Trojan.Win32.Inject.nptt (Kaspersky), Trojan.GenericKD.1707841 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericAutorunWorm.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3d9c37bc7dda48469b0cbc9b2ef761ba
SHA1: ce8615e5f30c037edc86e018032f810fb371bbcb
SHA256: 3d922578a8f014bc20e9b52d1e4a0ec076a6add423c6a358a70b66c7faf4d96d
SSDeep: 12288:DFszBhqS5mGcSj9ki9JIc0eOOQvgasvM3wkrI6GUWi4z/VrQaTa1NTJ9G:DFszWS5RSi930JbgassAIlUWi4zh7TUw
Size: 648674 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-03-02 09:40:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-PSW's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan-PSW creates the following process(es):
%original file name%.exe:284
miku.exe:1464
miku.exe:1004
miku.exe:1572
dialected.exe:1920
dialected.exe:608
The Trojan-PSW injects its code into the following process(es):
dialected.exe:1156
cmd.exe:1836
Explorer.EXE:1852
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:284 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\file.bin (2405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (6261 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (21153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (632092 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (0 bytes)
The process dialected.exe:1156 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\file.bin (665 bytes)
C:\test\test.exe (521 bytes)
C:\test\file.bin (1330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LHUMDMwjAHR.gif (660 bytes)
The process dialected.exe:608 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf005af95.bat (201 bytes)
%Documents and Settings%\%current user%\Application Data\Gimera\miku.exe (1651 bytes)
Registry activity
The process %original file name%.exe:284 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"dialected.exe" = "dialected"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process miku.exe:1464 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC B8 5A 55 06 D6 EE 77 71 28 8B AF B1 85 47 20"
The process miku.exe:1004 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B7 E9 81 76 F0 64 03 72 D0 87 8D A6 AE DA 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process miku.exe:1572 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 4C EE 47 BF 2F 44 A7 01 17 73 24 45 80 B0 A4"
The process dialected.exe:1920 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 25 BB 6D AD E8 F9 06 F7 DA 32 9B 2E 59 F8 12"
The process dialected.exe:1156 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 01 C9 5D 68 38 85 69 13 D1 24 4E B9 8F D1 BF"
[HKCU\Software\Microsoft\Ybox]
"Ozacewmo" = "2D 10 7C 91 08 76 B4 C9 6E 47 08 AC 58 61 F0 F6"
The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process dialected.exe:608 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 07 2D 39 50 0D 88 B1 E5 46 02 25 FE 13 BD E7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
MD5 | File path |
---|---|
0469be88df0c847b69474e4fd85d138c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Gimera\miku.exe |
3f06e949970454b76fa6e9166ca3f754 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\dialected.exe |
3f06e949970454b76fa6e9166ca3f754 | c:\test\test.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan-PSW installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-PSW's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:284
miku.exe:1464
miku.exe:1004
miku.exe:1572
dialected.exe:1920
dialected.exe:608
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\file.bin (2405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (6261 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (21153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (632092 bytes)
%WinDir%\file.bin (665 bytes)
C:\test\test.exe (521 bytes)
C:\test\file.bin (1330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LHUMDMwjAHR.gif (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf005af95.bat (201 bytes)
%Documents and Settings%\%current user%\Application Data\Gimera\miku.exe (1651 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 71904 | 72192 | 4.54088 | ead411693117dae8deb088f5bb4a85fa |
.rdata | 77824 | 7189 | 7680 | 3.37233 | e70f56667b8e99a1ec239fd12b1640b4 |
.data | 86016 | 65324 | 512 | 2.43883 | 11ffdfc240c81dfe9d957f6bf1761f00 |
.CRT | 151552 | 16 | 512 | 0.147711 | acdfc3df6b189cbcd09b1c888f95fe9a |
.rsrc | 155648 | 16504 | 16896 | 3.22639 | 07900c12e5057f1fe09434dd1b743c9f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 64
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan-PSW connects to the servers at the following location(s):
Strings from Dumps
d</pre><pre>CMDEXTVERSION</pre><pre>KEYS</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe</pre><pre>LS~1\Temp\RarSFX0\dialected.exe</pre><pre>%s %s</pre><pre>(%s) %s</pre><pre>%s %s%s</pre><pre>&()[]{}^=;!%' ,`~</pre><pre>d%sd%s</pre><pre>-%sd%sd%sd</pre><pre>d%sd%sd</pre><pre>%s=%s</pre><pre>X-X</pre><pre>.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS</pre><pre><> -*/%()|^&=,</pre><pre>\CMD.EXE</pre><pre>Windows Command Processor</pre><pre>5.1.2600.5512 (xpsp.080413-2111)</pre><pre>Cmd.Exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>Press any key to continue . . . %0</pre><pre>operable program or batch file.</pre><pre>The system cannot execute the specified program.</pre><pre>and press any key when ready. %0</pre><pre>Microsoft Windows XP [Version %1]%0</pre><pre>a pipe operation.</pre><pre>KEYS is on.</pre><pre>KEYS is off.</pre><pre>The process tried to write to a nonexistent pipe.</pre><pre>The switch /Y may be preset in the COPYCMD environment variable.</pre><pre>to prompt on overwrites unless COPY command is being executed from</pre><pre>Switches may be preset in the DIRCMD environment variable. Override</pre><pre>Quits the CMD.EXE program (command interpreter) or the current batch</pre><pre>CMD.EXE. If executed from outside a batch script, it</pre><pre>will quit CMD.EXE</pre><pre>ERRORLEVEL that number. 
If quitting CMD.EXE, sets the process</pre><pre>Displays or sets a search path for executable files.</pre><pre>Type PATH ; to clear all search-path settings and direct cmd.exe to search</pre><pre>Changes the cmd.exe command prompt.</pre><pre>$B | (pipe)</pre><pre>$V Windows XP version number</pre><pre>Displays, sets, or removes cmd.exe environment variables.</pre><pre>Displays the Windows XP version.</pre><pre>Tells cmd.exe whether to verify that your files are written correctly to a</pre><pre>Records comments (remarks) in a batch file or CONFIG.SYS.</pre><pre>Press any key to continue . . . %0</pre><pre>Directs cmd.exe to a labeled line in a batch program.</pre><pre>NOT Specifies that Windows XP should carry out</pre><pre>will execute the command after the ELSE keyword if the</pre><pre>I The new environment will be the original environment passed</pre><pre>to the cmd.exe and not the current environment.</pre><pre>SEPARATE Start 16-bit Windows program in separate memory space</pre><pre>SHARED Start 16-bit Windows program in shared memory space</pre><pre>If it is an internal cmd command or a batch file then</pre><pre>the command processor is run with the /K switch to cmd.exe.</pre><pre>If it is not an internal cmd command or batch file then</pre><pre>parameters These are the parameters passed to the command/program</pre><pre>under Windows XP.</pre><pre>Starts a new instance of the Windows XP command interpreter</pre><pre>CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]</pre><pre>/D Disable execution of AutoRun commands from registry (see below)</pre><pre>/A Causes the output of internal commands to a pipe or file to be ANSI</pre><pre>/U Causes the output of internal commands to a pipe or file to be</pre><pre>variable var at execution time. 
The %var% syntax expands variables</pre><pre>of an executable file.</pre><pre>If /D was NOT specified on the command line, then when CMD.EXE starts, it</pre><pre>either or both are present, they are executed first.</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun</pre><pre>can enable or disable extensions for all invocations of CMD.EXE on a</pre><pre>following REG_DWORD values in the registry using REGEDT32.EXE:</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions</pre><pre>particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You</pre><pre>can enable or disable completion for all invocations of CMD.EXE on a</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion</pre><pre>at execution time.</pre><pre>CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable</pre><pre>completion for all invocations of CMD.EXE on a machine and/or user logon</pre><pre>the registry using REGEDT32.EXE:</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar</pre><pre>Shift key with the control character will move through the list</pre><pre>&()[]{}^=;!%' ,`~</pre><pre>Command Processor Extensions enabled by default. Use CMD /? 
for details.</pre><pre>ASSOC [.ext[=[fileType]]]</pre><pre>.ext Specifies the file extension to associate the file type with</pre><pre>ASSOC .pl=PerlScript</pre><pre>FTYPE PerlScript=perl.exe %%1 %%*</pre><pre>script.pl 1 2 3</pre><pre>set PATHEXT=.pl;%%PATHEXT%%</pre><pre>The restartable option to the COPY command is not supported by</pre><pre>this version of the operating system.</pre><pre>The following usage of the path operator in batch-parameter</pre><pre>The unicode output option to CMD.EXE is not supported by this</pre><pre>version of the operating system.</pre><pre>If Command Extensions are enabled the DATE command supports</pre><pre>If Command Extensions are enabled the TIME command supports</pre><pre>If Command Extensions are enabled the PROMPT command supports</pre><pre>is pretty simple and supports the following operations, in decreasing</pre><pre>! ~ - - unary operators</pre><pre>* / %% - arithmetic operators</pre><pre> - - arithmetic operators</pre><pre>&= ^= |= <<= >>=</pre><pre>If you use any of the logical or modulus operators, you will need to</pre><pre>values. If SET /A is executed from the command line outside of a</pre><pre>assignment operator requires an environment variable name to the left of</pre><pre>the assignment operator. Numeric values are decimal numbers, unless</pre><pre>occurrence of the remaining portion of str1.</pre><pre>Finally, support for delayed environment variable expansion has been</pre><pre>added. This support is always disabled by default, but may be</pre><pre>enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?</pre><pre>of text is read, not when it is executed. 
The following example</pre><pre>So the actual FOR loop we are executing is:</pre><pre>%%CD%% - expands to the current directory string.</pre><pre>%%DATE%% - expands to current date using same format as DATE command.</pre><pre>%%CMDEXTVERSION%% - expands to the current Command Processor Extensions</pre><pre>%%CMDCMDLINE%% - expands to the original command line that invoked the</pre><pre>If Command Extensions are enabled the SHIFT command supports</pre><pre>control is passed to the statement after the label specified. You must</pre><pre>%%4 %%5 ...)</pre><pre>CMD /? for details.</pre><pre>This works because on old versions of CMD.EXE, SETLOCAL does NOT</pre><pre>command execution.</pre><pre>non-executable files may be invoked through their file association just</pre><pre>by typing the name of the file as a command. (e.g. WORD.DOC would</pre><pre>launch the application associated with the .DOC file extension).</pre><pre>When executing an application that is a 32-bit GUI application, CMD.EXE</pre><pre>the command prompt. This new behavior does NOT occur if executing</pre><pre>When executing a command line whose first token is the string "CMD "</pre><pre>without an extension or path qualifier, then "CMD" is replaced with</pre><pre>the value of the COMSPEC variable. This prevents picking up CMD.EXE</pre><pre>When executing a command line whose first token does NOT contain an</pre><pre>extension, then CMD.EXE uses the value of the PATHEXT</pre><pre>.COM;.EXE;.BAT;.CMD</pre><pre>When searching for an executable, if there is no match on any extension,</pre><pre>If Command Extensions are enabled, and running on the Windows XP</pre><pre>forms of the FOR command are supported:</pre><pre>Walks the directory tree rooted at [drive:]path, executing the FOR</pre><pre>passes the first blank separated token from each line of each file.</pre><pre>is a quoted string which contains one or more keywords to specify</pre><pre>different parsing options. 
The keywords are:</pre><pre>be passed to the for body for each iteration.</pre><pre>where a back quoted string is executed as a</pre><pre>FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k</pre><pre>would parse each line in myfile.txt, ignoring lines that begin with</pre><pre>a semicolon, passing the 2nd and 3rd token from each line to the for</pre><pre>line, which is passed to a child CMD.EXE and the output is captured</pre><pre>IF CMDEXTVERSION number command</pre><pre>The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is</pre><pre>CMDEXTVERSION conditional is never true when Command Extensions are</pre><pre>%%CMDCMDLINE%% will expand into the original command line passed to</pre><pre>CMD.EXE prior to any processing by CMD.EXE, provided that there is not</pre><pre>already an environment variable with the name CMDCMDLINE, in which case</pre><pre>%%CMDEXTVERSION%% will expand into a string representation of the</pre><pre>current value of CMDEXTVERSION, provided that there is not already</pre><pre>an environment variable with the name CMDEXTVERSION, in which case you</pre><pre>under Windows XP, as command line editing is always enabled.</pre><pre>CMD.EXE was started with the above path as the current directory.</pre><pre>UNC paths are not supported. Defaulting to Windows directory.</pre><pre>CMD does not support UNC paths as current directories.</pre><pre>UNC paths not supported for current directory. 
Using</pre><pre>to create temporary drive letter to support UNC current</pre><pre>Missing operand.</pre><pre>Missing operator.</pre><pre>The COMSPEC environment variable does not point to CMD.EXE.</pre><pre>The FAT File System only support Last Write Times</pre><pre>of a batch script is reached, an implied ENDLOCAL is executed for any</pre><pre>application execution.</pre><pre>The switch /Y may be present in the COPYCMD environment variable.</pre><pre>to prompt on overwrites unless MOVE command is being executed from</pre><pre>when CMD.EXE started. This value either comes from the current console</pre><pre>The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute</pre><b>cmd.exe_1836_rwx_00910000_0002C000:</b><pre>.text</pre><pre>`.data</pre><pre>.reloc</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>ole32.dll</pre><pre>gdi32.dll</pre><pre>HTTP/1.1</pre><pre>http://hollywood.heartjohn.com/modules/holl.bin</pre><pre>Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)</pre><pre>pufjwdx.jvh</pre><pre>" !=%(>";;</pre><pre>=225;6%%7!=</pre><pre>3:6 1*7=$;-</pre><pre>*4*-0*1?7!</pre><pre>MK[(bocmdgs</pre><pre>15#77??68.</pre><pre>&'/( &lt;99</pre><pre>$!*4,#)&lt;:</pre><pre>mfh{g~amzgs.dgg</pre><pre>:; 1299;2</pre><pre>>.Rdd</pre><pre>&lt;-?&gt;</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F 
"%s"</pre><pre>urlmon.dll</pre><pre>cabinet.dll</pre><pre>http://</pre><pre>https://</pre><pre>HTTP/1.</pre><pre>http://www.google.com/webhp</pre><pre>t7SSSh</pre><pre>t"SSSh</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>MapVirtualKeyW</pre><pre>ExitWindowsEx</pre><pre>OpenWindowStationW</pre><pre>GetProcessWindowStation</pre><pre>CreateWindowStationW</pre><pre>CloseWindowStation</pre><pre>SetProcessWindowStation</pre><pre>SetKeyboardState</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>USER32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExW</pre><pre>ADVAPI32.dll</pre><pre>UrlUnescapeA</pre><pre>SHDeleteKeyW</pre><pre>PathIsURLW</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>Secur32.dll</pre><pre>SetViewportOrgEx</pre><pre>GDI32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>PFXImportCertStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>CRYPT32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>HttpSendRequestA</pre><pre>HttpSendRequestExA</pre><pre>HttpSendRequestExW</pre><pre>HttpSendRequestW</pre><pre>GetUrlCacheEntryInfoW</pre><pre>HttpAddRequestHeadersW</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>=?>#?.?;?</pre><pre>9%9)9/939</pre><pre>SysShadow</pre><pre>kernel32.dll</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>%sx.%s</pre><pre>%sx</pre><pre>cGlobal\XXX</pre><pre>Global\{A4046B38-BFBA-AD62-880A-CFE035797B74}</pre><pre>%Documents and Settings%\%current user%\Application Data</pre><pre>{9C299170-5427-1343-B5A2-D98D6C76A4CD}</pre><pre>:\Documents and Settings\"%CurrentUserName%"\Application Data\Zoym\irwac.seq</pre><pre>%Documents and Settings%\%current user%\Application 
Data\Zoym</pre><pre>irwac.seq</pre><b>Explorer.EXE_1852_rwx_00E30000_0002C000:</b><pre>.text</pre><pre>`.data</pre><pre>.reloc</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>ole32.dll</pre><pre>gdi32.dll</pre><pre>HTTP/1.1</pre><pre>http://hollywood.heartjohn.com/modules/holl.bin</pre><pre>Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)</pre><pre>pufjwdx.jvh</pre><pre>" !=%(>";;</pre><pre>=225;6%%7!=</pre><pre>3:6 1*7=$;-</pre><pre>*4*-0*1?7!</pre><pre>MK[(bocmdgs</pre><pre>15#77??68.</pre><pre>&'/( &lt;99</pre><pre>$!*4,#)&lt;:</pre><pre>mfh{g~amzgs.dgg</pre><pre>:; 1299;2</pre><pre>>.Rdd</pre><pre>&lt;-?&gt;</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>urlmon.dll</pre><pre>cabinet.dll</pre><pre>http://</pre><pre>https://</pre><pre>HTTP/1.</pre><pre>http://www.google.com/webhp</pre><pre>t7SSSh</pre><pre>t"SSSh</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>MapVirtualKeyW</pre><pre>ExitWindowsEx</pre><pre>OpenWindowStationW</pre><pre>GetProcessWindowStation</pre><pre>CreateWindowStationW</pre><pre>CloseWindowStation</pre><pre>SetProcessWindowStation</pre><pre>SetKeyboardState</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>USER32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExW</pre><pre>ADVAPI32.dll</pre><pre>UrlUnescapeA</pre><pre>SHDeleteKeyW</pre><pre>PathIsURLW</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>Secur32.dll</pre><pre>SetViewportOrgEx</pre><pre>GDI32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>PFXImportCertStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>CRYPT32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>HttpSendRequestA</pre><pre>HttpSendRequestExA</pre><pre>HttpSendRequestExW</pre><pre>HttpSendRequestW</pre><pre>GetUrlCacheEntryInfoW</pre><pre>HttpAddRequestHeadersW</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>=?>#?.?;?</pre><pre>9%9)9/939</pre><pre>SysShadow</pre><pre>kernel32.dll</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>%sx.%s</pre><pre>%sx</pre><pre>cGlobal\XXX</pre><pre>Global\{A4046B38-BFBA-AD62-880A-CFE035797B74}</pre><pre>%Documents and Settings%\%current user%\Application Data</pre><pre>{9C299170-5427-1343-B5A2-D98D6C76A4CD}</pre><pre>%Documents and Settings%\%current user%\Application Data\Zoym\irwac.seq</pre><pre>%Documents and Settings%\%current user%\Application Data\Zoym</pre><pre>irwac.seq</pre>
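The string dumps above are raw and repetitive, and the same injected payload appears three times (in dialected.exe, cmd.exe and Explorer.EXE). A triager reading them wants two things: the strings of each region grouped into indicator classes (hard-coded URL, autostart registry keys, single-instance mutex, certificate-store and WinINet API names, security-product process names, the self-deleting batch idiom), and a reminder that only the regions whose names carry an `_rwx_` address range are injected code, while the plain `cmd.exe_1836` block lists the strings of the cmd.exe image itself (its help text, `cmd.pdb`), which are not indicators. The following script is an added example and is not part of the Lavasoft report; it parses the report's `<pre>` layout and applies that grouping. The sample input is constructed from strings quoted in the report, and the mapping of API names to suspected behaviour is this example's own interpretation, not a finding stated by the report.

```python
"""Added example (not from the Lavasoft report): group the strings of each
memory region in a <pre> dump into triage indicator classes."""
import re
from html.parser import HTMLParser

# Constructed sample in the report's own layout: one injected rwx region plus
# the host image of cmd.exe, whose strings belong to cmd.exe, not the payload.
SAMPLE_DUMP = r"""
<b>dialected.exe_1156_rwx_00E80000_0002C000:</b>
<pre>.text</pre><pre>`.data</pre><pre>.reloc</pre><pre>HTTP/1.1</pre>
<pre>http://hollywood.heartjohn.com/modules/holl.bin</pre>
<pre>Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)</pre>
<pre>&lt;-?&gt;</pre><pre>userenv.dll</pre>
<pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre>
<pre>CertEnumCertificatesInStore</pre><pre>PFXExportCertStoreEx</pre><pre>CRYPT32.dll</pre>
<pre>HttpSendRequestA</pre><pre>HttpSendRequestW</pre><pre>HttpQueryInfoA</pre><pre>WININET.dll</pre>
<pre>Global\{A4046B38-BFBA-AD62-880A-CFE035797B74}</pre>
<pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</pre>
<pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</pre>
<pre>avp.exe</pre><pre>MsMpeng.exe</pre><pre>egui.exe</pre>
<b>cmd.exe_1836:</b>
<pre>cmd.pdb</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun</pre>
<pre>Windows Command Processor</pre>
"""

# Indicator patterns.  Names are the ones quoted in the report; the grouping
# into behaviours below is this example's interpretation.
URL_RE = re.compile(r"^https?://[^\s\"<>]+$")
AUTOSTART_RE = re.compile(
    r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\.*\\(?:Run|RunOnce|BootExecute|"
    r"StartupPrograms|Winlogon\\Shell|Winlogon\\Userinit)$", re.IGNORECASE)
MUTEX_RE = re.compile(r"^Global\\\{[0-9A-Fa-f-]{36}\}$")
SELF_DELETE = {'if exist "%s" goto d', 'del /F "%s"'}
CERT_APIS = {"PFXExportCertStoreEx", "PFXImportCertStore", "CertOpenSystemStoreW",
             "CertEnumCertificatesInStore", "CertDeleteCertificateFromStore"}
WININET_APIS = {"HttpSendRequestA", "HttpSendRequestW", "HttpSendRequestExA",
                "HttpSendRequestExW", "HttpQueryInfoA", "InternetCrackUrlA",
                "HttpAddRequestHeadersA", "HttpAddRequestHeadersW"}
AV_PROCESSES = {"avp.exe", "avpui.exe", "msmpeng.exe", "msseces.exe", "egui.exe",
                "avastsvc.exe", "avguard.exe", "bdagent.exe", "mbam.exe", "avgui.exe"}
BEHAVIOURS = {
    "url": "hard-coded download/beacon URL",
    "autostart_key": "autostart registry locations (persistence)",
    "mutex": "global single-instance mutex (host-based indicator)",
    "cert_api": "enumerates/exports certificates from the system store",
    "wininet_api": "WinINet request functions (common hook targets for form grabbing)",
    "av_process": "list of security-product process names",
    "self_delete": "batch loop that deletes the dropper once it exits",
}


class PreDumpParser(HTMLParser):
    """Collects the text of every <pre> under the most recent <b>region:</b>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.regions, self.region, self._tag, self._buf = {}, "(unnamed)", None, []

    def handle_starttag(self, tag, attrs):
        if tag in ("pre", "b"):
            self._flush()          # a nested <pre> still ends the previous string
            self._tag = tag

    def handle_endtag(self, tag):
        if tag in ("pre", "b"):
            self._flush()
            self._tag = None

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def _flush(self):
        text, self._buf = "".join(self._buf).strip(), []
        if not text or self._tag is None:
            return
        if self._tag == "b":
            self.region = text.rstrip(":")
        else:
            self.regions.setdefault(self.region, []).append(text)


def parse_dump(html):
    """Return {region name: [strings]} for a <b>/<pre> dump fragment."""
    p = PreDumpParser()
    p.feed(html)
    p.close()
    return p.regions


def classify(strings):
    """Bucket a region's strings by indicator class (first match wins)."""
    found = {cls: [] for cls in BEHAVIOURS}
    for s in strings:
        if URL_RE.match(s):
            found["url"].append(s)
        elif AUTOSTART_RE.match(s):
            found["autostart_key"].append(s)
        elif MUTEX_RE.match(s):
            found["mutex"].append(s)
        elif s in CERT_APIS:
            found["cert_api"].append(s)
        elif s in WININET_APIS:
            found["wininet_api"].append(s)
        elif s.lower() in AV_PROCESSES:
            found["av_process"].append(s)
        elif s in SELF_DELETE:
            found["self_delete"].append(s)
    return found


def summarize(found):
    """Map the non-empty classes to the behaviour they suggest."""
    out = {}
    for cls, hits in found.items():
        if cls == "self_delete" and set(hits) != SELF_DELETE:
            continue               # flag the idiom only when both lines are present
        if hits:
            out[cls] = BEHAVIOURS[cls]
    return out


if __name__ == "__main__":
    for name, strings in parse_dump(SAMPLE_DUMP).items():
        tag = "injected" if "_rwx_" in name else "host image"
        print(f"{name} ({tag}): {summarize(classify(strings))}")
```

Run as-is it prints one line per region; the `cmd.exe_1836` region comes back empty because the cmd.exe help text and its `Command Processor\AutoRun` key match none of the patterns, which is the point of keeping host-image strings separate from the `_rwx_` regions. To run it over the report itself, feed the HTML of the three injected-region blocks to `parse_dump`; the identical results for the dialected.exe, cmd.exe and Explorer.EXE rwx regions confirm that the same code was injected into each.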