HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.PcClient.FD, Worm.Win32.Ainslot.VB.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR, WormAinslot_VariantOfZeus.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 290b921acde9ecfdbdb50e3c5a7d2fe0
SHA1: f3f631ebd245cc62ddb0e93f6efb0c8259391087
SHA256: 015ee1e2f751e90fa861d427f332da01b360348a014600dfab36f014b21dd133
SSDeep: 24576:nUn1IgBTqyAQF9XjjmZO 0znC3lvlQ8aXeu68GGUEtUMefQMmNooMGv9q/c:8IDQFxa0zncvlQxXl68MMPOoP1yc
Size: 1333963 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CBWGU
Created at: 2014-03-27 11:23:43
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
Picture.exe:2060
%original file name%.exe:348
The Worm injects its code into the following process(es):
RegSvcs.exe:2128
rundll32.exe:2068
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process RegSvcs.exe:2128 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\losvc.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winseclog (33 bytes)
The process Picture.exe:2060 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\52apj8vsd4\run.vbs (89 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\13189.vbs (172 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\20042.cmd (68 bytes)
The process %original file name%.exe:348 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\52apj8vsd4\36436_1220530013657_3761244_n.jpg (11 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS (231165 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe (31505 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\ENoDVXVP.ZHU (550 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\mgdVlp.MWL (143 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\52apj8vsd4\__tmp_rar_sfx_access_check_275687 (0 bytes)
Registry activity
The process RegSvcs.exe:2128 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 4C 78 57 8F 44 BB AA 7F 5A DF CF B2 88 AA 56"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"ZGKTN4Y24L" = "33333"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"ZGKTN4Y24L" = "October 1, 2015"
The process Picture.exe:2060 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 1A 28 DA 1D F6 65 A0 6C 7E 02 1D 01 5B 79 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"52apj8vsd4" = "C:\DOCUME~1\"%CurrentUserName%"\52apj8vsd4\13189.vbs"
The process rundll32.exe:2068 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 FB 44 BD FC DC 1E EB 57 CB 86 54 93 B5 8C 6C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:348 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B6 0B 97 F5 67 F7 A5 05 90 35 0D 7D AD E0 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\52apj8vsd4]
"Picture.exe" = "AutoIt v3 Script"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
e01ced5c12390ff5256694eda890b33a | c:\Documents and Settings\"%CurrentUserName%"\52apj8vsd4\Picture.exe |
faa8ea9027ed6b6c875c247e59285270 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\losvc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Picture.exe:2060
%original file name%.exe:348 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\losvc.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winseclog (33 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\run.vbs (89 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\13189.vbs (172 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\20042.cmd (68 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\36436_1220530013657_3761244_n.jpg (11 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS (231165 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe (31505 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\ENoDVXVP.ZHU (550 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\mgdVlp.MWL (143 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"52apj8vsd4" = "C:\DOCUME~1\"%CurrentUserName%"\52apj8vsd4\13189.vbs" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 165443 | 165888 | 4.65539 | 7347ce1d323320f66e3fb3ff528cd4bb |
.rdata | 172032 | 20307 | 20480 | 3.71122 | 540d7f00105a76bf1774011f1d085053 |
.data | 192512 | 137468 | 5632 | 2.40566 | 476ccd1811246d0fb35182a2820d6c2c |
.rsrc | 331776 | 174784 | 175104 | 3.60712 | d4dcb9a3d04b27ee95980746d9a86765 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
Picture.exe_2060:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SSht:K
SSht:K
PSSSSSSh
PSSSSSSh
Gt.Ht$
Gt.Ht$
t.jGZf;
t.jGZf;
PSSSh
PSSSh
PVSSh
PVSSh
f;Crt
f;Crt
?#%X.y
?#%X.y
GetProcessWindowStation
GetProcessWindowStation
operator
operator
kernel32.dll
kernel32.dll
RegDeleteKeyExW
RegDeleteKeyExW
advapi32.dll
advapi32.dll
oleaut32.dll
oleaut32.dll
Error text not found (please report)
Error text not found (please report)
operand of unlimited repeat could match the empty string
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
POSIX named classes are supported only within a class
erroffset passed as NULL
erroffset passed as NULL
POSIX collating elements are not supported
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
\N is not supported in a class
WSOCK32.dll
WSOCK32.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
COMCTL32.dll
COMCTL32.dll
MPR.dll
MPR.dll
InternetCrackUrlW
InternetCrackUrlW
HttpQueryInfoW
HttpQueryInfoW
HttpOpenRequestW
HttpOpenRequestW
HttpSendRequestW
HttpSendRequestW
FtpOpenFileW
FtpOpenFileW
FtpGetFileSize
FtpGetFileSize
InternetOpenUrlW
InternetOpenUrlW
WININET.dll
WININET.dll
PSAPI.DLL
PSAPI.DLL
IPHLPAPI.DLL
IPHLPAPI.DLL
USERENV.dll
USERENV.dll
UxTheme.dll
UxTheme.dll
GetProcessHeap
GetProcessHeap
CreatePipe
CreatePipe
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
OpenWindowStationW
OpenWindowStationW
SetProcessWindowStation
SetProcessWindowStation
CloseWindowStation
CloseWindowStation
MapVirtualKeyW
MapVirtualKeyW
EnumChildWindows
EnumChildWindows
EnumWindows
EnumWindows
VkKeyScanW
VkKeyScanW
GetKeyState
GetKeyState
GetKeyboardState
GetKeyboardState
SetKeyboardState
SetKeyboardState
GetAsyncKeyState
GetAsyncKeyState
keybd_event
keybd_event
EnumThreadWindows
EnumThreadWindows
ExitWindowsEx
ExitWindowsEx
UnregisterHotKey
UnregisterHotKey
RegisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
GetKeyboardLayoutNameW
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GDI32.dll
GDI32.dll
COMDLG32.dll
COMDLG32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteKeyW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHFileOperationW
SHFileOperationW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GetCPInfo
GetCPInfo
zcÃ
zcÃ
UQ.WP
UQ.WP
mI.Us
mI.Us
\.gGL
\.gGL
.FFF
.FFF
,.bh9
,.bh9
].Whjj*
].Whjj*
4,555@5{5
4,555@5{5
;&<.>
;&<.>
2-262>2 3
2-262>2 3
7(797@7`7
7(797@7`7
mscoree.dll
mscoree.dll
combase.dll
combase.dll
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- floating point support not loaded
- floating point support not loaded
USER32.DLL
USER32.DLL
CMDLINERAW
CMDLINERAW
CMDLINE
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
/AutoIt3ExecuteScript
APPSKEY
APPSKEY
789:;?
789:;?
FTPSETPROXY
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLRECVMSG
GUICTRLSENDMSG
GUICTRLSENDMSG
GUIGETMSG
GUIGETMSG
GUIREGISTERMSG
GUIREGISTERMSG
HOTKEYSET
HOTKEYSET
HTTPSETPROXY
HTTPSETPROXY
HTTPSETUSERAGENT
HTTPSETUSERAGENT
ISKEYWORD
ISKEYWORD
MSGBOX
MSGBOX
REGENUMKEY
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTE
SHELLEXECUTEWAIT
SHELLEXECUTEWAIT
TCPACCEPT
TCPACCEPT
TCPCLOSESOCKET
TCPCLOSESOCKET
TCPCONNECT
TCPCONNECT
TCPLISTEN
TCPLISTEN
TCPNAMETOIP
TCPNAMETOIP
TCPRECV
TCPRECV
TCPSEND
TCPSEND
TCPSHUTDOWN
TCPSHUTDOWN
TCPSTARTUP
TCPSTARTUP
TRAYGETMSG
TRAYGETMSG
UDPBIND
UDPBIND
UDPCLOSESOCKET
UDPCLOSESOCKET
UDPOPEN
UDPOPEN
UDPRECV
UDPRECV
UDPSEND
UDPSEND
UDPSHUTDOWN
UDPSHUTDOWN
UDPSTARTUP
UDPSTARTUP
SendKeyDelay
SendKeyDelay
SendKeyDownDelay
SendKeyDownDelay
TCPTimeout
TCPTimeout
WINDOWSDIR
WINDOWSDIR
AUTOITEXE
AUTOITEXE
HOTKEYPRESSED
HOTKEYPRESSED
D%s (%d) : ==> %s.:
D%s (%d) : ==> %s.:
Line %d:
Line %d:
Line %d (File "%s"):
Line %d (File "%s"):
%s (%d) : ==> %s:
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
*.au3;*.a3x
All files (*.*)
All files (*.*)
Line %d:
Line %d:
04090000
04090000
%u.%u.%u.%u
%u.%u.%u.%u
0.0.0.0
0.0.0.0
Mddddd
Mddddd
"%s" (%d) : ==> %s:
"%s" (%d) : ==> %s:
\??\%s
\??\%s
GUI_RUNDEFMSG
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
AUTOITCALLVARIABLE%d
255.255.255.255
255.255.255.255
Keyword
Keyword
AUTOIT.ERROR
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 10, 2
3, 3, 10, 2
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_USERS
HKEY_USERS
%d/d/d
%d/d/d
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS
hXXp://VVV.autoitscript.com/autoit3/
hXXp://VVV.autoitscript.com/autoit3/
AutoIt3.exe
AutoIt3.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Missing operator in expression."Unbalanced brackets in expression.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
3This keyword cannot be used after a "Then" keyword.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
rundll32.exe_2068:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
RegSvcs.exe_2128:
.text
.text
`.data
`.data
.rsrc
.rsrc
MSVBVM60.DLL
MSVBVM60.DLL
bss_server.usrReverseRelay
bss_server.usrReverseRelay
tmrWebHide
tmrWebHide
bss_server.Socket
bss_server.Socket
bss_server.usrRelay
bss_server.usrRelay
ieframe.dll
ieframe.dll
SHDocVwCtl.WebBrowser
SHDocVwCtl.WebBrowser
WebBrowser
WebBrowser
mswinsck.ocx
mswinsck.ocx
MSWinsockLib.Winsock
MSWinsockLib.Winsock
modLaunchWeb
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
winmm.dll
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
kernel32.dll
kernel32.dll
avicap32.dll
avicap32.dll
advpack.dll
advpack.dll
GetAsyncKeyState
GetAsyncKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardState
GetKeyboardState
GetKeyState
GetKeyState
SHFileOperationA
SHFileOperationA
CreatePipe
CreatePipe
PSAPI.DLL
PSAPI.DLL
GetTcpTable
GetTcpTable
ExitWindowsEx
ExitWindowsEx
EnumWindows
EnumWindows
WinInet.dll
WinInet.dll
DeleteUrlCacheEntryA
DeleteUrlCacheEntryA
urlmon
urlmon
URLDownloadToFileA
URLDownloadToFileA
ShellExecuteA
ShellExecuteA
keybd_event
keybd_event
CHAT_ADDMSG
CHAT_ADDMSG
VBA6.DLL
VBA6.DLL
ws2_32.dll
ws2_32.dll
D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3
D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3
AddMsg
AddMsg
olepro32.dll
olepro32.dll
GdiplusShutdown
GdiplusShutdown
RemotePort
RemotePort
LocalPort
LocalPort
WSOCK32.DLL
WSOCK32.DLL
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ntdll.dll
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
C:\Windows\SysWOW64\ieframe.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrTCP
tmrTCP
tmrUDP
tmrUDP
UDPSocket
UDPSocket
UDPFlood
UDPFlood
ole32.dll
ole32.dll
crypt32.dll
crypt32.dll
oleaut32.dll
oleaut32.dll
RegOpenKeyA
RegOpenKeyA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
`txtPassword
`txtPassword
imgLoginPressed
imgLoginPressed
imgLogin
imgLogin
RegCreateKeyA
RegCreateKeyA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
gdi32.dll
gdi32.dll
InternetOpenUrlA
InternetOpenUrlA
FtpGetFileA
FtpGetFileA
FtpPutFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpOpenFileA
FtpGetFileSize
FtpGetFileSize
FtpDeleteFileA
FtpDeleteFileA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpRenameFileA
FtpDownload
FtpDownload
FtpUpload
FtpUpload
FtpGetDirectory
FtpGetDirectory
Http_DownloadFile
Http_DownloadFile
cmdShowfiles
cmdShowfiles
msvbvm60.dll
msvbvm60.dll
?8??8??8??8??8?
?8??8??8??8??8?
txtPassword
txtPassword
2>e%Xdq
2>e%Xdq
uMsg
uMsg
strMsg
strMsg
MsgNum
MsgNum
AllMsgs
AllMsgs
lngPort
lngPort
URL_TARGET
URL_TARGET
Port
Port
Password
Password
WebURL
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Binds socket to specific port and adapter
Occurs after a send operation has completed
Occurs after a send operation has completed
*\AD:\Blackshades Project\bs_net\server\server.vbp
*\AD:\Blackshades Project\bs_net\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
{00020404-0000-0000-C000-000000000046}
5.5.1
5.5.1
\nir_cmd.bss speak text
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
\nir_cmd.bss monitor on
PORT
PORT
TRANSFERPORT
TRANSFERPORT
\rsout.tmp
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Keylog
Wscript.Shell
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
\winlogon.exe
iexplore.exe
iexplore.exe
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
hXXp://VVV.facebook.com
ADVAPI32.dll
ADVAPI32.dll
Windows Firewall/Internet Connection Sharing (ICS)
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
WebCamCapture
\Vuze\Azureus.exe
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\MSWINSCK.OCX
hXXp://
hXXp://
HTTP/1.1
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
\cmd.exe
\cmd.exe
\data.dat
\data.dat
\steam\steam.exe
\steam\steam.exe
nkey
nkey
dkey
dkey
regsvr32.exe
regsvr32.exe
\pws_mail.bss
\pws_mail.bss
\pws_mess.bss
\pws_mess.bss
\pws_cdk.bss
\pws_cdk.bss
\pws_ff.bss
\pws_ff.bss
\pws_chro.bss
\pws_chro.bss
\nir_cmd.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
00000000
winmgmts:\\.\root\cimv2
winmgmts:\\.\root\cimv2
api.ipinfodb.com
api.ipinfodb.com
Select * from Win32_Keyboard
Select * from Win32_Keyboard
GET /v2/ip_query.php?key=
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
GET /v2/ip_query_country.php?key=
Portable
Portable
winmgmts:\\.\root\SecurityCenter
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.bmp
\wallpaper.jpg
\wallpaper.jpg
WScript.Shell
WScript.Shell
WinServer 2003, Web Edition
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
__oxFrame.class__
Scripting.FileSystemObject
Scripting.FileSystemObject
Autorun.ini
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Address family not supported by protocol family.
Operation already in progress.
Operation already in progress.
Operation now in progress.
Operation now in progress.
Socket operation on nonsocket.
Socket operation on nonsocket.
Operation not supported.
Operation not supported.
Protocol family not supported.
Protocol family not supported.
Protocol not supported.
Protocol not supported.
Socket type not supported.
Socket type not supported.
