Trojan.Win32.Fsysna.bauc (Kaspersky), Generic.Sdbot.375F541B (B) (Emsisoft), Generic.Sdbot.375F541B (AdAware), GenericIRCBot.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f1fc12820944df9751ed3317c2d0285c
SHA1: 09378f3f2e7ad8f1249bc93e16f9f4937696ce70
SHA256: d71ff4c88c5381a9ed061d289328a52bb3e94361dd9d98499e27174b5f261f58
SSDeep: 1536:kST X1UBc/kaXEfNtVLUI WNaT5uidskKU2eTj6Umv:kE X2BWAdUItw57TmUm
Size: 57344 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-26 06:27:30
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Generic creates the following process(es):
No processes have been created.
The Generic injects its code into the following process(es):
%original file name%.exe:1832
Mutexes
The following mutexes were created/opened:
MAIN_-994442811
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:1832 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT (11692 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (12816 bytes)
%System%\config\software (3339 bytes)
%System%\config\SOFTWARE.LOG (8303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\I-994442811.bat (23 bytes)
The Generic deletes the following file(s):
%WinDir%\-994442811\csrss.exe (0 bytes)
Registry activity
The process %original file name%.exe:1832 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 06 BB EE 83 6D 8B 3A A0 D4 C8 62 1A AF A0 81"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"I-994442811.bat" = "I-994442811"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software]
"-994442811" = "0ddb4b98fff2dd4d9cb88b80ed705baf93f7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"
The Generic modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Generic modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Generic modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"
The Generic deletes the following value(s) in system registry:
The Generic disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%Documents and Settings%\%current user%\NTUSER.DAT (11692 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (12816 bytes)
%System%\config\software (3339 bytes)
%System%\config\SOFTWARE.LOG (8303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\I-994442811.bat (23 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*-994442811" = "%WinDir%\-994442811\csrss.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 520192 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 524288 | 57344 | 56320 | 5.4909 | d4c706fae2f398c345cfdd1a0530e99c |
UPX2 | 581632 | 4096 | 512 | 2.78187 | 50c49c2d281a27921209d47f55cc5e75 |
Network Activity
URLs
URL | IP |
---|---|
www.update.microsoft.com | 65.55.50.158 |
jueswooda.pw | 108.61.167.52 |
Strings from Dumps
%s %s :%s IRC War: [Validated Connections: %ld | Status: %s]
%s %s :%s IRC War: Kill User [Target: %s]
%s %s :%s IRC War: Kill User [Target: %s]
%s %s :%s IRC War: Kill Multiple Users [Targets: %s]
%s %s :%s IRC War: Kill Multiple Users [Targets: %s]
%s %s :%s IRC War: Stopped Kill Multiple Users
%s %s :%s IRC War: Stopped Kill Multiple Users
%s %s :%s IRC War: Successfully registered with NickServ [Socket: %ld]
%s %s :%s IRC War: Successfully registered with NickServ [Socket: %ld]
%s %s :%s IRC War: Aborted registration with NickServ
%s %s :%s IRC War: Aborted registration with NickServ
%s\FileZilla\recentservers.xml
%s\.purple\accounts.xml
%s%s%i%s%s%s%s%s
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
update.microsoft.com
VVV.update.microsoft.com
windowsupdate.microsoft.com
VVV.microsoft.com
microsoft.com
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
jueswooda.pw
Flow (v2.5.0)
@auth PRIVMSG n[USA|A|D|W_XP|x86|1c]gghebefc :!
@auth PRIVMSG #
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
axthon.exe
e.exe
ull)jnfhuwsdjueswooda.pw10000#botsFlow (v2.5.0)
-994442811
c:\%original file name%.exe
%WinDir%\-994442811
%WinDir%\-994442811\csrss.exe
NICK
JOIN
PRIVMSG
spoolsv.exe
GetProcessHeap
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
ShellExecuteA
FtpPutFileA
InternetOpenUrlA
.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
Y.rS
?@.eh_
kernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll