HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.193211 (B) (Emsisoft), Gen:Variant.Zusy.193211 (AdAware), Backdoor.Win32.PcClient.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c243065a8d53d757144c0e4fb4c30fab
SHA1: f04a32b17e431a76f3a295c95daa4afc092b95d1
SHA256: 02b5fbf13027314a2ce5b1a5b7de58952f120dcdc60ea6a93cac994dfd9d8719
SSDeep: 6144:5biDeTMxEZqYHobQ0jtl0I4HYEGQrz/bkRwOkOAT9eUWp8mkmN2O:5bseIihUkI42WQRwO0Y9gE
Size: 383488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-02 04:47:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found. The strings recovered from the process memory (see Strings from Dumps below) nevertheless reference the saved-password stores of Firefox (signons*.txt and the NSS PK11_CheckUserPassword API), Opera (wand.dat), Outlook and Outlook Express (Protected Storage via pstorec.dll, Internet Account Manager) and several FTP and IM clients (CoreFTP, SmartFTP, CuteFTP, WS_FTP, FAR, Windows/Total Commander, Trillian, &RQ), together with HTTP POST code, which is consistent with a credential stealer; the strings d:\Procmon.exe and ^d:\Procmon.exe also suggest a check for Process Monitor.
Process activity
The Trojan creates the following process(es):
dwwin.exe:1228
The Trojan injects its code into the following process(es):
rundll32.exe:1784
%original file name%.exe:1504
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process dwwin.exe:1228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\261FF2.dmp (75226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\msirku32.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c7_appcompat.txt (6214 bytes)
Registry activity
The process dwwin.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D F1 80 B3 01 6D 4A FE 17 77 65 97 B6 7C 46 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 CE 95 3B 1E 2B B3 89 8A 5F A5 3B 72 BE 57 60"
The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 7C 90 F4 E9 35 B9 7E 59 E3 8A CA 81 0E 27 DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Adds an exception to the Windows Firewall that allows any network activity for the sample (the value name is the executable's full path, and the last field of the data is the display name, here the file's MD5):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:c243065a8d53d757144c0e4fb4c30fab"
To run automatically at each logon, the Trojan adds the following value to the autorun key. It does not point at the original file: it starts rundll32.exe with the dropped msirku32.dll (referenced without a path, so it is resolved through the DLL search path to %System%) and calls the export UzEPTgVNpk:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL" = "rundll32.exe msirku32.dll,UzEPTgVNpk"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
Dropped PE files
MD5 | File path |
---|---|
90b41535ed0ab3b62a2ed967a65ea166 | c:\WINDOWS\system32\msirku32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1228
rundll32.exe:1784
Note that dwwin.exe is the Windows XP error-reporting (Dr. Watson) component, not a file dropped by the Trojan; the 261FF2.dmp it wrote and the c7_appcompat.txt written alongside it are error-reporting artifacts, which indicates the sample crashed during analysis. The Trojan's code was injected into rundll32.exe:1784, and the autorun value below starts a fresh rundll32.exe with the dropped DLL at every logon, so that process must be terminated as well.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\261FF2.dmp (75226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\msirku32.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c7_appcompat.txt (6214 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL" = "rundll32.exe msirku32.dll,UzEPTgVNpk"
- Reboot the computer.
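To check other hosts for the persistence and firewall indicators described above, the following Python script is an added example; it is not part of the Lavasoft report and not the Trojan's own code. It parses a Windows .reg export, flags any Run value that hands a DLL to rundll32.exe (the MSIDLL entry is matched exactly), lists enabled per-application firewall exceptions, and compares file contents against the hashes in the Summary. The report prints the firewall exception as `...\List\c:` / `%original file name%.exe` because the value name contains a backslash; in a real export it is one value under `...\List` whose name is the full path, which is how the constructed export below writes it. The .reg text, the path `c:\sample.exe` and the tab-free layout are constructed for the example.

```python
"""Host IOC check built from the indicators in this report (added example)."""
import hashlib
import re

# Indicators copied from the report above.
SAMPLE_MD5 = "c243065a8d53d757144c0e4fb4c30fab"
SAMPLE_SHA256 = "02b5fbf13027314a2ce5b1a5b7de58952f120dcdc60ea6a93cac994dfd9d8719"
DROPPED_DLL_MD5 = "90b41535ed0ab3b62a2ed967a65ea166"
KNOWN_RUN_VALUE = ("MSIDLL", "rundll32.exe msirku32.dll,UzEPTgVNpk")

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# "name"="data" lines of a .reg export; backslashes and quotes are escaped with '\'.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# A Run value that hands a DLL to rundll32.exe, as this sample's MSIDLL entry does.
_RUNDLL_RE = re.compile(r"(?i)^(?:.*\\)?rundll32(?:\.exe)?\s+\S+\.dll\s*,")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_persistence(reg):
    """Run values that launch a DLL through rundll32.exe; the flag is True for the known IOC."""
    return [(name, data, (name, data) == KNOWN_RUN_VALUE)
            for name, data in reg.get(RUN_KEY, {}).items() if _RUNDLL_RE.match(data)]


def find_firewall_exceptions(reg):
    """Enabled per-application exceptions, stored as 'path:scope:Enabled:label'."""
    hits = []
    for data in reg.get(FW_LIST_KEY, {}).values():
        if data.count(":") < 3:
            continue
        path, scope, state, label = data.rsplit(":", 3)  # rsplit keeps the 'c:' of the path
        if state.lower() == "enabled":
            hits.append({"path": path, "scope": scope, "label": label,
                         "known": label == SAMPLE_MD5})
    return hits


def hash_matches(blob):
    """Name the report artifact whose hash matches blob, or None."""
    md5 = hashlib.md5(blob).hexdigest()
    if md5 == SAMPLE_MD5 or hashlib.sha256(blob).hexdigest() == SAMPLE_SHA256:
        return "original sample"
    if md5 == DROPPED_DLL_MD5:
        return "dropped msirku32.dll"
    return None


def scan_export(text):
    reg = parse_reg_export(text)
    return {"persistence": find_persistence(reg),
            "firewall": find_firewall_exceptions(reg)}


# Constructed .reg export: one benign Run entry, the default XP SP2 Remote Assistance
# exception, and the two entries this report attributes to the sample.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSIDLL"="rundll32.exe msirku32.dll,UzEPTgVNpk"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\sample.exe"="c:\\sample.exe:*:Enabled:c243065a8d53d757144c0e4fb4c30fab"
'''

if __name__ == "__main__":
    for section, hits in scan_export(SAMPLE_EXPORT).items():
        for hit in hits:
            print(section, hit)
```

The rundll32 pattern is deliberately broader than the exact MSIDLL value, because a Run entry that loads a DLL by bare name through rundll32.exe is suspicious on its own; the exact match only tells the analyst that the host carries this specific sample.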
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39033 | 39424 | 4.47406 | 00f1fdff6c730cdc079c576d71b74072 |
.rdata | 45056 | 11588 | 11776 | 3.62586 | da51eff10052d9e5a546e77d2c9ddd2c |
.data | 57344 | 334080 | 331264 | 5.49717 | 2d185f4bc166ee88ebb260f880adfef8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s) (none were recorded in this analysis run; the hosts referenced in the process memory are listed under Strings from Dumps):
Strings from Dumps
%original file name%.exe_1504:
.text
`.rdata
@.data
winver.exe
ntdll.dll
Kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.DLL
GDI32.dll
USER32.dll
GetCPInfo
T!.xy
TcPO
.ROLR
7Nl%F
.NlaUk
fE%Ug
.NFlQc
.hfSDn
yomsg
.KC^[
i*Oa.vB3K
w`h)GZb.sa`
(r.RJLR
hGSj%u
~%X@^
%X@^u
KLz.GOK
@Qj vEU3NMR.IsBM|[bmHJrWaVD
.wsQZ,
QaOFzLC|.bufhGE|-rYHYJ]A
.AJOG
k.bufh!
.mrFJre
\aOFzisNvbufhbuNurYHYomsLTYnvsQpBNzPNMKjwhUxYNIxodfSDnBlaUkxmTTnheraSvBAJOGVSJWjZKmtzdgVolASoKWZEHtkxfIhFSjPpGUSHORbOqByzYbMNHrGgTDfLNVRNrzkQInKvplbFJrerqDATgPOenvvFuajInVovFRKLRvDSMkfXnfOmZAhGELocBmIJSKCfaQcziVEYdTyUJxGdmgEskLnvyyuijLppWkcSutjfhdTCszYNlXbEPQTnJFLQCBWsqZBQwGyvBaoFRi[N^b]f@bUNUryHyoMslTynVsqpbNZPnMkjWhuxyNixOd.STnRlqU{x}TDnxebaCvRAZOWVCJGjJK
VhUxYNIxo%F !
oQv.OHO
_LrLfSIrFtpboDJrhpq
532>2>5$
5 5:5!#71;
?38&1$.cB>
!0?=.Wb[
/1
6.dH#
6V="%x?7
.ha[nH#
p;>.DzbXr
~c{Ot/g-U5}
J_]%x
WBS{G%x5B
RvW@nuRHH,i%x
%diagmEgnzBSojZykMhENzZWMPNUxjvhDzCJqMB
c=vx\Jx.XOmY
ij%u2
Iy.HTy
(L%fP
qa%%ui
G.KZd@
oY.ri
g.ks6
a|[!
QwW.zju_
0t$%f_Rk
`G%D>
88,.PF
;@'J.rK
fU.K.TA
.ZV 6
U.bcUz
.tA8J
.DKgF
h.xYjF
Ap.sZm
CUnOuxS[oeIOSrurL[rwPXsnPS.J
tAmtcpGgIqAWj'GdtJ{p
a.NJHH9JbPYA
wh^smsGc
b.KIH
ez%u-
S.DUV3
%di{gnEfnzB&'
KDvcsRWNfWCSnjDcjnVglXjYpLjEciIzmjQmEaQdWKfQbIFBbWIOQLMhuqUZqLUSwutabOYsBwWkCtoQjlRfZNmAlBAtWrtnAiTVHKPINrhmYGTeackRMwMwiKuNJZRyFzsxAOpnMIwqaarrrXCUBzTwdmnooRNHJevriQFGlLqqAfzULmBPFslUdPequWTsnvomHQVslNaKzamCiZGHnareeDverbfdEnwBYRqhIQeQQcihbrrFhyBgoWdPTLhUZaUuJHdwEKviaxomLPTVhhAjUfPDebJmmSITLnnOO
c:\%original file name%.exe
mscoree.dll
%original file name%.exe_1504_rwx_009C0000_0005A000:
[%.2d/%.2d/%.4d %.2d:%.2d:%.2d] - %s %s
c:\boot.log
Profile: %s
Port
password
Software\FTPWare\COREFTP
- password: %s
\Mozilla\Firefox\
profiles.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
%Program Files%\Mozilla Firefox\
\signons.txt
\signons2.txt
\signons3.txt
nspr4.dll
plc4.dll
plds4.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
port
Sites.dat
\SmartFTP
/admin/getfile.php
madcapphotoworks.com
/adv/getfile.php
arminpfluegl.ar.funpic.de
i-p.perm.ru
iexplore.exe
firefox.exe
opera.exe
chrome.exe
kernel32.dll
CURL::Get: %s
CURL::Get(): trying to inject to ie and load...
CURL::Get(): %s
CURL::Get(): trying to download directly...
CURL::Post: %s, %s
CURL::GetIEProcessID
CURL::GetIEProcessID(): findwindow returned 0x%X
CURL::GetIEProcessID(): GetWindowThreadProcessId returned 0x%X
CURL::GetIEProcessID(): 0x%X
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetWindowsDirectoryA
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
CryptDestroyKey
CryptDeriveKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
shlwapi.dll
WSOCK32.dll
GetCPInfo
pr_ni.dll
\p_sys.dll
\sysclos.exe
\*.dat
db Xh
.data
%sLen equ %lu
SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
SSSSkernel32.dll
|shfolder.dll
psapi.dll
P:\Projects\password_recovery\cinch\tools\out.bin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\account.cfg
\account.cfn
%s Database
Password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ
\&RQ.exe
crypted-password
\andrq.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\
\aim.ini
\users\global\profiles.ini
Software\Ghisler\Windows Commander
FtpIniName
\wcx_PTF.ini
\Mailbox.ini
PassWd
INETCOMM Server Passwords
Outlook Account Manager Passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
%s\%s\%s
%s\%s
SMTP Email Address
POP3 Password
POP3 Password2
IMAP Password
IMAP Password2
pstorec.dll
crypt32.dll
w\GlobalSCAPE\CuteFTP\
\GlobalSCAPE\CuteFTP Pro\
\cutftp32.exe
%Program Files%\CuteFTP\
sm.dat
tree.dat
smdata.dat
SOFTWARE\Far\Plugins\FTP\Hosts
WS_FTP
\*.ini
\Ipswitch\WS_FTP\Sites
\Ipswitch\WS_FTP Home\Sites
\win.ini
\ws_PTF.ini
\ws_PTF.exe
\Opera
\Mail\accounts.ini
\profile\wand.dat
Software\Opera Software
Incoming Password
\Mozilla\Profiles
urlmon.dll
wininet.dll
URLDownloadToCacheFileA
URLDownloadToFileA
HttpOpenRequestA
HttpSendRequestA
.ar.funpic.de
Googlebot/2.1 ( hXXp://VVV.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
More information: hXXp://VVV.ibsensoftware.com/
zcÃ
c:\c243065a8d53d757144c0e4fb4c30fab
c:\%original file name%.exe:*:Enabled:c243065a8d53d757144c0e4fb4c30fab
c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
A2C-196E-4210-9C04-2B1BC21F07EF}
8.3.2.1593
%Documents and Settings%\%current user%\Application Data\The Bat!\*.*
d:\Procmon.exe
ec.exe
t.dll,-331
es.dll,-1646
.dll,-20003
%Documents and Settings%\%current user%\Trillian\User Settings\
%APPDATA%\GHISLER\wcx_PTF.ini
Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\Software\Microsoft\Internet Account Manager\Accounts
^d:\Procmon.exe
Pro\6.0\sm.dat
e\Sites\*.ini
%WinDir%\win.ini
%Documents and Settings%\%current user%\Application Data\Opera\*.*\Mail\accounts.ini
%Documents and Settings%\%current user%\Application Data\Mozilla\Profiles\*.*
7p7C7l7x7
3=3N3_3m3
SmartFTP
x86 9.0.30729.4148
iER\wcx_PTF.ini
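The memory region above carries the sample's network indicators: the hosts madcapphotoworks.com, arminpfluegl.ar.funpic.de and i-p.perm.ru, the paths /admin/getfile.php and /adv/getfile.php, and a Googlebot user-agent string (shown defanged in the dump) next to the HTTP request code. The following Python script is an added example, not part of the Lavasoft report, that turns those strings into proxy-log detection logic. The tab-separated log layout (time, client, method, URL, status, user-agent), the client addresses and the log lines themselves are constructed for the example; the yahoo.com line is included because that host also appears in the dump but is far too generic to flag on its own.

```python
"""Proxy-log triage for the network indicators in this report (added example)."""
from urllib.parse import urlsplit

# Hosts and paths taken from the Strings from Dumps section above.
C2_HOSTS = {"madcapphotoworks.com", "arminpfluegl.ar.funpic.de", "i-p.perm.ru"}
C2_PATHS = {"/admin/getfile.php", "/adv/getfile.php"}
C2_DOMAIN_SUFFIXES = (".ar.funpic.de",)   # the dump also carries the bare suffix
# The dump's request code identifies itself as Googlebot; a workstation never should.
BOT_UA_PREFIX = "Googlebot/2.1"


def parse_log(text):
    """Split constructed tab-separated proxy lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ua = line.split("\t", 5)
        entries.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": status, "ua": ua})
    return entries


def reasons_for(entry):
    """Independent reasons to flag one request; an empty list means it looks clean."""
    reasons = []
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    elif host.endswith(C2_DOMAIN_SUFFIXES):
        reasons.append("free-hosting domain used by the sample")
    if u.path in C2_PATHS:
        reasons.append("getfile.php download path")
    if entry["ua"].startswith(BOT_UA_PREFIX):
        reasons.append("Googlebot user-agent from an internal client")
    return reasons


def detect(text):
    """Return (time, client, url, reasons) for every flagged line, in log order."""
    hits = []
    for e in parse_log(text):
        reasons = reasons_for(e)
        if reasons:
            hits.append((e["ts"], e["client"], e["url"], reasons))
    return hits


def clients_to_triage(text):
    """Distinct internal clients that produced at least one hit."""
    return sorted({client for _, client, _, _ in detect(text)})


# Constructed log: one benign request each from two clients, and two C2 requests
# from the first client in the shape the strings above describe.
SAMPLE_LOG = """\
2011-11-02T04:50:01Z\t10.0.0.15\tGET\thttp://www.yahoo.com/\t200\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2011-11-02T04:50:12Z\t10.0.0.15\tPOST\thttp://madcapphotoworks.com/admin/getfile.php\t200\tGooglebot/2.1 (+http://www.google.com/bot.html)
2011-11-02T04:50:13Z\t10.0.0.15\tGET\thttp://arminpfluegl.ar.funpic.de/adv/getfile.php\t404\tGooglebot/2.1 (+http://www.google.com/bot.html)
2011-11-02T04:51:40Z\t10.0.0.22\tGET\thttp://www.microsoft.com/\t200\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

if __name__ == "__main__":
    for ts, client, url, reasons in detect(SAMPLE_LOG):
        print(ts, client, url, "; ".join(reasons))
```

The three checks are kept independent so that a host seen with only the user-agent anomaly, or only the getfile.php path on a new domain, still surfaces once the listed hosts have moved; the exact hosts are the weakest of the three indicators and should be treated as time-bound.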
%original file name%.exe_1504_rwx_00A50000_00087000:
vSSSh
FTPjK
FtPj;
C.PjRV
Content-Type: application/x-www-form-urlencoded
yahoo.com
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
Chrome_WidgetWin_0
kernel32.dll
rundll32.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
unsupported version
'8 77, .
0'(8:>""
"1%.'8"8
.?AV?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@serialization@boost@@
.?AVMCmdList@@
.?AV?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
2=,2%*2&
0.HM{
zcÃ
c:\%original file name%.exe
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.reloc
.,.EA
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
SHLWAPI.dll
USER32.dll
uHxcZGgLZd.dll
mscoree.dll
rundll32.exe_1784:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_1784_rwx_10001000_00083000:
vSSSh
FTPjK
FtPj;
C.PjRV
Content-Type: application/x-www-form-urlencoded
yahoo.com
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
Chrome_WidgetWin_0
kernel32.dll
rundll32.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
unsupported version
'8 77, .
0'(8:>""
"1%.'8"8
.?AV?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@serialization@boost@@
.?AVMCmdList@@
.?AV?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
2=,2%*2&
0.HM{
zcÃ
%System%\rundll32.exe
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
mscoree.dll