TrojanDropper.Win32.Injector.klzg_70bf7cba4f – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):No processes have been created.The Trojan-Dropper injects its code into the following process(es):

%original file name%.exe:740
source.exe:2040
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:740 makes changes in the file system.

The Trojan-Dropper creates and/or writes to the following file(s):

%WinDir%\jestertb.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\.ds_store (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jstart.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\ple_readme.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._readme.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\source.exe (33272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._ple_readme.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._software.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\style.css (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\software.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\readme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._license.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\license.xml (7 bytes)

Registry activity

The process %original file name%.exe:740 makes changes in the system registry.

The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 9C C8 65 1B E0 33 2F E2 1A BC 3C 21 05 CB 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan-Dropper deletes the following value(s) in system registry:

The Trojan-Dropper disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"70bf7cba4f9118fd0e90d2654dcd08f6"

The process source.exe:2040 makes changes in the system registry.

The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 BF F0 6E E3 99 87 92 93 20 0A 5F 37 BA A5 F6"

Dropped PE files

MD5	File path
a9a1d3c73835418cbd63b6dbbe9d6ad4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll
75b4412f2edc1394d7150cb0a1c63b3c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\jstart.exe
bc4d4d28816b5eedd640f94beec19552	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\source.exe
56df1b6c087d4b9c0ab2318f226d3040	c:\WINDOWS\jestertb.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan-Dropper file.
Delete or disinfect the following files created/modified by the Trojan-Dropper:
%WinDir%\jestertb.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\.ds_store (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jstart.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\ple_readme.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._readme.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\source.exe (33272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._ple_readme.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._software.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\style.css (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\software.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\readme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._license.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\license.xml (7 bytes)
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Wiley Publishing, Inc.
Product Name: Advanced Maya Texturing and Lighting
Product Version: MD02835A
Legal Copyright: (c) Copyright Wiley Publishing, Inc.
Legal Trademarks:
Original Filename: Start.exe
Internal Name: Advanced Maya Texturing and Lighting
File Version: 1.0.0
File Description: Advanced Maya Texturing and Lighting
Comments: Visit our website http://www.wiley.com
Language: English (United States)

Company Name: Wiley Publishing, Inc. Product Name: Advanced Maya Texturing and Lighting Product Version: MD02835A Legal Copyright: (c) Copyright Wiley Publishing, Inc. Legal Trademarks: Original Filename: Start.exeInternal Name: Advanced Maya Texturing and Lighting File Version: 1.0.0File Description: Advanced Maya Texturing and Lighting Comments: Visit our website http://www.wiley.com Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	409600	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	413696	221184	218112	5.48684	094001284ac94f69b3caf5d2dd1bddf8
.rsrc	634880	16384	15360	1.91477	2350e9863641683412b1ab7271c272a7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan-Dropper connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_740:

.rsrc

EInvalidOperation

%s_%d

EInvalidGraphicOperation

comctl32.dll

TWindowState

poProportional

KeyPreview

WindowState

OnKeyDown

OnKeyPressLAB

OnKeyUp

CTL3D32.DLL

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TKeyEvent

TKeyPressEvent

crSQLWait

Ht.Ht

t.HtR

IMM32.DLL

:].tJ

1.0.4

Invalid stream operation

TKGSExeAppender

TKGSExeAppender\

KGSExeAppender

UseCurrentExeOnExtract

Key too long

c:\program files\borland\delphi 3\libshare\KGSFormEdge.pas

SetRunOnWindowsStartup

KGSExeAppenderExtractFile

KGSExeAppProgress

KGSExeAppProgressFile

DebugLog.txt

USER32.DLL

jtools.ini

JTOOL.SATELLITE:

kernel32.dll

Ãšys

\Shell32.dll

SHELL32.dll

jesterrun.dll

*.dat

RunOnWindowsStartup

.jtools.ini

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

KeyDefaultValue

ReadReg.txt

EngineVars.txt

.html

\shell\open\ddeexec\Application

\shell\open\ddeexec\Topic

Software\Microsoft\Windows\CurrentVersion\Run

lbExpMsg

lbExpMsg_mailto

lbExpMsg_url

lbExpMsg_urlClick

lbExpMsg_mailtoClick

hXXp://

KeyboardInteraction

Windows_Startup

lbWindows_Startup$

lbKeyboardInteraction(

FormKeyDown

KeyboardInteractionClick

Windows_StartupClick

lbWindows_StartupClick!

lbKeyboardInteractionClick

VK_EXECUTE

VK_PROCESSKEY

Keyboard interaction Text

Run On Windows startup Text

ExpMessage_url

Password

Please enter password:

Wrong password!

Run On Windows startup

Right Click Menu Run On Windows startup Text

DisableW95Key

PassESC

TickerRecogniseWindows

RunOnWindowsStartupMenu

KeyInteraction

Keyboard interaction Initial Value

Run On Windows startup Initial Value

AnyKeyExit

SetupBoxWindowsStartupFontColor

SetupBoxWindowsStartupFontHeight

SetupBoxWindowsStartupFontName

SetupBoxWindowsStartupFontPitch

SetupBoxWindowsStartupFontSize

SetupBoxWindowsStartupFontBold

SetupBoxWindowsStartupFontItalic

SetupBoxWindowsStartupFontUnderline

SetupBoxWindowsStartupFontStrikeOut

SetupBoxKeyboardInteractionFontColor

SetupBoxKeyboardInteractionFontHeight

SetupBoxKeyboardInteractionFontName

SetupBoxKeyboardInteractionFontPitch

SetupBoxKeyboardInteractionFontSize

SetupBoxKeyboardInteractionFontBold

SetupBoxKeyboardInteractionFontItalic

SetupBoxKeyboardInteractionFontUnderline

SetupBoxKeyboardInteractionFontStrikeOut

user32.dll

3333333

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

/DELETEEXE

/UNINSTALL /DELETEEXE "

FTPF0|

.idata

.edata

P.reloc

P.rsrc

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

jestertb.dll

KWindows

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

lbKeyboardInteraction

lbWindows_Startup

lbWindows_StartupClick

Run on Windows startup

Keyboard interaction

WinExec

GetWindowsDirectoryA

GetCPInfo

RegQueryInfoKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

SetViewportOrgEx

ShellExecuteA

SHFileOperationA

keybd_event

UnregisterHotKey

UnhookWindowsHookEx

SetWindowsHookExA

RegisterHotKey

MapVirtualKeyA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

.rdata

KERNEL32.DLL

gdi32.dll

ole32.dll

shell32.dll

version.dll

winmm.dll

Enter password

Password:

Value must be between %d and %d Clipboard does not support Icons

Invalid data type for '%s'

Failed to create key %s

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form&Cannot change the size of a JPEG image

JPEG error #%d

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s property out of range

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Error reading %s.%s: %s

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

Interface not supported

%s (%s, line %d)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

1.0.0

Start.exe

Visit our website hXXp://VVV.wiley.com

%original file name%.exe_740_rwx_00401000_00099000:

EInvalidOperation

%s_%d

EInvalidGraphicOperation

comctl32.dll

TWindowState

poProportional

KeyPreview

WindowState

OnKeyDown

OnKeyPressLAB

OnKeyUp

CTL3D32.DLL

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TKeyEvent

TKeyPressEvent

crSQLWait

Ht.Ht

t.HtR

IMM32.DLL

:].tJ

1.0.4

Invalid stream operation

TKGSExeAppender

TKGSExeAppender\

KGSExeAppender

UseCurrentExeOnExtract

Key too long

c:\program files\borland\delphi 3\libshare\KGSFormEdge.pas

SetRunOnWindowsStartup

KGSExeAppenderExtractFile

KGSExeAppProgress

KGSExeAppProgressFile

DebugLog.txt

USER32.DLL

jtools.ini

JTOOL.SATELLITE:

kernel32.dll

Ãšys

\Shell32.dll

SHELL32.dll

jesterrun.dll

*.dat

RunOnWindowsStartup

.jtools.ini

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

KeyDefaultValue

ReadReg.txt

EngineVars.txt

.html

\shell\open\ddeexec\Application

\shell\open\ddeexec\Topic

Software\Microsoft\Windows\CurrentVersion\Run

lbExpMsg

lbExpMsg_mailto

lbExpMsg_url

lbExpMsg_urlClick

lbExpMsg_mailtoClick

hXXp://

KeyboardInteraction

Windows_Startup

lbWindows_Startup$

lbKeyboardInteraction(

FormKeyDown

KeyboardInteractionClick

Windows_StartupClick

lbWindows_StartupClick!

lbKeyboardInteractionClick

VK_EXECUTE

VK_PROCESSKEY

Keyboard interaction Text

Run On Windows startup Text

ExpMessage_url

Password

Please enter password:

Wrong password!

Run On Windows startup

Right Click Menu Run On Windows startup Text

DisableW95Key

PassESC

TickerRecogniseWindows

RunOnWindowsStartupMenu

KeyInteraction

Keyboard interaction Initial Value

Run On Windows startup Initial Value

AnyKeyExit

SetupBoxWindowsStartupFontColor

SetupBoxWindowsStartupFontHeight

SetupBoxWindowsStartupFontName

SetupBoxWindowsStartupFontPitch

SetupBoxWindowsStartupFontSize

SetupBoxWindowsStartupFontBold

SetupBoxWindowsStartupFontItalic

SetupBoxWindowsStartupFontUnderline

SetupBoxWindowsStartupFontStrikeOut

SetupBoxKeyboardInteractionFontColor

SetupBoxKeyboardInteractionFontHeight

SetupBoxKeyboardInteractionFontName

SetupBoxKeyboardInteractionFontPitch

SetupBoxKeyboardInteractionFontSize

SetupBoxKeyboardInteractionFontBold

SetupBoxKeyboardInteractionFontItalic

SetupBoxKeyboardInteractionFontUnderline

SetupBoxKeyboardInteractionFontStrikeOut

user32.dll

3333333

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

/DELETEEXE

/UNINSTALL /DELETEEXE "

FTPF0|

.idata

.edata

P.reloc

P.rsrc

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

jestertb.dll

KWindows

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

lbKeyboardInteraction

lbWindows_Startup

lbWindows_StartupClick

Run on Windows startup

Keyboard interaction

WinExec

GetWindowsDirectoryA

GetCPInfo

RegQueryInfoKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

SetViewportOrgEx

ShellExecuteA

SHFileOperationA

keybd_event

UnregisterHotKey

UnhookWindowsHookEx

SetWindowsHookExA

RegisterHotKey

MapVirtualKeyA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

.rdata

Enter password

Password:

Value must be between %d and %d Clipboard does not support Icons

Invalid data type for '%s'

Failed to create key %s

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form&Cannot change the size of a JPEG image

JPEG error #%d

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s property out of range

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Error reading %s.%s: %s

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

Interface not supported

%s (%s, line %d)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

%original file name%.exe_740_rwx_00971000_00013000:

kernel32.dll

DELPHI32.EXE

DDraw.dll

shell32.dll

WinExec

ShellExecuteA

ShellExecuteExA

ShellExecuteW

ShellExecuteExW

user32.dll

GetKeyState

winmm.dll

USER32.DLL

SHELL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Jgl_Rt\SHLLJG0.dll

KWindows

RegOpenKeyExA

RegCloseKey

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyboardType

.idata

.edata

P.reloc

P.rsrc

source.exe_2040:

.text

`.rdata

@.data

.rsrc

F%:G%u7

JWx%f

t%f=-

>%u

~%UVW

flash.filters.DropShadowFilter

@flash.filters.GlowFilter

flash.filters.BlurFilter

flash.filters.BevelFilter

flash.filters.ConvolutionFilter

flash.filters.DisplacementMapFilter

flash.filters.GradientGlowFilter

flash.filters.GradientBevelFilter

flash.filters.ColorMatrixFilter

application/x-www-form-urlencoded

flash.geom.Rectangle

flash.geom.Point

flash.geom.Transform

flash.display.BitmapData

flash.geom.Matrix

flash.geom.ColorTransform

portrait

ProductDownloadBaseUrl

CodeSignRootCert

AutoUpdateVersionUrl

.macromedia.com

hXXp://

.macromedia.com/support/flashplayer/sys/

hXXps://

mms.cfg

hXXp://VVV.macromedia.com

hXXps://VVV.macromedia.com/support/flashplayer/sys/

FlashAuthor.cfg

%3 %3 %d %2:%2:%2 GMT%c%2%2 %d

0 1 2 3 4 5 6 7

!%),.?]}

for (var i=0; i

for (var i=index; i

return s.replace(/&/g, "&").replace(/, "/g, ">").replace(/"/g, """).replace(/'/g, "'");

_global.System

Client.Header.MustUnderstand

NetConnection.Call.BadVersion

flash.net.FileReference

hXXps://VVV.macromedia.com/bin/flashdownload.cgi

H@%s?product=%s&signed=true&%s

%s&product=%s&signed=true&%s

macromedia.com

VVV.macromedia.com

Download.Complete

Download.Cancelled

Download.Failed

https:

>1.2.3

Webdings

Curlz MT

http:

$@.maxscroll

.scroll

PTF://

A=%b&SA=%b&SV=%b&EV=%b&MP3=%b&AE=%b&VE=%b&ACC=%b&PR=%b&SP=%b&SB=%b&DEB=%b&V=%s%s&PT=%s&AVD=%b&LFD=%b&WD=%b

hXXp://%s/

Sweeps: %d

Marking increments: %d

Items marked: %d

Average item size: %d bytes

Mark rate: %d mb/s

.AGC Pause (%s): %d millis

gcstats.txt

/crossdomain.xml

to-ports

NetConnection.Call.Failed

HTTP:

onKeyUp

onKeyDown

?NetConnection.Call.Prohibited

password

vnd.ms.wmhtml:

URLNotFound

onHTTPStatus

127.0.0.1

imm32.dll

System.IME

,,0,0,,,

WWW_OpenURL

\shell\open\ddeexec\Application

Windows 95

Windows 98/ME

Windows NT

Windows 2000

Windows XP

Windows

kernel32.dll

Macromedia Windows

&M=%s&R=%dx%d&DP=%d&COL=%s&AR=%s&OS=%s&L=%s&IME=%b

*.exe

*.swf

W@\\?\

z>https

onHTTPError

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

&Macromedia Flash Certificate Authority1

secure@macromedia.com1

VVV.macromedia.com/bin

update.bat

VerifyMessage : Second CertVerifySubjectCertificateContext() failed.

VerifyMessage : CertVerifySubjectCertificateContext() failed.

VerifyMessage : Certificate chain is too long.

VerifyMessage : CertCreateCertificateContext() failed.

VerifyMessage : CryptGetMessageCertificates() failed.

VerifyMessage : Unable to read external root certificate specified in MMS.CFG by CodeSignRootCert.

%d.%d.%d.%d

advapi32.dll

trapallkeys

WSOCK32.DLL

.jpeg

8,0,22,0

FtpOpenFileA

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

wininet.dll

FlashVideo.FlashVideo

FlashVideo.FlashVideo\DefaultIcon

FlashVideo.FlashVideo\shell\open\command

ShockwaveFlash.ShockwaveFlash

ShockwaveFlash.ShockwaveFlash\DefaultIcon

ShockwaveFlash.ShockwaveFlash\shell\open\command

keyFrameInterval

255.255.255.255

tag=%s;timestamp=%d;zone=%d;uri=%s

fpadPort

.Unmuted

.Muted

/bin/flashhelp.cgi

~&\;:"',? #

/support/flashplayer/sys/

SharedObject.Failed

SharedObject.Flush.Failed

SharedObject.Flush.Success

hXXp://%s

hXXp://a.

SharedObject.BadPersistence

SharedObject.UriMismatch

NetConnection.Connect.Failed

NetConnection.Connect.Success

NetConnection.Connect.Closed

port

pageUrl

tcUrl

swfUrl

@NetStream.Buffer.Flush

NetStream.Buffer.Full

NetStream.Buffer.Empty

NetStream.Play.Stop

NetStream.Seek.Notify

NetStream.Seek.InvalidTime

NetStream.Play.StreamNotFound

NetStream.Play.Start

NetStream.Publish.BadName

NetStream.Play.Failed

HttpEndRequestA

HttpSendRequestExA

HttpAddRequestHeadersA

HTTP/1.0

OleAut32.dll

q.CUN3C

WSOCK32.dll

WININET.dll

CertVerifySubjectCertificateContext

CertFindCertificateInStore

CertCreateCertificateContext

CryptGetMessageCertificates

CertCloseStore

CertFreeCertificateContext

CRYPT32.dll

VERSION.dll

WINMM.dll

GetCPInfo

KERNEL32.dll

GetKeyboardLayout

GetKeyState

MapVirtualKeyA

MsgWaitForMultipleObjects

USER32.dll

GDI32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegOpenKeyExW

RegCreateKeyA

ADVAPI32.dll

SHLLJG0.dll

ole32.dll

OLEAUT32.dll

GetProcessHeap

WEBZ}H

%8UH^D

4%.ay

4.aJ$

.Hc/

%sAu*

N~a.YI

((('&%$#"!

22222222

!),.:;?]}

control.tlb

Macromedia Flash Player has stopped a potentially unsafe operation.

Macromedia Flash Player ha interrotto un'operazione potenzialmente pericolosa.

Macromedia Flash Player ha detenido una operaci

SAFlashPlayer.exe

Enter the World Wide Web location (URL) or specify the local file you would like to open.

Geben Sie die Internetadresse (URL) oder eine lokale Datei an, die Sie

cifiez l'adresse URL (World Wide Web) ou le fichier local

Passo &avanti

Specificare l'indirizzo (URL) dell'elemento da aprire.

n Web (URL) o especifique el archivo local que desee abrir.

World Wide Web

(URL)

Macromedia Flash Player 8@Macromedia Flash movie (*.swf)|*.swf;*.spl|All Files (*.*)|*.*||

Projector (*.exe)|*.exe||

Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Alle Dateien (*.*)|*.*||

Projektor (*.exe)|*.exe||

Macromedia Flash Player 8HMacromedia Flash movie (*.swf)|*.swf;*.spl|Tous les fichiers (*.*)|*.*||

Projection (*.exe)|*.exe||

Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Tutti i file (*.*)|*.*||

Proiettore (*.exe)|*.exe||

Macromedia Flash Player 8IMacromedia Flash movie (*.swf)|*.swf;*.spl|Todos los archivos (*.*)|*.*||

Proyector (*.exe)|*.exe||

Macromedia Flash Player 8?Macromedia Flash movie (*.swf)|*.swf;*.spl|

(*.*)|*.*||

(*.exe)|*.exe||

Macromedia Flash Player 8;Macromedia Flash movie (*.swf)|*.swf;*.spl|

(*.*)|*.*||

source.exe_2040_rwx_00331000_00013000:

kernel32.dll

DELPHI32.EXE

DDraw.dll

shell32.dll

WinExec

ShellExecuteA

ShellExecuteExA

ShellExecuteW

ShellExecuteExW

user32.dll

GetKeyState

winmm.dll

USER32.DLL

SHELL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Jgl_Rt\SHLLJG0.dll

KWindows

RegOpenKeyExA

RegCloseKey

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyboardType

.idata

.edata

P.reloc

P.rsrc

Explorer.EXE_532_rwx_01E11000_00013000:

kernel32.dll

DELPHI32.EXE

DDraw.dll

shell32.dll

WinExec

ShellExecuteA

ShellExecuteExA

ShellExecuteW

ShellExecuteExW

user32.dll

GetKeyState

winmm.dll

USER32.DLL

SHELL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Jgl_Rt\SHLLJG0.dll

KWindows

RegOpenKeyExA

RegCloseKey

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyboardType

.idata

.edata

P.reloc

P.rsrc

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps