Trojan-Dropper.Win32.Injector.klzg (Kaspersky), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 70bf7cba4f9118fd0e90d2654dcd08f6
SHA1: 198794856b1c4ae67d5de5dbbe52f57362ae0752
SHA256: 3b27e4c88adc1d3fc82a9ebdeac0ba3c8518ddce8c448f01204ab54eda427d64
SSDeep: 24576:zrnTI0/wMmCob/2jXsFjSguhiZgQPm3Aa0CTObnd0SHHH3Le2Q5YNiTD48oojvS4:zrD/mCoCXoWTAgGtdznK2UXTDxSfjs
Size: 1650276 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):
No processes have been created.
The Trojan-Dropper injects its code into the following process(es):
%original file name%.exe:740
source.exe:2040
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:740 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%WinDir%\jestertb.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\.ds_store (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jstart.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\ple_readme.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._readme.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\source.exe (33272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._ple_readme.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._software.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\style.css (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\software.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\readme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._license.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\license.xml (7 bytes)
Registry activity
The process %original file name%.exe:740 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 9C C8 65 1B E0 33 2F E2 1A BC 3C 21 05 CB 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-Dropper deletes the following value(s) in system registry:
The Trojan-Dropper disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"70bf7cba4f9118fd0e90d2654dcd08f6"
The process source.exe:2040 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 BF F0 6E E3 99 87 92 93 20 0A 5F 37 BA A5 F6"
Dropped PE files
MD5 | File path |
---|---|
a9a1d3c73835418cbd63b6dbbe9d6ad4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll |
75b4412f2edc1394d7150cb0a1c63b3c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\jstart.exe |
bc4d4d28816b5eedd640f94beec19552 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Jgl_Rt\source.exe |
56df1b6c087d4b9c0ab2318f226d3040 | c:\WINDOWS\jestertb.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
%WinDir%\jestertb.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\.ds_store (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\jstart.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\ple_readme.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._readme.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\source.exe (33272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._ple_readme.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._software.app (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\style.css (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\SHLLJG0.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\software.app (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\readme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\._license.xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Jgl_Rt\fscommand\license.xml (7 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Wiley Publishing, Inc.
Product Name: Advanced Maya Texturing and Lighting
Product Version: MD02835A
Legal Copyright: (c) Copyright Wiley Publishing, Inc.
Legal Trademarks:
Original Filename: Start.exe
Internal Name: Advanced Maya Texturing and Lighting
File Version: 1.0.0
File Description: Advanced Maya Texturing and Lighting
Comments: Visit our website http://www.wiley.com
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 409600 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 413696 | 221184 | 218112 | 5.48684 | 094001284ac94f69b3caf5d2dd1bddf8 |
.rsrc | 634880 | 16384 | 15360 | 1.91477 | 2350e9863641683412b1ab7271c272a7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan-Dropper connects to the servers at the following location(s):
Strings from Dumps
SharedObject.Flush.Success
hXXp://%s
hXXp://%s
hXXp://a.
hXXp://a.
SharedObject.BadPersistence
SharedObject.BadPersistence
SharedObject.UriMismatch
SharedObject.UriMismatch
NetConnection.Connect.Failed
NetConnection.Connect.Failed
NetConnection.Connect.Success
NetConnection.Connect.Success
NetConnection.Connect.Closed
NetConnection.Connect.Closed
port
port
pageUrl
pageUrl
tcUrl
tcUrl
swfUrl
swfUrl
@NetStream.Buffer.Flush
@NetStream.Buffer.Flush
NetStream.Buffer.Full
NetStream.Buffer.Full
NetStream.Buffer.Empty
NetStream.Buffer.Empty
NetStream.Play.Stop
NetStream.Play.Stop
NetStream.Seek.Notify
NetStream.Seek.Notify
NetStream.Seek.InvalidTime
NetStream.Seek.InvalidTime
NetStream.Play.StreamNotFound
NetStream.Play.StreamNotFound
NetStream.Play.Start
NetStream.Play.Start
NetStream.Publish.BadName
NetStream.Publish.BadName
NetStream.Play.Failed
NetStream.Play.Failed
HttpEndRequestA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HTTP/1.0
HTTP/1.0
OleAut32.dll
OleAut32.dll
q.CUN3C
q.CUN3C
WSOCK32.dll
WSOCK32.dll
WININET.dll
WININET.dll
CertVerifySubjectCertificateContext
CertVerifySubjectCertificateContext
CertFindCertificateInStore
CertFindCertificateInStore
CertCreateCertificateContext
CertCreateCertificateContext
CryptGetMessageCertificates
CryptGetMessageCertificates
CertCloseStore
CertCloseStore
CertFreeCertificateContext
CertFreeCertificateContext
CRYPT32.dll
CRYPT32.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
MapVirtualKeyA
MapVirtualKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
comdlg32.dll
comdlg32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyA
RegCreateKeyA
ADVAPI32.dll
ADVAPI32.dll
SHLLJG0.dll
SHLLJG0.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GetProcessHeap
GetProcessHeap
WEBZ}H
WEBZ}H
%8UH^D
%8UH^D
4%.ay
4%.ay
4.aJ$
4.aJ$
.Hc/
.Hc/
%sAu*
%sAu*
N~a.YI
N~a.YI
((('&%$#"!
((('&%$#"!
22222222
22222222
!),.:;?]}
!),.:;?]}
control.tlb
control.tlb
Macromedia Flash Player has stopped a potentially unsafe operation.
Macromedia Flash Player has stopped a potentially unsafe operation.
Macromedia Flash Player ha interrotto un'operazione potenzialmente pericolosa.
Macromedia Flash Player ha interrotto un'operazione potenzialmente pericolosa.
Macromedia Flash Player ha detenido una operaci
Macromedia Flash Player ha detenido una operaci
SAFlashPlayer.exe
SAFlashPlayer.exe
Enter the World Wide Web location (URL) or specify the local file you would like to open.
Enter the World Wide Web location (URL) or specify the local file you would like to open.
Geben Sie die Internetadresse (URL) oder eine lokale Datei an, die Sie
Geben Sie die Internetadresse (URL) oder eine lokale Datei an, die Sie
cifiez l'adresse URL (World Wide Web) ou le fichier local
cifiez l'adresse URL (World Wide Web) ou le fichier local
Passo &avanti
Passo &avanti
Specificare l'indirizzo (URL) dell'elemento da aprire.
Specificare l'indirizzo (URL) dell'elemento da aprire.
n Web (URL) o especifique el archivo local que desee abrir.
n Web (URL) o especifique el archivo local que desee abrir.
World Wide Web
World Wide Web
(URL)
(URL)
Macromedia Flash Player 8@Macromedia Flash movie (*.swf)|*.swf;*.spl|All Files (*.*)|*.*||
Macromedia Flash Player 8@Macromedia Flash movie (*.swf)|*.swf;*.spl|All Files (*.*)|*.*||
Projector (*.exe)|*.exe||
Projector (*.exe)|*.exe||
Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Alle Dateien (*.*)|*.*||
Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Alle Dateien (*.*)|*.*||
Projektor (*.exe)|*.exe||
Projektor (*.exe)|*.exe||
Macromedia Flash Player 8HMacromedia Flash movie (*.swf)|*.swf;*.spl|Tous les fichiers (*.*)|*.*||
Macromedia Flash Player 8HMacromedia Flash movie (*.swf)|*.swf;*.spl|Tous les fichiers (*.*)|*.*||
Projection (*.exe)|*.exe||
Projection (*.exe)|*.exe||
Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Tutti i file (*.*)|*.*||
Macromedia Flash Player 8CMacromedia Flash movie (*.swf)|*.swf;*.spl|Tutti i file (*.*)|*.*||
Proiettore (*.exe)|*.exe||
Proiettore (*.exe)|*.exe||
Macromedia Flash Player 8IMacromedia Flash movie (*.swf)|*.swf;*.spl|Todos los archivos (*.*)|*.*||
Macromedia Flash Player 8IMacromedia Flash movie (*.swf)|*.swf;*.spl|Todos los archivos (*.*)|*.*||
Proyector (*.exe)|*.exe||
Proyector (*.exe)|*.exe||
Macromedia Flash Player 8?Macromedia Flash movie (*.swf)|*.swf;*.spl|
Macromedia Flash Player 8?Macromedia Flash movie (*.swf)|*.swf;*.spl|
(*.*)|*.*||
(*.*)|*.*||
(*.exe)|*.exe||
(*.exe)|*.exe||
Macromedia Flash Player 8;Macromedia Flash movie (*.swf)|*.swf;*.spl|
Macromedia Flash Player 8;Macromedia Flash movie (*.swf)|*.swf;*.spl|
(*.*)|*.*||
(*.*)|*.*||
source.exe_2040_rwx_00331000_00013000:
Explorer.EXE_532_rwx_01E11000_00013000: