HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Alureon.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 66468df02a0b30400259109943a0682d
SHA1: 204419456becad0fc20cc228ef92a3e6a99e283f
SHA256: 0ac488a2d3c855b9e3985b788430d033376603c94733535d84ffcf41742170de
SSDeep: 98304:fa6BcJlh57t67 Ecd/M8xOFn1MusXtxA7tqzoMtE8TIkSza5akxa:faqEtj3d98MTXDApqdG8TSe5aG
Size: 5368832 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
MAGICZ~1.EXE:912
wscript.exe:2044
file.exe:464
%original file name%.exe:468
The Worm injects its code into the following process(es):
cvtres.exe:140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MAGICZ~1.EXE:912 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C13C2459-F547-4158-9A74-6F46C4C5B098}\setup.msi (82162 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (0 bytes)
The process wscript.exe:2044 makes changes in the file system.
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (0 bytes)
The process cvtres.exe:140 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Khichiii.exe (35 bytes)
%Documents and Settings%\%current user%\Application Data\setup (34 bytes)
The process file.exe:464 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.aan (1852 bytes)
%Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (1 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\file.exe (10504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE (91182 bytes)
Registry activity
The process MAGICZ~1.EXE:912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 0B E2 5C 4B 99 0A FB A7 DB 81 CB 9E BB 76 EE"
The process wscript.exe:2044 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 DA DB 72 16 6F F7 E7 EE F2 C2 2E 68 AA EE DA"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ixpress" = "%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.exe"
The process cvtres.exe:140 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 32 C3 6D 41 97 59 FB F7 8B 8C 85 30 FC F4 A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"BLV9AIUA7T" = "Black"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"BLV9AIUA7T" = "December 25, 2015"
The process file.exe:464 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B3 01 46 05 86 78 C7 AB C8 73 33 80 70 DF 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6E C0 66 B3 13 FB 91 09 ED 46 AD 00 C0 44 D6"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
MD5 | File path |
---|---|
e0d21bee6dae44a7c6e1896d7a8c7463 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Khichiii.exe |
342c3700830edc86d51059d0ecf26306 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\MyFolder\ixpress.exe |
74d0cf0c36c435f01b33dd4a53d66010 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE |
342c3700830edc86d51059d0ecf26306 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\file.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
MAGICZ~1.EXE:912
wscript.exe:2044
file.exe:464
%original file name%.exe:468
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C13C2459-F547-4158-9A74-6F46C4C5B098}\setup.msi (82162 bytes)
%Documents and Settings%\%current user%\Application Data\Khichiii.exe (35 bytes)
%Documents and Settings%\%current user%\Application Data\setup (34 bytes)
%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.aan (1852 bytes)
%Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\file.exe (10504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE (91182 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ixpress" = "%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
.data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 5318271 | 5318656 | 5.54275 | dc5b32476a3f6fee97fb2bc0fc615319 |
.reloc | 5382144 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Strings from Dumps
%original file name%.exe_468:
cvtres.exe_140:
explorer.exe
\system32\userinit.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
\system32\userinit.exe,
notepad.exe
notepad.exe
steam.exe
steam.exe
hl.exe
hl.exe
\rspad.dat
\rspad.dat
cvtres.exe_140_rwx_00400000_00078000:
MAGICZ~1.EXE_912: