Trojan.GenericKD.1684739_312edbcc2f – Adaware

Susp_Dropper (Kaspersky), Trojan.GenericKD.1684739 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 312edbcc2f351952561a9a79463d172d

SHA1: cd1a506899cfbf5a490506de4f96a61a5add666a

SHA256: f587157f08365ff6deb31a26e3d08c6164de676b381c624e40435712fbdc6725

SSDeep: 24576:4yDULOT9eznCeyen7Mb5Ru l3HD 6s8VEiPUNkzxtmyASTgn/:/DE2levq5k fs/kzxtmyJM

Size: 1452032 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company:

Created at: 2009-07-14 02:42:43

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

583.exe:1868
%original file name%.exe:480
rundll32.exe:1348
rundll32.exe:212
rundll32.exe:596
rundll32.exe:1772
rundll32.exe:1784
rundll32.exe:1720
rundll32.exe:1568
rundll32.exe:240
rundll32.exe:488
rundll32.exe:280
rundll32.exe:1752
rundll32.exe:1672
QSSSSS~1.EXE:424
QSSSSS~1.EXE:772
qqq.exe:568
qqq.exe:324
DW20.EXE:1852

The Trojan injects its code into the following process(es):

rundll32.exe:1184
25.exe:840

File activity

The process 583.exe:1868 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)

The process %original file name%.exe:480 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (0 bytes)

The process QSSSSS~1.EXE:424 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)

The process QSSSSS~1.EXE:772 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)

The process qqq.exe:568 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Kurulum\Server.exe (4185 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dummy.html (0 bytes)

The process qqq.exe:324 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\svchost.exe (1895 bytes)

The process DW20.EXE:1852 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes)

Registry activity

The process 583.exe:1868 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 C9 33 23 49 63 BF 2D 51 A6 E3 8A 07 F6 DC 4F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"qqq.exe" = "qqq"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 DD 8A 34 59 0C 51 99 88 3E E4 B2 3F 4B 07 BD"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process rundll32.exe:1348 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 41 BA C7 A9 88 16 06 9A A9 54 6D 82 8A D1 93"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:212 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 2E F2 F8 77 EE A1 68 FB 1F 1B 6C 3C CD 3B 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:596 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 EE D3 BF 27 9B 29 10 52 6A 0D 6D C4 8F 75 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1184 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 49 8F F8 06 7F 4E C2 BB 67 28 14 C2 BE DE 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 FD 28 DC 10 AB FE E1 27 DE 54 BB 2A A1 C6 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1784 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 1A 26 41 FA 85 92 71 A7 DA 49 26 27 2F 04 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1720 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 72 91 8E 64 FF 39 D2 90 E2 51 F7 9A C1 DD A2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 BE 04 58 1E C1 7C BB 25 0E 66 BD C4 03 4F 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:240 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 7A E2 DC 1B B4 DF A7 22 0B AF A7 B9 0C B2 DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:488 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E2 82 04 84 39 F2 10 9D 7F 1E 8B 73 33 7C 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:280 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB A3 1E 80 7C 65 D9 E4 41 74 74 FC 62 72 BC 50"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1752 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 DB E8 00 76 A1 EC B6 BA 75 69 D3 82 7B 8F A1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1672 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 FE C2 31 C6 F7 B9 A7 DD E2 67 A2 40 28 94 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process QSSSSS~1.EXE:424 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 98 C7 75 8F D1 7C 3B 3B 72 05 04 38 12 A0 C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process QSSSSS~1.EXE:772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C5 66 B9 5A 5D E2 7F 0D 3E 19 B5 ED 91 67 7D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process 25.exe:840 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E A3 10 28 DA 60 B2 D1 0C 40 D4 2A A3 5B E6 DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process qqq.exe:568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D1 2A E4 AD 1A D5 A7 52 5D AB BD E0 90 C5 08"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{392EE29C-9DB0-ADDF-AEDA-EC2FE7D42BAA}]
"StubPath" = "\7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\Kurulum\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\Kurulum\Server.exe"

The process DW20.EXE:1852 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 73 79 B0 24 BA 1F 58 4D 5C 29 FD 28 F6 5F C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
f1272bff9356e64c28b0db7d91af83d1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\25.exe
f1272bff9356e64c28b0db7d91af83d1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\583.exe
705fea8c2ef23e6b9567dc8f4f8aa148	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\qqq.exe
705fea8c2ef23e6b9567dc8f4f8aa148	c:\WINDOWS\Kurulum\Server.exe
9e3c13b6556d5636b745d3e466d47467	c:\WINDOWS\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
583.exe:1868
%original file name%.exe:480
rundll32.exe:1348
rundll32.exe:212
rundll32.exe:596
rundll32.exe:1772
rundll32.exe:1784
rundll32.exe:1720
rundll32.exe:1568
rundll32.exe:240
rundll32.exe:488
rundll32.exe:280
rundll32.exe:1752
rundll32.exe:1672
QSSSSS~1.EXE:424
QSSSSS~1.EXE:772
qqq.exe:568
qqq.exe:324
DW20.EXE:1852
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)
%WinDir%\Kurulum\Server.exe (4185 bytes)
%WinDir%\svchost.exe (1895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\Kurulum\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\Kurulum\Server.exe"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 8.00.7600.16385Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 8.00.7600.16385 (win7_rtm.090713-1255)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	43748	44032	4.53606	3aeb6fb8fe8ab95f2462e3afb8b8acd3
.data	49152	8796	1536	4.57321	f3764284f4d25ed35f75b9c16e1ab608
.rsrc	61440	1404928	1401856	5.52627	3ad02c43911ebb5ab451f93e4ad20f61
.reloc	1466368	3480	3584	3.33168	bc74eb2a181cf1029262828db6ac5b5d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

qqq.exe_568:

.text

`.data

.rsrc

MSVBVM60.DLL

ct1.vbProgram

ShellPipe

Program.Socket

Program.ShellPipe

sUrl

sPassword

lPort

bPassiveSemantic

sWebcam_Module

sKeylogger_Module

clsftp

modSocketSupport

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

TextCmd

FindExecutableA

ShellExecuteA

RegCloseKey

RegOpenKeyExA

advapi32.dll

RegCreateKeyA

RegDeleteKeyA

advpack.dll

kernel32.dll

GetWindowsDirectoryA

avicap32.dll

MsgWaitForMultipleObjects

shell32.dll

ntdll.dll

psapi.dll

wtsapi32.dll

version.dll

user32.dll

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

GetAsyncKeyState

SHFileOperationA

keybd_event

WINMM.DLL

GDI32.DLL

VBA6.DLL

ws2_32.dll

gdiplus.dll

msvfw32.dll

GdiplusShutdown

%System%\MSVBVM60.DLL\3

RemotePort

LocalPort

RegCreateKeyExA

RegOpenKeyA

RegEnumKeyExA

ExitWindowsEx

olepro32.dll

CreatePipe

PeekNamedPipe

ClosePipe

wininet.dll

FtpGetCurrentDirectoryA

FtpSetCurrentDirectoryA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpPutFileA

FtpGetFileA

FtpDeleteFileA

FtpRenameFileA

FtpFindFirstFileA

%Program Files%\Microsoft Visual Studio\VB98\VBA6.dll

msvbvm60.dll

comdlg32.dll

HelpKey

getservbyport

Webcam G

?8??8??8??8??8?

lngRemotePort

lngLocalPort

sProxyBypass

sKey

lngPort

'Qmou&vtia}gk&fghljq%d`&tsh&lh&B@U&kmbd(

=w.Xv

B&.VP

%C]Y^\

}"&s%SUS

PSShx

<t%x><pre>@Yp.SoO</pre><pre>v.WlL</pre><pre>R".TWl</pre><pre>QSSh~</pre><pre>.4Q-336</pre><pre>PCICGP&isiaoh\pto*.`fqhjoYpqj*&pukqogldZ`ick`hq)%prdwkgkdYp`itc*&qdqrqnwb^cjdo`hu*%u`vuvmpbYpdlw`*&ulgkih^s`gjh)&baqc^etdaqcb%gwjk%joaoku</pre><pre>XZ%fY_\]Z</pre><pre>VCJCEQ&lb)&niurhgkc*/nr{vTcgjk,&`ithUsmkorS\I*&suc}kgkc@occg*&uauuqotj@o`ia*%chfw|vqfbPpfqjblc*#coeq</pre><pre>gohb%is&eimtkh&lhb`}&npq!ng.tghbc</pre><pre>gp~ljlgs|!bgr`dgvd%cjtkdq&cttjw</pre><pre>iofkmoa%svjpnljo</pre><pre>sqlir`Y}ehgheYtagia</pre><pre>.HPJI&</pre><pre>6=4<287550>:1113=6</pre><pre>T``ap`tkj% `%hwdcfu%cwik&SGJ%coj`&#w</pre><pre>OVK#bgilca vowk.OSJJ"tsgvgrce!rwgveocht</pre><pre>urtgha.iw&dbid%rio&moa</pre><pre>dbjwq%dr a%ia"^ v\?%#v</pre><pre>adl`a{$m~`k%vdseuilkq/(%STI%|qaq`igkqv"lk$uwjbp`vs</pre><pre>lfnko{.tiibdgem&{}gi|dlrfin"-/UWN"|zgrjcja{u%oi vr`b}gv|</pre><pre>VCI@DV&ldk`*%woirrga`."vvj&CWIK'"'t"/'v&UJERG'%u&MTACW%G_.wjuob</pre><pre>f`khjr%fnghac% v&rgk&hia`%cwik%roqnlk&g'qugkvgernjk</pre><pre>kous}c&`b.gaatjagrc&`shezoih&#(,|./</pre><pre>#w&#v&D\%r`wh&isu&i`&tghac&,%umisjb!c`&dcrqcck&7!dha& a</pre><pre>&qcthv&oh&JWBCW%D\%emdpuc</pre><pre>%enjshh%oh%tmc&|crpiq%ucr</pre><pre>qoj%lgh|%qetkv&ih%#v&D_%figpsc</pre><pre>d&IWISU.DV&mjgsvc&lu&r`tpow`a%mjcit`&MDPOHA</pre><pre>daivjabq`%cshftiokv%gtc%nkr%djhisab lk$qme$EVKPU%G\ gidswe</pre><pre>{`` hghv%cocukhv%ik" p</pre><pre>ud8'qthbfct!%DKB&. r(</pre><pre>sqllu`^</pre><pre>uglma%%u%kd|&hjrÜ%diqctca</pre><pre>PUADRC&$ q' #u%UKR&vti/8&vtjoqcY}jkdk`Pudtckq.|tj(& W./!S/$SJGPC"*v=</pre><pre>[VJGQG&'W( |&V@V&u~n&;"GGUG&RLKH%r|u`&8%"ptlab`w".QM@J%uuilq`[wahgb`Zrtobcct.vtj)&#T,JIVC%utjorkYwjagkcYqndic-utj*& T,&@HB*%qgiZkdkc&;%#W*.hake&;&EGUC UNCH&r|vc;!qodjc!&QNCH/*W"QN@H&ackc&JOMC&"u~jozcYgsriolbg~##!&GHB&q</pre><pre>vg;!ohdg~!%RHCK&!wqjlrcYgzvilhf`~]'%sz&#W&zz%usmurr.hnkc*#b-1>&&CNUC&hgkc/CHB&QNCTC&rdjYhdk`8#W DND&.r</pre><pre>PVDGRC%vtllre_r`kvQigvret&SCU%uwj&;&v</pre><pre>Eghhir&gbj g%UTLLOT\%KK_&ejlpkh</pre><pre>Edhnit.gbb%g&SHGWSC%eij{ch</pre><pre>Edkhir%gbb&o W@@@WKHM@V%eiiuk`&qorn&hih#HPII&bccgplr%sgisc</pre><pre>Egnhar&gad&g%HJQ&@SIJ.fojphh&wozn¼`dsjr%pglsc&NTJJ</pre><pre>WUEBV@!$'r-/&q"QCV"qrm"8&qzgqwt.qsm)3(#f sy&!#"%&~z&'S&~z&|wdpvq*uwj)#k,"UN@WC%q{rg%?%'qcgng"%NLF&mdbc"8/#T</pre><pre>yo}qsdi#tdmc`q"hdv&ajp"mg%ciqj}`f</pre><pre>Ldkkjv"dab"c%fkjpkk&qi%d%sl`r</pre><pre>A@I@QD%CWLH. _-&r%RM@WK#qgb; _</pre><pre>V@I@FQ%qgb*%ha})%vqdr%CTAH! T vtilq`Zvrdq?</pre><pre>adqdgduc% u&ov%git`db|.ok%p}c</pre><pre>`i&up`g.gbrgdgpf<#&u</pre><pre>igocfr%mdnf&wf|`ws`b%ei}%lhqftkbo%svf</#u</pre><pre>ve>##u!)$hgba8#T-%rgiZkdk`8 T)%tnnquda`<" b)&uti8#T%RMCWK.wayha8& b</pre><pre>udwdh`ra|v%ds`%kju%diiar`a%lo!slarv</pre><pre>rgcr&#v.kv.eksepjdti|%j`hok`a</pre><pre>ucgnk&'vÍ</pre><pre>%kir%d`%a|ju~`a</pre><pre>A@I@R@%CWJH& T( v%RNCTE&qbiZk`k`8 P.dnd zxvc$;!tribg`w"</pre><pre>A@LEQ@%CWJM! T,uwjiqc^qtdq7%RMCR@&rdj= _</pre><pre>sowqsdj%udgmcv"kd|%kjq%gg%okac}`e</pre><pre>lkaf}% v%ciw`df|%`~lvrv</pre><pre>zgljc& }/fos.ka.eib{mk&hgk`b% v</pre><pre>lkb`~%asujfoaq`b%ulrm%SHLTW@%mp%RTOHGPY%ME_!eihuqscilr&eanhjt gf apjuuca</pre><pre>FCJCRE @TIH #W.%u RHCWD!k`kc8#Q&DKA qype8!lnae}!</pre><pre>vkddj`&wi&hbdhrgh{&rfd!illcbu&po&dc&vcojbkweb</pre><pre>@VEDQ@!c~vwgurlih&ksvpÝ&d%rohbi`%fmgtgeuct</pre><pre>rgdjc&#U&ngu&#b%mkjskhu&dsr&#b&pgjscu.qct`&usvviocj</pre><pre>&ov#mit%shots`</pre><pre>pkuvvvjwr`a%con`%cjtngr</pre><pre>vmmkjvk&it%s`usvviwqca&lllh%qwuc<%#Q%#W v R</pre><pre>WIAMR%gha&@SLL%JPQER&OILHs gt`&kiq&fpwwf`ti|%sppujwqka</pre><pre>g%KATPWBI%oiok%hgy&kiq%ngpk gl&JL ir%SSJMG%elgusc</pre><pre>echhiz%maw`%dmrn&JN c`a [VHHA en`uqeu"gh rm`"}gke ojln</pre><pre>!g%uohal`&w`u{bq"gibiv`j&fju%a&SGICFQ&qngr&lu%vgvr&kc&ak%b}ttcvuojh</pre><pre>vwjmq`Ytpdwr`t|Z%uZ</pre><pre>q|vk;$z|lbbct)%O@B.hghc3" </pre><pre>ki%}scf.rtoia`t4. U</pre><pre>`i#up`núiscm4% u</pre><pre>mdk`at%PGMPSB%c|jh.qlqmlk.d%zwd`}deqjjo</pre><pre>mo``aq$PDMSTH& $VWI.wrgpkh``ru#l`.uwjbwc}u</pre><pre>EUPEFM/#(.GU&rees{bY`f=</pre><pre>UCJKEP&!EWADRC&RDGIJ/pgespmPbd !/zx&vsmvpw.vti*>2/&/%CWIB%vtblr`Zmeupcr&YHJRA%q|ve8!pg`c`#ªB%jgca#;#uujo{cZw`~qahg`"&/ÚB&vjjrvgbj85</pre><pre>VAJ@EP&"LVAEPJ.MJBC]/ynlssiYbd(&%zy&usduqs.uwb*71/&%@TIK%uwjordYkgrqcw&QNCTC&uwj&ILMC&!FTCDRJ%OHBC^%#!&</pre><pre>VCJCBR%!ETCGRC%PKOWSC&OHBC^&pgfpskYbd.!&zz&vsduqt.uwj*37/&%&CRIK&uwjoreYhdurct WNCTC uqi JOM@!!ETCGRC!SHIWPC&LKDC^&#!</pre><pre>SCJCER&!IHU@TQ&LHQN&pdespkYad('&z|&wsirc.hake/&zz&!$WCICFU%,&CTIH&kgoh(&&z}&tsirc.hgkd/&y}!"=!@S@K&kgoo uwmorcZkguq`t&RNDTC&q</pre><pre>UDMCL[%!F@JJQD&@SJK!wglsshZbd((!zz%~piqd'a`hc/&}y/!4!&CTJK.ynbzzkZjg vwbkrcYl`urjt/QNK]C/kgk`3!utcfrcPvcwsjkb`!%</pre><pre>VJC@LU&!LKUCTR&OHRI&pdfsskYbg(!&zz&wpiqa-hghc/%yz%!.UCJCFR&,%@TIK$keok(!&zy%</pre><pre>GHUC\Z%OJWM&rdepskYb`(uwiorcYlourct%&%UCJCER&r</pre><pre>vc;)rggj`".DHB.tiaruoac;5/</pre><pre>FW@ORC%XLTRSGJ%ROGI@&#Q</pre><pre>PUBGQC%#W(#v%V@R%r|uc;"qgdjc"*%hdc`8#W#.qgiZkgk`;#W)&qiir~ga`25)&uwj;#W&QNCTC&tiroa;% b</pre><pre>prgdjc%fonvtwperj}&bkd"kjq&b`ancwe"ufmekg<&%s</pre><pre>ni%upfh kjauj`:%%s</pre><pre>cdhnir&ps` okd`~?%%s</pre><pre>ugtset%sqacm jp`wfioq</pre><pre>h`gt " T"?%uyktd}&erwi|</pre><pre>tnc&NIR&OHBE^CB ejgusc iu&hor gjlixcb&ja&S_BNQ@&jt%A@JCT@%urgrch`h{u&wo{noh%rrlbbjtu</pre><pre>kd{dggv`%fj}vzvqlja/dv%claj& `/ab%]' 46uX</pre><pre>eg`hir%iu`h%cgbc&dr%blkc.#a%i`&]#(>6u[</pre><pre>AcrTdtchr</pre><pre>%%%& Âss`c`i|Ie`n{lq|%q{u`8'Xlk67' kah`8'Hlfwivjcq Rlkdjxv Fjhhjk(Fjkqwjiv'%scwvljk8'8 0 5 5$&</pre><pre>EbbZvpvp$@}q`whgh$EG.Wjjz6</pre><pre>>15353565<?6_</pre><pre><560=5451=6=_5</pre><pre>Rm`%SU@WRWSUQ&K`qrjwo7$6</pre><pre>kqqu8))if|v sqctqtzuq.com?</pre><pre>P[K-SUJWIl}vq"@gn`eu?</pre><pre>Atggvct.Kghgnc}vc|7</pre><pre>mruv;).vrr(suctqwtuu/enl0</pre><pre>006>4116656?\</pre><pre>416321712>59\6}7</pre><pre>LKHIBI%FN%Jiblrcd4'6</pre><pre>425<71616651_</pre><pre>@gt.Ua`ct5</pre><pre>5nrqu</*fwp.giikaagd fjk*GIHIAICj`cUlginj`EE7 ftq6</pre><pre>E@BJBI%FG&Iokoqde7.5</pre><pre>AIBIFM%Aiaj/Vlaklab%CN"4</pre><pre>42277945520;\6!</pre><pre>[#AYARBASLANGIC#][#NOIP<<65066EF90B7603C0632DBF17DFC7C7612F47479EBC8581E6D1D03F35AEFB52DCF844F081F5A59D29103D7657F69C840B60F1715F755A1E8617CEDA2B016EBAE794B40A6F38FE693F65FEB847C8C6F8A30679F877A85532B19D687EE52295230CC48818200D0352DD018AF89C8C7242924591A9B212CBBB22B1BD16A29E8DBB4615DD87D2FFD0433FB03D2310D1FD5215EA98EF4B7E5561951E26CE9C8032EC10D28EC0829A002BE27D3364A0E34292E7C129F77FBBD21506B080D350959FA4290736F2AAECEFB341F68868480E1E6DC516616DCBD45CFD317227D17BE7F1108ABFF387883EFB09D965989C84DCED51EA751A7DE893D08B94F1F775D705031832>>#][#PORT<<32CE0060EF02755BD764A0C8A8871768DA588905866B72C5F4B8E193DAFA1EB02C6E6F6053EB7EBC0528E3957C96C4D2875CA1CD427B3231B186375C2D8154304263210861F3C83A39FF8D50E7C3F6D053A4122B1F8A188A0624F780CAC4B3150D9A33B207571EF49DA5A896138CB78069A9E73989D3316BE29170DCE0804878F9CDAF3B30934B439D174041AD2BD33F36A8AE54AA9087B171876D4DD9F1DF3773F9233F87635EC6A5D063AEE05C9766279E3098F181E9F75E02782E6213036F2798599A39022197214CDD7A1A1DCED467C7FDA2099F219AD4BEA19C666201B87EE9DFE9716E6153FDC7380085A9C562A29E1F0C1DA63B7641F73231D31AA3F3>>#][#KURBANID<<451272F4F97CA22B4FB824AE90EDB509B212CAA6699EF1EEB6295DE4493778200CA95AF601895DA951B6D613ADF86D9A55280B967C00398A928DCDC3E7B40A96F1294D80B479EAA1C8781E9B7DCE6313DFA9AC0AA44678DD672386251ACA2DF202C2156CE21A074E809A2406898C81311CB1987D2B0BDB6303887545B25691F0CDD0DEB596C81CEC8338D50CDFCE74AF989CB9ED9E684F18B096C561B9B4208C5DF054199D5F99385E6E5FEB4AEEE9099E063D530B3E7FF9FC2BE2B3FCBF45443E3CA39383B927EC5D586CA0D70B4C7CBC0C10AF3C66D701F121FB3985946FD1FB52F65E52367447CBD2AA65917F47033D085F793DBD442D5C9538AD230E47F1>>#][#BAGLANTISIFRE<<2BCF33C6CD44D99531F4517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALANANYAZILARIAL<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#USBDISKBULAS<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#WINDOWSFIREWALLKAPAT<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#SERVERKAYBOLSUN<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#KOPYALA<<1>>#][#KOPYALAMAISMI<<4D027208FD80D0C27029517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALAMAKLASORU<<4512720704830F5DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#KOPYALANACAKYOL<<71066EF60785155DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#BASLANGIC<<1>>#][#HKLM<<1>>#][#HKLMANAHTAR<<42E84CDF98DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#HKCU<<1>>#][#HKCUANAHTAR<<42E843E798DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#MSCONFIG<<0>>#][#ACTIVEX<<1>>#][#ACTIVEXANAHTAR<<75D039C4DD53D4963BF18AF4F37D9332FF1C5F5C8B63C559A721AF6915A03A08353C814B17A22D212BE458A85B605EC74C8C07EA69765E06D6557A6F4A12D1589F7D703831584E3BEA3FC5AFE280A8F4A904B5662CDAB14F3AEE18916D8DB89CEB58648D11120CB137CFF05C943D38AC0757AC663DB406B132ADEA38A1737CA73EBD9807E69023FE5E72C46DBD347C6B32A59868E75D88E84B2B1CA07261CA76248AF6E07AED3D5FEBC36DDBAAC05E6B36C763E8B873A7B0CF45D8052EF34D072A59ACD69C83494EAADD59E5A7FECCAADF5BBCE23D9289860B57CD231E0431D31948E4A4D6F12F09E69E72C63E4AF2A339BB0E127F9520268BBD67F650712219>>#][#INJECT<<1FE145D8D963EEB13A16A0070492B816BBA670231D1C60B8C9F4637180D2224471E07B57C7D2A72F494C904997AC3A1385A8D3399B5F1F68F8F3899885598E06DF384DD14AF535631B13D191A97CF88E75EA5B42A425327B5B730A0B02D6B478A0F59113152204B0FFC0BABC71CA9E2F9835A469713DB59E6F8283787596F184B1A2E589A4A53143F2E1E936EB2049A1A717C91A3E2E84BDAF6990CA5626E115CF8C621F318B9909B082BA6B144B56CFA11BE6C04A497C8359B60BADA5D0615B743EE7C23A5D17EBF42EC848681820A6C00E18CA8F58B61DE8B4D3CE1BE24CBE9DC50E9DBBAB8698BB72B078E111421282FBFB610A265277D7B043D83726BD2E>>#][#GIZLINITELIK<<0>>#][#MUTEX<<JOORX4V1Y20OSC6>>#][#OFFLINELOG<<1>>#][#FTP<<0>>#][#FTPHOST<<601170C0FE8212D05D36C715237BC96028D8E7863EF17FF71A2B842E090C7AE3817A15462316DACDB065E1B51BDBFBDAB982ACF010475761D26674C2A6EB7F2E9E29AF448B381FFCEB270EA3FC407EB72EFABC9EF97ABBC1C882DEC6D1BBD1AC041F547E1D3FD5B997F3367B7D6032215EA359435D1CF38AE255C7EEB250374F97EF89EAFC40FE7A58E01F71C44EDB0BAC904753DF7F3F31C4F0B2AF697CF58CF970D17A4B0EE03413C1CD79F59EFEEABC17CAC1A47CA769112A63BB1D958D5A91B17264303C3E182B28048735A59E72334AE70351E36C262DD62008F02E46E8400B2E5B4DA25C9C44AC088FA6F6FE15F53E234BC84A549EFCC7ECC9085C60EE>>#][#FTPUSER<<601170B203830EC95932BA131A4D3448AFAB170EEA6D990FB48DE3564FCBD9004EFBEC84B29A895E730B71D5E0F0652C1BA3BFA48254D93070BDACF4DA81B6F41922566384A2B842B871A8F436140664A8D8550F80E9702BBD159B3ACC21F22748BF011D1EB0306991795986557E78469BBAFF6068A08314E28B163BAA9FF3AD5F4591C9053B95A88297A79DC11F61A577BF9E6DBEEA74FF214F424D75715C9821A86A3B3CB6CC545080788FFE6D24D4C0DC580806806AFF7FD8C044B588D240D41B70C607D2B97E7FE62F70915BA5287C4492C7455446693F5878B3AB1B39B57955C73EEA48BF7D123EEF123DDF89342D2B2F7DBDD8EF9226454B2E9E1CF3CE>>#][#FTPPASS<<601170B20B7708CF5DC41F07A52064D05B27312684CFF837FA4C42731C4CB03EDD7F9B157540197E3820DB27421178E08DB0417320AB1162A453E3BA557A5D13128CEFA951EC5293F24530A1B0F29FD52F470A79757C2D9FB87BBCB510C19FC649305CCD1836537469979FAB92951E63A63E8FEA68D6D261DADAD29972F5FB8C684028F72FF21DD47F682D378C4EB8BF562AD33B1B49049D2D44A9599DA9F5591250565B7975776A594F9E790232B21B22E01B9E742EC78817CB052AF8F2D0A2ABB1EB2C5B90E467DB9C3626DA5550EC70B56C0A57D69E14FA456B80E465D29816FB2A1FB8DAA600A9277A3175CC956622B9CA71E7564EF7BC05DE0E87133CB3>>#][#FTPDK<<5>>#][#FTPSENDAFTERDELETE<<1>>#][#AYARBITIS#]P(</pre><pre>*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp</pre><pre>RAT_FTP_CLASS</pre><pre>{7BF80981-BF32-101A-8BBB-00AA00300CAB}</pre><pre>{557CF401-1A04-11D3-9A73-0000F81EF32E}</pre><pre>{557CF406-1A04-11D3-9A73-0000F81EF32E}</pre><pre>{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}</pre><pre>127.0.0.1</pre><pre>PORT</pre><pre>WINDOWSFIREWALLKAPAT</pre><pre>FTPHOST</pre><pre>FTPUSER</pre><pre>FTPPASS</pre><pre>FTPDK</pre><pre>FTPSENDAFTERDELETE</pre><pre>GUpdate.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>\Userinit.exe,</pre><pre>ÞFAULTBROWSER%</pre><pre>\Userinit.exe,</pre><pre>[Webcam_Goruntusu]</pre><pre>notepad.exe</pre><pre>CALC.EXE</pre><pre>calc.exe</pre><pre>IEXPLORER.EXE</pre><pre>iexplorer.exe</pre><pre>NOTEPAD.EXE</pre><pre>[Ekran_Set_Keyboard]</pre><pre>[Online_Keylogger_Baslat]</pre><pre>[Online_Keylogger_Durdur]</pre><pre>[Offline_Keylogger_Loglarini_Gonder]</pre><pre>RegSvr.bat</pre><pre>del *.hy</pre><pre>Win32SysLogs.dat</pre><pre>dummy.html</pre><pre>winmgmts:\\.\root\SecurityCenter</pre><pre>2.6.0</pre><pre>WScript.Shell</pre><pre>HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz</pre><pre>SELECT * FROM Win32_OperatingSystem</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f</pre><pre>Webcam Penceresi Olusturuldu.!</pre><pre>cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "</pre><pre>:*:Enabled:Windows Messanger" /f</pre><pre>cmd.exe /c netsh firewall set opmode disable</pre><pre>[Webcam_Stream_Geldi]</pre><pre>[Webcam_Gonderme_Hata_Olustu]</pre><pre>Scripting.FileSystemObject</pre><pre>[Online_Keylogger_Verisi_Geldi]</pre><pre>[Offline_Keylogger_Dosyalari_Geldi]</pre><pre>[Keylogger_Logu_Geldi]</pre><pre>Keylogger Logu Gonderiliyor</pre><pre>[Keylogger_Logu_Transfer_Bitti]</pre><pre>Keylogger Logu Transfer Bitti</pre><pre>[Keylogger_Logu_Geldi_OKU]</pre><pre>[Keylogger_Logu_Transfer_Bitti_OKU]</pre><pre>%systemroot%</pre><pre>rundll32.exe shell32.dll,Control_RunDLL main.cpl,,0</pre><pre>windows</pre><pre>rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0</pre><pre>Shell.Application</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>xWin32WB.exe</pre><pre>xWin32hr.txt</pre><pre>The operation was canceled.</pre><pre>modSocketSupport.RegisterSocket</pre><pre>modSocketSupport.ResolveHost</pre><pre>Address family not supported by protocol family.</pre><pre>Operation already in progress.</pre><pre>Operation now in progress.</pre><pre>Socket operation on nonsocket.</pre><pre>Operation not supported.</pre><pre>Protocol family not supported.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported.</pre><pre>Winsock.dll version out of range.</pre><pre>The version of Windows Sockets API support</pre><pre>Windows Sockets implementation.</pre><pre>The Windows Sockets version specified by the</pre><pre>application is not supported by this DLL.</pre><pre>modSocketSupport.InitWinsockService</pre><pre>.ResolveMessage</pre><pre>.WinsockMessage</pre><pre>clsSocket.RemoteHost</pre><pre>clsSocket.PostGetHostEvent</pre><pre>ShellPipe.Interrupt.ConsoleCtrlEvent</pre><pre>ShellPipe.ReadData.ReadFile</pre><pre>ShellPipe.ReadData.PeekNamedPipe</pre><pre>ReadData PeeknamedPipe error</pre><pre>ShellPipe.WriteData.WriteFile</pre><pre>Invalid thunk type passed</pre><pre>autorun.inf</pre><pre>Icon=%SystemRoot%\system32\SHELL32.dll,7</pre><pre>shell32.dll, 2</pre><pre>shell32.dll, 3</pre><pre>.fldr</pre><pre>shell32.dll, 0</pre><pre>\explorer.exe</pre><pre>@*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp</pre><pre>1.exe</pre>rundll32.exe_1184:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre>DW20.EXE_1852:<pre>.text</pre><pre>`.data</pre><pre>.cdata</pre><pre>.rsrc</pre><pre>watson.microsoft.com</pre><pre>.mdmp</pre><pre>%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S</pre><pre>/dw/stagetwo.asp</pre><pre>%s/%S/%S/%S/%S/%S/%S/%S/%S.htm</pre><pre>Failed to fill report params from generic params</pre><pre>Not offering reporting</pre><pre>%s Mode</pre><pre>Failed to get a reporting destination</pre><pre>Nothing to report from queue</pre><pre>No reports left to send. Removing queue triggers and bailing.</pre><pre>Failed to plug UI; LCID=%u</pre><pre>Ignoring %S due to unknown queue version</pre><pre>Reporting is disabled</pre><pre>SignOff queue reporting is disabled</pre><pre>Queued Reporting Mode called but still want to report to the queue</pre><pre>Bad queue type to report from</pre><pre>No reports for given queue mask - %u</pre><pre>Invalid queue mask - %u</pre><pre>Suspending: Force cancel to queued reporting</pre><pre>Suspending: Force cancel to network reporting</pre><pre>CreateWindowExA failed with %d.</pre><pre>Application Error Reporting %d</pre><pre>WatsonQueuedReportingInstanceVerification</pre><pre>riched20.dll</pre><pre>qMicrosoft\PCHealth\ErrorReporting\DW</pre><pre>msaccess.exe</pre><pre>http://watson.microsoft.com/dw/dcp.asp</pre><pre>http://watson.microsoft.com/dw/watsoninfo.asp</pre><pre>dwintl20.dll</pre><pre>Launching lightweight browser with URL</pre><pre>mshtml.dll</pre><pre>Not reporting</pre><pre>Reporting</pre><pre>DWBypassQueue</pre><pre>DWExplainerURL</pre><pre>DWNoSignOffQueueReporting</pre><pre>DWAlwaysReport</pre><pre>DWReporteeName</pre><pre>DWURLLaunch</pre><pre>DWNoExternalURL</pre><pre>DWStressReport</pre><pre>ole32.dll</pre><pre>imm32.dll</pre><pre>BTLog.dll</pre><pre>Microsoft\PCHealth\ErrorReporting\DW</pre><pre>HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger</pre><pre>http://</pre><pre>https://</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Debug</pre><pre>%s\%s</pre><pre>https</pre><pre>DwBTLog.log</pre><pre>Failed to get minidump for %S!</pre><pre>szAppName=%s</pre><pre>szAppVer=%d.%d.%d.%d</pre><pre>szAppStamp=x</pre><pre>szModName=%s</pre><pre>szModVer=%d.%d.%d.%d</pre><pre>szModStamp=x</pre><pre>fDebug=%s</pre><pre>offset=x</pre><pre>microsoft.com</pre><pre>.msn.com</pre><pre>.microsoft.com</pre><pre>d:d:d d-d-d</pre><pre>/dw/generictwo.asp</pre><pre>kernel32.dll</pre><pre>psapi.dll</pre><pre>mso.dll</pre><pre>MsoDWRecover%x</pre><pre>MsoDWHang%x</pre><pre>Launching browser with URL</pre><pre>shell32.dll</pre><pre>%d.%d.%d.%d</pre><pre>%d.%d.%d.%d.x.%d.%d</pre><pre>shfolder.dll</pre><pre>unknown.sig</pre><pre>%s dw20.exe %d.%d.%d.%d</pre><pre>RegKey=</pre><pre>ResponseURL=</pre><pre>URLLaunch=</pre><pre>NoExternalURL=</pre><pre>%s:(%s) XX</pre><pre>%s:(%s) X</pre><pre>%s:(%s)</pre><pre>%s:(%s) %s</pre><pre>registry.txt</pre><pre>wql.txt</pre><pre>Windows NT Version %d.%d Build: %d</pre><pre>Stage 1 server response: %s</pre><pre>Stage 2 server response: %s</pre><pre>Stage 4 server response: %s</pre><pre>StatusCode: %d</pre><pre>Opening server: %s</pre><pre>HttpOpen failed.</pre><pre>Opening %s Request:</pre><pre>HTTPS</pre><pre>HttpSend Failed.</pre><pre>HttpWrite Failed, GLE=%d.</pre><pre>HttpEndReq failed.