 2560 | 4.41763 | 7772c8e6ff71410862c324630aac5515 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps