HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.37494 (B) (Emsisoft), Trojan.GenericKD.1709773 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5787cc139a006533b5eeffba829622cf
SHA1: 50513bf1328a7b62508350c817add3a0242c9555
SHA256: d8a9cab55f8ada84fa54345465712f9099b9b2dfa38e8ad51a51d1a37c8a73e9
SSDeep: 24576:B4GxvSihOxhZKJZfrFHs6AnaJ3wEK0sVaFJSTORUEXYNUkupGqHQ0/T EHAazAjG:B9qigxuLAnaJAER
Size: 6687934 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: App.install
Created at: 2013-11-18 22:50:57
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:628
EB8D8F.exe:1572
EB8D8F.exe:812
The Backdoor injects its code into the following process(es):
DF8F8D.exe:948
Taskmgr.exe:780
svchost.exe:1072
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:628 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EB8D8F.exe (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DF8F8D.exe (1744 bytes)
The process EB8D8F.exe:812 makes changes in the file system.
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF6950.tmp (0 bytes)
The process Taskmgr.exe:780 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8XUV0DUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLIJWH6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\TWVXfZtP3L.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PQFSLA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHYV4XUR\desktop.ini (67 bytes)
%System%\Microsoft\svchost.exe (16582 bytes)
Registry activity
The process DF8F8D.exe:948 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DF 9A C8 AF FD B6 73 47 19 AC CC 40 71 AB 3F"
The process %original file name%.exe:628 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 B9 FC 1C 5C 11 9E 23 4D DC 89 41 74 B4 23 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process EB8D8F.exe:1572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 31 2A 82 E2 C3 27 46 43 8E 5A A9 E8 21 8F 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\XtremeRAT]
"Mutex" = "TWVXfZtP3L"
The process EB8D8F.exe:812 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E D1 F5 2A D7 46 03 78 63 FD B4 D6 F3 C0 48 DA"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Microsoft\MediaPlayer\Health\{00AAE079-C6DE-40BA-A3E3-6201FCABDDE8}]
The process Taskmgr.exe:780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\TWVXfZtP3L]
"ServerStarted" = "29/06/2014 06:24:02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1208111732"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Taskmgr.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\TWVXfZtP3L]
"ServerName" = "%System%\Microsoft\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{13KD28X5-3D85-0JRE-75YT-VMMW03328833}]
"StubPath" = "%System%\Microsoft\svchost.exe restart"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 56 2F AD 17 77 84 F8 56 C3 3C 1A 47 3B 31 3D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings so that all local web-nodes (hostnames without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Runtime" = "%System%\Microsoft\svchost.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "%System%\Microsoft\svchost.exe"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f9b4dedf390aa772f996397c00cc054e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\DF8F8D.exe |
4e99d06e9c6051d06e252f4c08175650 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EB8D8F.exe |
4e99d06e9c6051d06e252f4c08175650 | c:\WINDOWS\system32\Microsoft\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:628
EB8D8F.exe:1572
EB8D8F.exe:812
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\EB8D8F.exe (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DF8F8D.exe (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8XUV0DUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLIJWH6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\TWVXfZtP3L.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PQFSLA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHYV4XUR\desktop.ini (67 bytes)
%System%\Microsoft\svchost.exe (16582 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Runtime" = "%System%\Microsoft\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "%System%\Microsoft\svchost.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: MeckPix Loader
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2013
Legal Trademarks:
Original Filename: MeckPix Loader.exe
Internal Name: MeckPix Loader.exe
File Version: 1.0.0.0
File Description: MeckPix Loader
Comments:
Language: English (Australia)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 575868 | 576000 | 4.62967 | 82efa31be51e395077cee655cd8ee183 |
.rdata | 581632 | 182098 | 182272 | 4.00776 | fa899eaaa8b1b9c5848304efbe7169ca |
.data | 765952 | 40756 | 25088 | 1.39065 | 15fdb298b8d66a3218f66f46d7b0584b |
.rsrc | 806912 | 15412 | 15872 | 3.49456 | 3705573ec855fb8f04cf1bc3157c66e0 |
.reloc | 823296 | 41258 | 41472 | 3.60923 | 9ecb86eb52835d01a22e5f14ae244de1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_1072:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1072_rwx_10000000_0004A000:
.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
spygbr.no-ip.org
Taskmgr.exe
OLEAUT32.dll
{13KD28X5-3D85-0JRE-75YT-VMMW03328833}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
r.exe
OLE%SERVER%
C:\Windows
ftp.ftpserver.com
ftpuser
Taskmgr.exe_780:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
iphlpapi.dll
COMCTL32.dll
SHLWAPI.dll
SHELL32.dll
Secur32.dll
VDMDBG.dll
taskmgr.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
WTSAPI32.dll
WINSTA.dll
MSGINA.dll
NetGetJoinInformation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
UTILDLL.dll
ole32.dll
taskmgr.pdb
SSSSh
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
GetProcessHeap
SetProcessShutdownParameters
GetKeyState
ExitWindowsEx
GetAsyncKeyState
EnumWindowStationsW
EnumWindows
CloseWindowStation
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
CascadeWindows
TileWindows
ntdll.dll
RegOpenKeyExA
<assemblyIdentity name="WindowsShell" processorArchitecture="x86" version="5.1.0.0" type="win32" />
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
mcmd.exe
%ComSpec%
Software\Microsoft\Windows\CurrentVersion\Policies\System
%d %%
%s -p %ld
-%sd%sd
d %
lsass.exe
services.exe
smss.exe
winlogon.exe
csrss.exe
ntvdm.exe
drwtsn32.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
ShadowHotkeyShift
ShadowHotkeyKey
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
The Processor Affinity setting controls which CPUs the process will be allowed to execute on.
Connect Password Required
Enter the selected User's password:
Hot key
To end a remote control session, press this key, plus the keys selected below:
To end a remote control session, press this key on the numeric keypad, plus the keys selected below:
&Windows
&Log Off %s
WinKey L
Windows TaskManager
5.1.2600.5512 (xpsp.080413-2105)
taskmgr.exe
Windows
Operating System
5.1.2600.5512
;Brings a task to the foreground, switch focus to that task.BBrings a task to the front, but does not switch focus to that taskCTask Manager remains in front of all other windows unless minimized@Task Manager is minimized when a SwitchTo operation is performed$Minimizes the selected windows tasks0Maximizes the windows to the size of the desktop
4Restores the selected windows to their default state6Cascades the selected windows diagonally on the screen.Tiles the selected windowed tasks horizontally,Tiles the selected windowed tasks vertically#Displays tasks by using large icons
Graph bytes received.-Graph the sum of the bytes sent and received.<Select which columns will be visible on the Networking page>
;Displays program information, version number, and copyright$Updates the display twice per second%Updates the display every two seconds&Updates the display every four seconds%Display does not automatically update
8Select which columns will be visible on the Process pageDForce Task Manager to update now, regardless of Update Speed setting'Provides access to point and click help?Controls which processors the process will be allowed to run on.Displays kernel time in the performance graphs;The process must have affinity with at least one processor.
CPU %d
Create New TaskeType the name of a program, folder, document, or Internet resource, and Windows will open it for you.
Windows Task Manager
Non Operational
Operational
'The operation could not be completed.
Unable to Change Priority,The operation is not valid for this process.
Minimizes the windows
Maximizes the windows.Cascades the windows diagonally on the desktop-Tiles the windows horizontally on the desktop
9Shows 16-bit Windows tasks under the associated ntvdm.exe
This operation will attempt to terminate this process and any
be ended. The operation was not fully successful.6Select which columns will be visible on the Users page
Message from %s - %s2Unhandled error occurred while connecting.
#%u %s#Enter the selected User's password.'Session (ID %lu) remote control failed.YCan't remote control Session (ID %lu) because Remote control is disabled on that Session.iCan't remote control Session (ID %lu) because it is disconnected with user's required permission enabled.
&The password was incorrect. Try again.
Tasks: %d
Processes: %d
CPU Usage: %d%%
 Tiles the windows vertically on the desktop
;Your message to user %s (SessionId=%d) could not be sent. 1User %s (SessionId=%d) could not be logged off. 3User %s (SessionId=%d) could not be disconnected.
Taskmgr.exe_780_rwx_10000000_0004A000:
.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
spygbr.no-ip.org
Taskmgr.exe
OLEAUT32.dll
{13KD28X5-3D85-0JRE-75YT-VMMW03328833}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
r.exe
OLE%SERVER%
C:\Windows
ftp.ftpserver.com
ftpuser
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EB8D8F.exe