</pre><pre>Count filename length greater than MAX_PATH, can't report.</pre><pre>Filesystem reporting: count file updated</pre><pre>FReportToQueue: GetLastError=%u</pre><pre>FReportToQueue: File Tree Root does not exist: %S</pre><pre>Failed to add heap file to cab: %S</pre><pre>memory.dmp</pre><pre>mdmpmem.hdmp</pre><pre>version.txt</pre><pre>Network reporting complete.</pre><pre>Network reporting failed.</pre><pre>Application Error Reporting Transfer %d</pre><pre>Filesystem reporting complete</pre><pre>Filesystem reporting: cab successfully written</pre><pre>Filesystem reporting: could not find/create directory for cab/count</pre><pre>Filesystem reporting: redirection failure, too many redirects</pre><pre>Filesystem reporting: redirection failure, no previous roots</pre><pre>Filesystem reporting: improper file tree root</pre><pre>Filesystem reporting cancelled</pre><pre>Filesystem reporting: file tree root is too long</pre><pre>Record: 0xxx</pre><pre>Address: 0xxx</pre><pre>Code: 0xx</pre><pre>Flags: 0xx</pre><pre>x:x</pre><pre>(%d.%d:%d.%d)</pre><pre>Checksum: 0xx</pre><pre>Time Stamp: 0xx</pre><pre>Image Base: 0xx</pre><pre>Image Size: 0xx</pre><pre>Module %d</pre><pre>Windows NT %d.%d Build: %d</pre><pre>CPU AMD Feature Code: X</pre><pre>CPU Version: X CPU Feature Code: X</pre><pre>CPU Vendor Code: X - X - X</pre><pre>0xx:</pre><pre>0xx: x x x x</pre><pre>EFlags: 0xx ESP: 0xx SegSs: 0xx</pre><pre>EIP: 0xx EBP: 0xx SegCs: 0xx</pre><pre>EBX: 0xx ECX: 0xx EDX: 0xx</pre><pre>EDI: 0xx ESI: 0xx EAX: 0xx</pre><pre>Thread ID: 0xx</pre><pre>Thread %d</pre><pre>Memory Range %d</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW</pre><pre>OkToReportFromTheseQueues</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>Failed to obtain queue mutex. GetLastError=%u</pre><pre>FGetQueueMutex: WaitForSingleObject returned %u</pre><pre>Failed to open or create queue mutex. GetLastError=%u</pre><pre>Failed queued reporting pester check</pre><pre>Failed to create run reg key</pre><pre>Persistent run key is set.</pre><pre>CoInitializeEx() returned 0x%x.</pre><pre>Reporting to Admin Queue</pre><pre>Reporting to Regular Queue</pre><pre>Reporting to SignOff Queue</pre><pre>Reporting to Headless Queue</pre><pre>Reporting from Regular Queue</pre><pre>Reporting from SignOff Queue</pre><pre>Reporting from Headless Queue</pre><pre>OOM Failed to alloc QueuedReportData</pre><pre>FAllocSD: GetLastError=%u</pre><pre>%s%s%s</pre><pre>FEnsureQueueDirW: GetLastError=%u</pre><pre>Failed to write snt. GLE: %u</pre><pre>Failed to create snt. GLE: %u</pre><pre>Failed to set info; bad queue type: %u</pre><pre>Failed to open reg key for queue</pre><pre>Failed to get windows folder path for queue: %u</pre><pre>Failed to move instr file from queue A to queue B - %u</pre><pre>Failed to move cab file from queue A to queue B - %u</pre><pre>Did not move any reports from admin q to user q</pre><pre>Did not move any reports from user q to headless q</pre><pre>Queue types that have reports: %u</pre><pre>Setting triggerAtConnectionMade to: %u</pre><pre>Setting triggerAtLogon to: %u</pre><pre>Setting the queue trigger based upon: %u</pre><pre>SUCCESS adding report to queue</pre><pre>Launched (%S)</pre><pre>Failed to store the SensSubscription. hr: %d</pre><pre>failed to allocate PROGID string: %S</pre><pre>Failed putting SubscriberInterface. hr: %d</pre><pre>Failed putting PerUser. hr: %d</pre><pre>Failed putting Enabled. hr: %d</pre><pre>Failed putting MachineName. hr: %d</pre><pre>Failed putting OwnerSID. hr: %d</pre><pre>Failed putting Description. hr: %d</pre><pre>Failed putting InterfaceID. hr: %d</pre><pre>Failed putting EventClassID. hr: %d</pre><pre>Failed putting MethodName. hr: %d</pre><pre>Failed putting SubscriptionName. hr: %d</pre><pre>Failed putting PublisherID. hr: %d</pre><pre>Failed putting SubscriberCLSID. hr: %d</pre><pre>Failed putting SubscriptionID. hr: %d</pre><pre>Failed CoCreateInstance on EventSubscription. hr: %d</pre><pre>Failed to remove the SensSubscription. hr: %d</pre><pre>failed to allocate query string: %S</pre><pre>Failed CoCreateInstance on EventSystem. hr: %d</pre><pre>SENS: StringFromIID() returned <%x></pre><pre>DWSHARED: SysAllocString(%s) failed!</pre><pre>Failed to subscribe subscription %u. hr: %d</pre><pre>Failed to get data for subscription %u. hr: %d</pre><pre>Failed to query install reg key</pre><pre>Failed to open install reg key</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Installed</pre><pre>HKEY_USERS\</pre><pre>HKEY_CURRENT_CONFIG\</pre><pre>HKEY_CLASSES_ROOT\</pre><pre>HKEY_LOCAL_MACHINE\</pre><pre>HKEY_CURRENT_USER\</pre><pre>initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>creating CDwAccessible: hwnd %x, idc %d</pre><pre>WriteAtOffset.Write(0x%x) failed, 0xx</pre><pre>WriteAtOffset.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>WriteStringToPool.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.Seek(0x%x) failed, 0xx</pre><pre>WriteDirectoryEntry.Write(0x%x) failed, 0xx</pre><pre>Thread(0x%x) callback returned FALSE</pre><pre>WriteSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteSystemInfo.GetCpuInfo failed, 0xx</pre><pre>CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteHeader.GetCurrentTimeDate failed, 0xx</pre><pre>WriteDirectoryTable.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.Write(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)</pre><pre>WriteFullMemory.Memory.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx</pre><pre>WriteFullMemory.Desc.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx</pre><pre>Kernel minidump write failed, 0xx</pre><pre>MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>Invalid exception record parameter count (0x%x)</pre><pre>Invalid exception record size (0x%x)</pre><pre>Invalid CPU type (0x%x)</pre><pre>Invalid function table size (0x%x)</pre><pre>GetSystemType.GetOsInfo failed, 0xx</pre><pre>GetSystemType.GetCpuType failed, 0xx</pre><pre>Write.Start failed, 0xx</pre><pre>Dump type requires streaming but output provider does not support streaming</pre><pre>Invalid dump type 0x%x</pre><pre>dbghelp.dll</pre><pre>Alloc(0x%x) failed</pre><pre>Thread(0x%x) will not be included</pre><pre>GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetImageSections.GenImageNtHeader(0x%I64x) failed</pre><pre>GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.GetContext(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.Open(0x%x) failed, 0xx</pre><pre>GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx</pre><pre>GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x</pre><pre>GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx</pre><pre>GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGenTebMemory.TLS(0x%I64x) failed, 0xx</pre><pre>GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>0GenGetAuxMemory(%ws) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) looped</pre><pre>GenGetProcessInfo.EnumModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) looped</pre><pre>GenGetProcessInfo.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Desc.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Header.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Seek(0x%x) failed, 0xx</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls</pre><pre>version.dll</pre><pre>ntdll.dll</pre><pre>%$%,%4%<%</pre><pre>S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%</pre><pre>b%c%d%e%f%g%h%i%j%k%l%</pre><pre>!"#$%&'()* ,-./0123456789:;<=</pre><pre>!!!!2222</pre><pre>%%%f||||</pre><pre>!!!!2222||||</pre><pre>!"#$%&'(</pre><pre>'()* ,-./0</pre><pre>&'()* ,-./</pre><pre>&'()* ,-./012345</pre><pre>3456789</pre><pre>.ASex</pre><pre>!"#$%&'()* ,-./012</pre><pre>!"#$%&'()</pre><pre>?msodatad.dat</pre><pre>msodatalast.dat</pre><pre>Unicows.dll</pre><pre>Kernel32.dll</pre><pre>SHLWAPI.DLL</pre><pre>GDI32.DLL</pre><pre>wintrust.dll</pre><pre>1108160</pre><pre>0u.hN</pre><pre>0SSh </pre><pre>t.WWWj</pre><pre>PSSh07</pre><pre>t5SSh(</pre><pre>PSSSSSSh</pre><pre>0SSSSh</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>KERNEL32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>MSVCRT.dll</pre><pre>RPCRT4.dll</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>urlmon.dll</pre><pre>USER32.dll</pre><pre>VERSION.dll</pre><pre>WININET.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyExA</pre><pre>ReportEventA</pre><pre>ReportEventW</pre><pre>RegEnumKeyExA</pre><pre>RegQueryInfoKeyA</pre><pre>RegQueryInfoKeyW</pre><pre>GetProcessHeap</pre><pre>GetSystemWindowsDirectoryW</pre><pre>_amsg_exit</pre><pre>_acmdln</pre><pre>ShellExecuteExA</pre><pre>UrlGetPartA</pre><pre>CreateURLMoniker</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>HttpQueryInfoA</pre><pre>HttpSendRequestExA</pre><pre>HttpOpenRequestA</pre><pre>InternetCanonicalizeUrlA</pre><pre>InternetCrackUrlA</pre><pre>HttpEndRequestA</pre><pre>dw20.pdb</pre><pre>\devsplab1\otools\BBT_TEMP\DW20O.pdb</pre><pre>winword.exe</pre><pre>wwordlt.exe</pre><pre>excel.exe</pre><pre>excellt.exe</pre><pre>mspub.exe</pre><pre>frontpg.exe</pre><pre>outlook.exe</pre><pre>powerpnt.exe</pre><pre>powpntlt.exe</pre><pre>onenote.exe</pre><pre>infopath.exe</pre><pre>winproj.exe</pre><pre>ois.exe</pre><pre>visio.exe</pre><pre>`!`'`)` `</pre><pre>e%f-f|3 f'f/f</pre><pre>]!^"^#^ ^$^</pre><pre>t.uGuHu</pre><pre>x4x7x%x-x x</pre><pre>h&h(h.hMh:h%h h,k/k-k1k4kmk</pre><pre>k%lzmcmdmvm</pre><pre>^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP</pre><pre>]8^6^3^7^</pre><pre>ichczc]eVeQeYeWe_UOeXeUeTe</pre><pre>{1{ {-{/{2{8{</pre><pre>r6s%s4s)s:t*t3t"t%t5t6t4t/t</pre><pre>t&t(t%u&ukuju</pre><pre>WHX%X</pre><pre>`IaJa aEa6a2a.aFa/aOa)a@a bh</pre><pre>d@d%d'd</pre><pre>duewexei</pre><pre>kCpDpJpHpIpEpFp</pre><pre>S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S</pre><pre>U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU</pre><pre>c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c</pre><pre>m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm</pre><pre>nRsSsh</pre><pre>evg%f</pre><pre>m.tRa</pre><pre>gtr%x</pre><pre>Q%SKg</pre><pre>f.ebp>QI</pre><pre>y.yxT</pre><pre>fn:q%uN</pre><pre>aw.Toiz</pre><pre>RMeXe</pre><pre>S#S$S%S;ScSdSrSsStSuS</pre><pre>`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`</pre><pre>^ ^!^"^#^$^%^&^'^.^}^</pre><pre>c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe</pre><pre>f f!f"f#f$f%f&f'f(f)f*f f,f-f</pre><pre>m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm</m></pre><pre>u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu</pre><pre>U U!U"U#U$U%U&U'U(U4UJU</pre><pre>](^)^*^ ^,^-^/^0^1^</pre><pre>m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m</pre><pre>x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x>x?x@xAxXy_yaycydyeygyiyjykylynyoy</x></pre><pre>} }!}"}#}$}%}&}'}</pre><pre>] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]</pre><pre>]2^3^4^5^6^7^8^9^:^;^<^>^</pre><pre>cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe</pre><pre>X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX</X></pre><pre>d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele</pre><pre>s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs</pre><pre>u$u%u&u/ujukulumunuouqurusutu</pre><pre>duewexeyeze{e</pre><pre>~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0</pre><pre>| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|</pre><pre>{3~3}3|3</pre><pre>eZl%u</pre><pre>Q.YeY</pre><pre>R:\Sg|p5rL</pre><pre>e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei</pre><pre>s4s/s)s%s>sNsOs</pre><pre>s&t*t)t.tbt</pre><pre>2%2.bx</pre><pre>{ | }9},</pre><pre>d6exe9j</pre><pre>]%sOu4](n</pre><pre>m.t.zB}</pre><pre>w%xIyWy</pre><pre>^vcÓv</pre><pre>%f?iCt</pre><pre>U>_.lE</pre><pre>f.ebp</pre><pre>.nrR=</pre><pre>{fn:q%uN</pre><pre>25.exe</pre><pre>name="Microsoft.Windows.ErrorReporter"</pre><pre>version="5.1.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df" /></pre><pre><description>Windows Error Reporting</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>1%s\%s\%s\%s\%s\%s\%s\%s</pre><pre>AppName: %s AppVer: %s AppStamp:%s</pre><pre>ModName: %s ModVer: %s ModStamp:%s</pre><pre>fDebug: %s Offset: %s</pre><pre>Main_AlwaysReportBtn=</pre><pre>Main_NoReportBtn=</pre><pre>Main_ReportBtn=</pre><pre>General_Reportee=</pre><pre>CheckBoxRegKey=</pre><pre>ReportingFlags=</pre><pre>Stage1URL=</pre><pre>Stage2URL=</pre><pre>%General_Reportee%</pre><pre>%u %s</pre><pre>%u.%u %s</pre><pre>%s %s %s %s in %s %s %s fDebug %s at offset %s</pre><pre>Bucket: d</pre><pre>BucketTable %d</pre><pre>%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s</pre><pre>\dw.log</pre><pre>policy.txt</pre><pre>crash.log</pre><pre>status.txt</pre><pre>hits.log</pre><pre>count.txt</pre><pre>%s\%s\%s</pre><pre>%s\%s\%s\%s</pre><pre>eDWQueuedReporting</pre><pre>DWPersistentQueuedReporting</pre><pre>"%s\%s" -%c</pre><pre>dwtrig20.exe</pre><pre>ReportSize=</pre><pre>\*.cab</pre><pre>dwq.snt</pre><pre>"%s" -%c %u</pre><pre>SEventSystem.EventSubscription</pre><pre>SubscriptionID=%s</pre><pre>#$%&%&'(</pre><pre>Comctl32.dll</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\8267C.dmp</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp</pre><pre>.NET Runtime 2.0 Error Reporting</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log</pre><pre>Microsoft Application Error Reporting</pre><pre>11.0.8160</pre><pre>Windows</pre><pre>DW20.Exe</pre>svchost.exe_1480:<pre>.text</pre><pre>`.data</pre><pre>.idata</pre><pre>.rsrc</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExA</pre><pre>GetWindowsDirectoryA</pre><pre>ADVAPI32.DLL</pre><pre>KERNEL32.dll</pre><pre>msvcrt.dll</pre><pre>5.1.0.0</pre><pre>svchost.exe</pre><pre>Windows</pre><pre>Operating System</pre></t%x>

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps

Related articles