Winsock.dll version out of range.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
CSocketMaster.SendBufferedData
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
$('#jschl_answer').val(
$('#jschl_answer').val(
application/x-www-form-urlencoded
application/x-www-form-urlencoded
abe2869f-9b47-4cd9-a358-c22904dba7f7
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
/stext mess.dat
\mess.dat
\mess.dat
/stext mail.dat
/stext mail.dat
\mail.dat
\mail.dat
/stext ffpw.dat
/stext ffpw.dat
\ffpw.dat
\ffpw.dat
Web Site
Web Site
Password
Password
/stext chro.dat
/stext chro.dat
\chro.dat
\chro.dat
Action URL
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
http\shell\open\command
127.0.0.1
127.0.0.1
\dump.txt
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
255.255.255.255
finalizarprocessoportas
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bps1.exe
bhookpl.dll
bhookpl.dll
bnfa.exe
bnfa.exe
drvloadn.dll
drvloadn.dll
drvloadx.dll
drvloadx.dll
VNCHooks.dll
VNCHooks.dll
xr4tdwa.exe
xr4tdwa.exe
\rspad.dat
\rspad.dat
shutdown.exe
shutdown.exe
TCnRawKeyBoard
TCnRawKeyBoard
HuntHTTPDownload
HuntHTTPDownload
autorun.inf
autorun.inf
explorer.exe
explorer.exe
hXXps://onlineeast#.bankofamerica.com
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
winlogon.exe
moz_logins
moz_logins
WEBCAMLIVE
WEBCAMLIVE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
\system32\userinit.exe,
notepad.exe
notepad.exe
\system32\userinit.exe
\system32\userinit.exe
steam.exe
steam.exe
hl.exe
hl.exe
@*\AD:\Blackshades Project\bs_net\server\server.vbp
@*\AD:\Blackshades Project\bs_net\server\server.vbp
RegSvcs.exe_2128_rwx_00400000_0007A000:
.text
.text
`.data
`.data
.rsrc
.rsrc
MSVBVM60.DLL
MSVBVM60.DLL
bss_server.usrReverseRelay
bss_server.usrReverseRelay
tmrWebHide
tmrWebHide
bss_server.Socket
bss_server.Socket
bss_server.usrRelay
bss_server.usrRelay
ieframe.dll
ieframe.dll
SHDocVwCtl.WebBrowser
SHDocVwCtl.WebBrowser
WebBrowser
WebBrowser
mswinsck.ocx
mswinsck.ocx
MSWinsockLib.Winsock
MSWinsockLib.Winsock
modLaunchWeb
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
winmm.dll
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
kernel32.dll
kernel32.dll
avicap32.dll
avicap32.dll
advpack.dll
advpack.dll
GetAsyncKeyState
GetAsyncKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardState
GetKeyboardState
GetKeyState
GetKeyState
SHFileOperationA
SHFileOperationA
CreatePipe
CreatePipe
PSAPI.DLL
PSAPI.DLL
GetTcpTable
GetTcpTable
ExitWindowsEx
ExitWindowsEx
EnumWindows
EnumWindows
WinInet.dll
WinInet.dll
DeleteUrlCacheEntryA
DeleteUrlCacheEntryA
urlmon
urlmon
URLDownloadToFileA
URLDownloadToFileA
ShellExecuteA
ShellExecuteA
keybd_event
keybd_event
CHAT_ADDMSG
CHAT_ADDMSG
VBA6.DLL
VBA6.DLL
ws2_32.dll
ws2_32.dll
D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3
D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3
AddMsg
AddMsg
olepro32.dll
olepro32.dll
GdiplusShutdown
GdiplusShutdown
RemotePort
RemotePort
LocalPort
LocalPort
WSOCK32.DLL
WSOCK32.DLL
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ntdll.dll
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
C:\Windows\SysWOW64\ieframe.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrTCP
tmrTCP
tmrUDP
tmrUDP
UDPSocket
UDPSocket
UDPFlood
UDPFlood
ole32.dll
ole32.dll
crypt32.dll
crypt32.dll
oleaut32.dll
oleaut32.dll
RegOpenKeyA
RegOpenKeyA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
`txtPassword
`txtPassword
imgLoginPressed
imgLoginPressed
imgLogin
imgLogin
RegCreateKeyA
RegCreateKeyA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
gdi32.dll
gdi32.dll
InternetOpenUrlA
InternetOpenUrlA
FtpGetFileA
FtpGetFileA
FtpPutFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpOpenFileA
FtpGetFileSize
FtpGetFileSize
FtpDeleteFileA
FtpDeleteFileA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpRenameFileA
FtpDownload
FtpDownload
FtpUpload
FtpUpload
FtpGetDirectory
FtpGetDirectory
Http_DownloadFile
Http_DownloadFile
cmdShowfiles
cmdShowfiles
msvbvm60.dll
msvbvm60.dll
?8??8??8??8??8?
?8??8??8??8??8?
txtPassword
txtPassword
2>e%Xdq
2>e%Xdq
uMsg
uMsg
strMsg
strMsg
MsgNum
MsgNum
AllMsgs
AllMsgs
lngPort
lngPort
URL_TARGET
URL_TARGET
Port
Port
Password
Password
WebURL
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Binds socket to specific port and adapter
Occurs after a send operation has completed
Occurs after a send operation has completed
*\AD:\Blackshades Project\bs_net\server\server.vbp
*\AD:\Blackshades Project\bs_net\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
{00020404-0000-0000-C000-000000000046}
5.5.1
5.5.1
\nir_cmd.bss speak text
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
\nir_cmd.bss monitor on
PORT
PORT
TRANSFERPORT
TRANSFERPORT
\rsout.tmp
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Keylog
Wscript.Shell
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
\winlogon.exe
iexplore.exe
iexplore.exe
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
hXXp://VVV.facebook.com
ADVAPI32.dll
ADVAPI32.dll
Windows Firewall/Internet Connection Sharing (ICS)
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
WebCamCapture
\Vuze\Azureus.exe
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\MSWINSCK.OCX
hXXp://
hXXp://
HTTP/1.1
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
\cmd.exe
\cmd.exe
\data.dat
\data.dat
\steam\steam.exe
\steam\steam.exe
nkey
nkey
dkey
dkey
regsvr32.exe
regsvr32.exe
\pws_mail.bss
\pws_mail.bss
\pws_mess.bss
\pws_mess.bss
\pws_cdk.bss
\pws_cdk.bss
\pws_ff.bss
\pws_ff.bss
\pws_chro.bss
\pws_chro.bss
\nir_cmd.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
00000000
winmgmts:\\.\root\cimv2
winmgmts:\\.\root\cimv2
api.ipinfodb.com
api.ipinfodb.com
Select * from Win32_Keyboard
Select * from Win32_Keyboard
GET /v2/ip_query.php?key=
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
GET /v2/ip_query_country.php?key=
Portable
Portable
winmgmts:\\.\root\SecurityCenter
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.bmp
\wallpaper.jpg
\wallpaper.jpg
WScript.Shell
WScript.Shell
WinServer 2003, Web Edition
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
__oxFrame.class__
Scripting.FileSystemObject
Scripting.FileSystemObject
Autorun.ini
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Address family not supported by protocol family.
Operation already in progress.
Operation already in progress.
Operation now in progress.
Operation now in progress.
Socket operation on nonsocket.
Socket operation on nonsocket.
Operation not supported.
Operation not supported.
Protocol family not supported.
Protocol family not supported.
Protocol not supported.
Protocol not supported.
Socket type not supported.
Socket type not supported.
Winsock.dll version out of range.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
CSocketMaster.SendBufferedData
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
$('#jschl_answer').val(
$('#jschl_answer').val(
application/x-www-form-urlencoded
application/x-www-form-urlencoded
abe2869f-9b47-4cd9-a358-c22904dba7f7
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
/stext mess.dat
\mess.dat
\mess.dat
/stext mail.dat
/stext mail.dat
\mail.dat
\mail.dat
/stext ffpw.dat
/stext ffpw.dat
\ffpw.dat
\ffpw.dat
Web Site
Web Site
Password
Password
/stext chro.dat
/stext chro.dat
\chro.dat
\chro.dat
Action URL
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
http\shell\open\command
127.0.0.1
127.0.0.1
\dump.txt
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
255.255.255.255
finalizarprocessoportas
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bps1.exe
bhookpl.dll
bhookpl.dll
bnfa.exe
bnfa.exe
drvloadn.dll
drvloadn.dll
drvloadx.dll
drvloadx.dll
VNCHooks.dll
VNCHooks.dll
xr4tdwa.exe
xr4tdwa.exe
\rspad.dat
\rspad.dat
shutdown.exe
shutdown.exe
TCnRawKeyBoard
TCnRawKeyBoard
HuntHTTPDownload
HuntHTTPDownload
autorun.inf
autorun.inf
explorer.exe
explorer.exe
hXXps://onlineeast#.bankofamerica.com
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
winlogon.exe
moz_logins
moz_logins
WEBCAMLIVE
WEBCAMLIVE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
\system32\userinit.exe,
notepad.exe
notepad.exe
\system32\userinit.exe
\system32\userinit.exe
steam.exe
steam.exe
hl.exe
hl.exe
@*\AD:\Blackshades Project\bs_net\server\server.vbp
@*\AD:\Blackshades Project\bs_net\server\server.vbp