Susp_Dropper (Kaspersky), Trojan.GenericKD.1684739 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 312edbcc2f351952561a9a79463d172d
SHA1: cd1a506899cfbf5a490506de4f96a61a5add666a
SHA256: f587157f08365ff6deb31a26e3d08c6164de676b381c624e40435712fbdc6725
SSDeep: 24576:4yDULOT9eznCeyen7Mb5Ru l3HD 6s8VEiPUNkzxtmyASTgn/:/DE2levq5k fs/kzxtmyJM
Size: 1452032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
583.exe:1868
%original file name%.exe:480
rundll32.exe:1348
rundll32.exe:212
rundll32.exe:596
rundll32.exe:1772
rundll32.exe:1784
rundll32.exe:1720
rundll32.exe:1568
rundll32.exe:240
rundll32.exe:488
rundll32.exe:280
rundll32.exe:1752
rundll32.exe:1672
QSSSSS~1.EXE:424
QSSSSS~1.EXE:772
qqq.exe:568
qqq.exe:324
DW20.EXE:1852
The Trojan injects its code into the following process(es):
rundll32.exe:1184
25.exe:840
File activity
The process 583.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)
The process %original file name%.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (0 bytes)
The process QSSSSS~1.EXE:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)
The process QSSSSS~1.EXE:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)
The process qqq.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Kurulum\Server.exe (4185 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dummy.html (0 bytes)
The process qqq.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\svchost.exe (1895 bytes)
The process DW20.EXE:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes)
Registry activity
The process 583.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 C9 33 23 49 63 BF 2D 51 A6 E3 8A 07 F6 DC 4F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"qqq.exe" = "qqq"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 DD 8A 34 59 0C 51 99 88 3E E4 B2 3F 4B 07 BD"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process rundll32.exe:1348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 41 BA C7 A9 88 16 06 9A A9 54 6D 82 8A D1 93"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 2E F2 F8 77 EE A1 68 FB 1F 1B 6C 3C CD 3B 7F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 EE D3 BF 27 9B 29 10 52 6A 0D 6D C4 8F 75 EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 49 8F F8 06 7F 4E C2 BB 67 28 14 C2 BE DE 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 FD 28 DC 10 AB FE E1 27 DE 54 BB 2A A1 C6 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 1A 26 41 FA 85 92 71 A7 DA 49 26 27 2F 04 F9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 72 91 8E 64 FF 39 D2 90 E2 51 F7 9A C1 DD A2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 BE 04 58 1E C1 7C BB 25 0E 66 BD C4 03 4F 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 7A E2 DC 1B B4 DF A7 22 0B AF A7 B9 0C B2 DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E2 82 04 84 39 F2 10 9D 7F 1E 8B 73 33 7C 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB A3 1E 80 7C 65 D9 E4 41 74 74 FC 62 72 BC 50"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 DB E8 00 76 A1 EC B6 BA 75 69 D3 82 7B 8F A1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 FE C2 31 C6 F7 B9 A7 DD E2 67 A2 40 28 94 97"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process QSSSSS~1.EXE:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 98 C7 75 8F D1 7C 3B 3B 72 05 04 38 12 A0 C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process QSSSSS~1.EXE:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C5 66 B9 5A 5D E2 7F 0D 3E 19 B5 ED 91 67 7D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process 25.exe:840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E A3 10 28 DA 60 B2 D1 0C 40 D4 2A A3 5B E6 DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process qqq.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D1 2A E4 AD 1A D5 A7 52 5D AB BD E0 90 C5 08"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{392EE29C-9DB0-ADDF-AEDA-EC2FE7D42BAA}]
"StubPath" = "\7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\Kurulum\Server.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\Kurulum\Server.exe"
The process DW20.EXE:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 73 79 B0 24 BA 1F 58 4D 5C 29 FD 28 F6 5F C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f1272bff9356e64c28b0db7d91af83d1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\25.exe |
f1272bff9356e64c28b0db7d91af83d1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\583.exe |
705fea8c2ef23e6b9567dc8f4f8aa148 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\qqq.exe |
705fea8c2ef23e6b9567dc8f4f8aa148 | c:\WINDOWS\Kurulum\Server.exe |
9e3c13b6556d5636b745d3e466d47467 | c:\WINDOWS\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
583.exe:1868
%original file name%.exe:480
rundll32.exe:1348
rundll32.exe:212
rundll32.exe:596
rundll32.exe:1772
rundll32.exe:1784
rundll32.exe:1720
rundll32.exe:1568
rundll32.exe:240
rundll32.exe:488
rundll32.exe:280
rundll32.exe:1752
rundll32.exe:1672
QSSSSS~1.EXE:424
QSSSSS~1.EXE:772
qqq.exe:568
qqq.exe:324
DW20.EXE:1852 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)
%WinDir%\Kurulum\Server.exe (4185 bytes)
%WinDir%\svchost.exe (1895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\Kurulum\Server.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\Kurulum\Server.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 8.00.7600.16385Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 8.00.7600.16385 (win7_rtm.090713-1255)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
.data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 1404928 | 1401856 | 5.52627 | 3ad02c43911ebb5ab451f93e4ad20f61 |
.reloc | 1466368 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
qqq.exe_568:
.text
.text
`.data
`.data
.rsrc
.rsrc
MSVBVM60.DLL
MSVBVM60.DLL
ct1.vbProgram
ct1.vbProgram
ShellPipe
ShellPipe
Program.Socket
Program.Socket
Program.ShellPipe
Program.ShellPipe
sUrl
sUrl
sPassword
sPassword
lPort
lPort
bPassiveSemantic
bPassiveSemantic
sWebcam_Module
sWebcam_Module
sKeylogger_Module
sKeylogger_Module
clsftp
clsftp
modSocketSupport
modSocketSupport
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
TextCmd
TextCmd
FindExecutableA
FindExecutableA
ShellExecuteA
ShellExecuteA
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
advapi32.dll
advapi32.dll
RegCreateKeyA
RegCreateKeyA
RegDeleteKeyA
RegDeleteKeyA
advpack.dll
advpack.dll
kernel32.dll
kernel32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
avicap32.dll
avicap32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
shell32.dll
shell32.dll
ntdll.dll
ntdll.dll
psapi.dll
psapi.dll
wtsapi32.dll
wtsapi32.dll
version.dll
version.dll
user32.dll
user32.dll
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
GetKeyState
GetKeyState
GetAsyncKeyState
GetAsyncKeyState
SHFileOperationA
SHFileOperationA
keybd_event
keybd_event
WINMM.DLL
WINMM.DLL
GDI32.DLL
GDI32.DLL
VBA6.DLL
VBA6.DLL
ws2_32.dll
ws2_32.dll
gdiplus.dll
gdiplus.dll
msvfw32.dll
msvfw32.dll
GdiplusShutdown
GdiplusShutdown
%System%\MSVBVM60.DLL\3
%System%\MSVBVM60.DLL\3
RemotePort
RemotePort
LocalPort
LocalPort
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyA
RegEnumKeyExA
RegEnumKeyExA
ExitWindowsEx
ExitWindowsEx
olepro32.dll
olepro32.dll
CreatePipe
CreatePipe
PeekNamedPipe
PeekNamedPipe
ClosePipe
ClosePipe
wininet.dll
wininet.dll
FtpGetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRemoveDirectoryA
FtpPutFileA
FtpPutFileA
FtpGetFileA
FtpGetFileA
FtpDeleteFileA
FtpDeleteFileA
FtpRenameFileA
FtpRenameFileA
FtpFindFirstFileA
FtpFindFirstFileA
%Program Files%\Microsoft Visual Studio\VB98\VBA6.dll
%Program Files%\Microsoft Visual Studio\VB98\VBA6.dll
msvbvm60.dll
msvbvm60.dll
comdlg32.dll
comdlg32.dll
HelpKey
HelpKey
getservbyport
getservbyport
Webcam G
Webcam G
?8??8??8??8??8?
?8??8??8??8??8?
lngRemotePort
lngRemotePort
lngLocalPort
lngLocalPort
sProxyBypass
sProxyBypass
sKey
sKey
lngPort
lngPort
'Qmou&vtia}gk&fghljq%d`&tsh&lh&B@U&kmbd(
'Qmou&vtia}gk&fghljq%d`&tsh&lh&B@U&kmbd(
=w.Xv
=w.Xv
B&.VP
B&.VP
%C]Y^\
%C]Y^\
}"&s%SUS
}"&s%SUS
PSShx
PSShx
<t%x><pre>@Yp.SoO</pre><pre>v.WlL</pre><pre>R".TWl</pre><pre>QSSh~</pre><pre>.4Q-336</pre><pre>PCICGP&isiaoh\pto*.`fqhjoYpqj*&pukqogldZ`ick`hq)%prdwkgkdYp`itc*&qdqrqnwb^cjdo`hu*%u`vuvmpbYpdlw`*&ulgkih^s`gjh)&baqc^etdaqcb%gwjk%joaoku</pre><pre>XZ%fY_\]Z</pre><pre>VCJCEQ&lb)&niurhgkc*/nr{vTcgjk,&`ithUsmkorS\I*&suc}kgkc@occg*&uauuqotj@o`ia*%chfw|vqfbPpfqjblc*#coeq</pre><pre>gohb%is&eimtkh&lhb`}&npq!ng.tghbc</pre><pre>gp~ljlgs|!bgr`dgvd%cjtkdq&cttjw</pre><pre>iofkmoa%svjpnljo</pre><pre>sqlir`Y}ehgheYtagia</pre><pre>.HPJI&</pre><pre>6=4<287550>:1113=6</pre><pre>T``ap`tkj% `%hwdcfu%cwik&SGJ%coj`&#w</pre><pre>OVK#bgilca vowk.OSJJ"tsgvgrce!rwgveocht</pre><pre>urtgha.iw&dbid%rio&moa</pre><pre>dbjwq%dr a%ia"^ v\?%#v</pre><pre>adl`a{$m~`k%vdseuilkq/(%STI%|qaq`igkqv"lk$uwjbp`vs</pre><pre>lfnko{.tiibdgem&{}gi|dlrfin"-/UWN"|zgrjcja{u%oi vr`b}gv|</pre><pre>VCI@DV&ldk`*%woirrga`."vvj&CWIK'"'t"/'v&UJERG'%u&MTACW%G_.wjuob</pre><pre>f`khjr%fnghac% v&rgk&hia`%cwik%roqnlk&g'qugkvgernjk</pre><pre>kous}c&`b.gaatjagrc&`shezoih&#(,|./</pre><pre>#w&#v&D\%r`wh&isu&i`&tghac&,%umisjb!c`&dcrqcck&7!dha& a</pre><pre>&qcthv&oh&JWBCW%D\%emdpuc</pre><pre>%enjshh%oh%tmc&|crpiq%ucr</pre><pre>qoj%lgh|%qetkv&ih%#v&D_%figpsc</pre><pre>d&IWISU.DV&mjgsvc&lu&r`tpow`a%mjcit`&MDPOHA</pre><pre>daivjabq`%cshftiokv%gtc%nkr%djhisab lk$qme$EVKPU%G\ gidswe</pre><pre>{`` hghv%cocukhv%ik" p</pre><pre>ud8'qthbfct!%DKB&. r(</pre><pre>sqllu`^</pre><pre>uglma%%u%kd|&hjrÜ%diqctca</pre><pre>PUADRC&$ q' #u%UKR&vti/8&vtjoqcY}jkdk`Pudtckq.|tj(& W./!S/$SJGPC"*v=</pre><pre>[VJGQG&'W( |&V@V&u~n&;"GGUG&RLKH%r|u`&8%"ptlab`w".QM@J%uuilq`[wahgb`Zrtobcct.vtj)&#T,JIVC%utjorkYwjagkcYqndic-utj*& T,&@HB*%qgiZkdkc&;%#W*.hake&;&EGUC UNCH&r|vc;!qodjc!&QNCH/*W"QN@H&ackc&JOMC&"u~jozcYgsriolbg~##!&GHB&q</pre><pre>vg;!ohdg~!%RHCK&!wqjlrcYgzvilhf`~]'%sz&#W&zz%usmurr.hnkc*#b-1>&&CNUC&hgkc/CHB&QNCTC&rdjYhdk`8#W DND&.r</pre><pre>PVDGRC%vtllre_r`kvQigvret&SCU%uwj&;&v</pre><pre>Eghhir&gbj g%UTLLOT\%KK_&ejlpkh</pre><pre>Edhnit.gbb%g&SHGWSC%eij{ch</pre><pre>Edkhir%gbb&o W@@@WKHM@V%eiiuk`&qorn&hih#HPII&bccgplr%sgisc</pre><pre>Egnhar&gad&g%HJQ&@SIJ.fojphh&wozn¼`dsjr%pglsc&NTJJ</pre><pre>WUEBV@!$'r-/&q"QCV"qrm"8&qzgqwt.qsm)3(#f sy&!#"%&~z&'S&~z&|wdpvq*uwj)#k,"UN@WC%q{rg%?%'qcgng"%NLF&mdbc"8/#T</pre><pre>yo}qsdi#tdmc`q"hdv&ajp"mg%ciqj}`f</pre><pre>Ldkkjv"dab"c%fkjpkk&qi%d%sl`r</pre><pre>A@I@QD%CWLH. _-&r%RM@WK#qgb; _</pre><pre>V@I@FQ%qgb*%ha})%vqdr%CTAH! T vtilq`Zvrdq?</pre><pre>adqdgduc% u&ov%git`db|.ok%p}c</pre><pre>`i&up`g.gbrgdgpf<#&u</pre><pre>igocfr%mdnf&wf|`ws`b%ei}%lhqftkbo%svf</#u</pre><pre>ve>##u!)$hgba8#T-%rgiZkdk`8 T)%tnnquda`<" b)&uti8#T%RMCWK.wayha8& b</pre><pre>udwdh`ra|v%ds`%kju%diiar`a%lo!slarv</pre><pre>rgcr&#v.kv.eksepjdti|%j`hok`a</pre><pre>ucgnk&'vÍ</pre><pre>%kir%d`%a|ju~`a</pre><pre>A@I@R@%CWJH& T( v%RNCTE&qbiZk`k`8 P.dnd zxvc$;!tribg`w"</pre><pre>A@LEQ@%CWJM! T,uwjiqc^qtdq7%RMCR@&rdj= _</pre><pre>sowqsdj%udgmcv"kd|%kjq%gg%okac}`e</pre><pre>lkaf}% v%ciw`df|%`~lvrv</pre><pre>zgljc& }/fos.ka.eib{mk&hgk`b% v</pre><pre>lkb`~%asujfoaq`b%ulrm%SHLTW@%mp%RTOHGPY%ME_!eihuqscilr&eanhjt gf apjuuca</pre><pre>FCJCRE @TIH #W.%u RHCWD!k`kc8#Q&DKA qype8!lnae}!</pre><pre>vkddj`&wi&hbdhrgh{&rfd!illcbu&po&dc&vcojbkweb</pre><pre>@VEDQ@!c~vwgurlih&ksvpÝ&d%rohbi`%fmgtgeuct</pre><pre>rgdjc&#U&ngu&#b%mkjskhu&dsr&#b&pgjscu.qct`&usvviocj</pre><pre>&ov#mit%shots`</pre><pre>pkuvvvjwr`a%con`%cjtngr</pre><pre>vmmkjvk&it%s`usvviwqca&lllh%qwuc<%#Q%#W v R</pre><pre>WIAMR%gha&@SLL%JPQER&OILHs gt`&kiq&fpwwf`ti|%sppujwqka</pre><pre>g%KATPWBI%oiok%hgy&kiq%ngpk gl&JL ir%SSJMG%elgusc</pre><pre>echhiz%maw`%dmrn&JN c`a [VHHA en`uqeu"gh rm`"}gke ojln</pre><pre>!g%uohal`&w`u{bq"gibiv`j&fju%a&SGICFQ&qngr&lu%vgvr&kc&ak%b}ttcvuojh</pre><pre>vwjmq`Ytpdwr`t|Z%uZ</pre><pre>q|vk;$z|lbbct)%O@B.hghc3" </pre><pre>ki%}scf.rtoia`t4. U</pre><pre>`i#up`núiscm4% u</pre><pre>mdk`at%PGMPSB%c|jh.qlqmlk.d%zwd`}deqjjo</pre><pre>mo``aq$PDMSTH& $VWI.wrgpkh``ru#l`.uwjbwc}u</pre><pre>EUPEFM/#(.GU&rees{bY`f=</pre><pre>UCJKEP&!EWADRC&RDGIJ/pgespmPbd !/zx&vsmvpw.vti*>2/&/%CWIB%vtblr`Zmeupcr&YHJRA%q|ve8!pg`c`#ªB%jgca#;#uujo{cZw`~qahg`"&/ÚB&vjjrvgbj85</pre><pre>VAJ@EP&"LVAEPJ.MJBC]/ynlssiYbd(&%zy&usduqs.uwb*71/&%@TIK%uwjordYkgrqcw&QNCTC&uwj&ILMC&!FTCDRJ%OHBC^%#!&</pre><pre>VCJCBR%!ETCGRC%PKOWSC&OHBC^&pgfpskYbd.!&zz&vsduqt.uwj*37/&%&CRIK&uwjoreYhdurct WNCTC uqi JOM@!!ETCGRC!SHIWPC&LKDC^&#!</pre><pre>SCJCER&!IHU@TQ&LHQN&pdespkYad('&z|&wsirc.hake/&zz&!$WCICFU%,&CTIH&kgoh(&&z}&tsirc.hgkd/&y}!"=!@S@K&kgoo uwmorcZkguq`t&RNDTC&q</pre><pre>UDMCL[%!F@JJQD&@SJK!wglsshZbd((!zz%~piqd'a`hc/&}y/!4!&CTJK.ynbzzkZjg vwbkrcYl`urjt/QNK]C/kgk`3!utcfrcPvcwsjkb`!%</pre><pre>VJC@LU&!LKUCTR&OHRI&pdfsskYbg(!&zz&wpiqa-hghc/%yz%!.UCJCFR&,%@TIK$keok(!&zy%</pre><pre>GHUC\Z%OJWM&rdepskYb`(uwiorcYlourct%&%UCJCER&r</pre><pre>vc;)rggj`".DHB.tiaruoac;5/</pre><pre>FW@ORC%XLTRSGJ%ROGI@&#Q</pre><pre>PUBGQC%#W(#v%V@R%r|uc;"qgdjc"*%hdc`8#W#.qgiZkgk`;#W)&qiir~ga`25)&uwj;#W&QNCTC&tiroa;% b</pre><pre>prgdjc%fonvtwperj}&bkd"kjq&b`ancwe"ufmekg<&%s</pre><pre>ni%upfh kjauj`:%%s</pre><pre>cdhnir&ps` okd`~?%%s</pre><pre>ugtset%sqacm jp`wfioq</pre><pre>h`gt " T"?%uyktd}&erwi|</pre><pre>tnc&NIR&OHBE^CB ejgusc iu&hor gjlixcb&ja&S_BNQ@&jt%A@JCT@%urgrch`h{u&wo{noh%rrlbbjtu</pre><pre>kd{dggv`%fj}vzvqlja/dv%claj& `/ab%]' 46uX</pre><pre>eg`hir%iu`h%cgbc&dr%blkc.#a%i`&]#(>6u[</pre><pre>AcrTdtchr</pre><pre>%%%& Âss`c`i|Ie`n{lq|%q{u`8'Xlk67' kah`8'Hlfwivjcq Rlkdjxv Fjhhjk(Fjkqwjiv'%scwvljk8'8 0 5 5$&</pre><pre>EbbZvpvp$@}q`whgh$EG.Wjjz6</pre><pre>>15353565<?6_</pre><pre><560=5451=6=_5</pre><pre>Rm`%SU@WRWSUQ&K`qrjwo7$6</pre><pre>kqqu8))if|v sqctqtzuq.com?</pre><pre>P[K-SUJWIl}vq"@gn`eu?</pre><pre>Atggvct.Kghgnc}vc|7</pre><pre>mruv;).vrr(suctqwtuu/enl0</pre><pre>006>4116656?\</pre><pre>416321712>59\6}7</pre><pre>LKHIBI%FN%Jiblrcd4'6</pre><pre>425<71616651_</pre><pre>@gt.Ua`ct5</pre><pre>5nrqu</*fwp.giikaagd fjk*GIHIAICj`cUlginj`EE7 ftq6</pre><pre>E@BJBI%FG&Iokoqde7.5</pre><pre>AIBIFM%Aiaj/Vlaklab%CN"4</pre><pre>42277945520;\6!</pre><pre>[#AYARBASLANGIC#][#NOIP<<65066EF90B7603C0632DBF17DFC7C7612F47479EBC8581E6D1D03F35AEFB52DCF844F081F5A59D29103D7657F69C840B60F1715F755A1E8617CEDA2B016EBAE794B40A6F38FE693F65FEB847C8C6F8A30679F877A85532B19D687EE52295230CC48818200D0352DD018AF89C8C7242924591A9B212CBBB22B1BD16A29E8DBB4615DD87D2FFD0433FB03D2310D1FD5215EA98EF4B7E5561951E26CE9C8032EC10D28EC0829A002BE27D3364A0E34292E7C129F77FBBD21506B080D350959FA4290736F2AAECEFB341F68868480E1E6DC516616DCBD45CFD317227D17BE7F1108ABFF387883EFB09D965989C84DCED51EA751A7DE893D08B94F1F775D705031832>>#][#PORT<<32CE0060EF02755BD764A0C8A8871768DA588905866B72C5F4B8E193DAFA1EB02C6E6F6053EB7EBC0528E3957C96C4D2875CA1CD427B3231B186375C2D8154304263210861F3C83A39FF8D50E7C3F6D053A4122B1F8A188A0624F780CAC4B3150D9A33B207571EF49DA5A896138CB78069A9E73989D3316BE29170DCE0804878F9CDAF3B30934B439D174041AD2BD33F36A8AE54AA9087B171876D4DD9F1DF3773F9233F87635EC6A5D063AEE05C9766279E3098F181E9F75E02782E6213036F2798599A39022197214CDD7A1A1DCED467C7FDA2099F219AD4BEA19C666201B87EE9DFE9716E6153FDC7380085A9C562A29E1F0C1DA63B7641F73231D31AA3F3>>#][#KURBANID<<451272F4F97CA22B4FB824AE90EDB509B212CAA6699EF1EEB6295DE4493778200CA95AF601895DA951B6D613ADF86D9A55280B967C00398A928DCDC3E7B40A96F1294D80B479EAA1C8781E9B7DCE6313DFA9AC0AA44678DD672386251ACA2DF202C2156CE21A074E809A2406898C81311CB1987D2B0BDB6303887545B25691F0CDD0DEB596C81CEC8338D50CDFCE74AF989CB9ED9E684F18B096C561B9B4208C5DF054199D5F99385E6E5FEB4AEEE9099E063D530B3E7FF9FC2BE2B3FCBF45443E3CA39383B927EC5D586CA0D70B4C7CBC0C10AF3C66D701F121FB3985946FD1FB52F65E52367447CBD2AA65917F47033D085F793DBD442D5C9538AD230E47F1>>#][#BAGLANTISIFRE<<2BCF33C6CD44D99531F4517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALANANYAZILARIAL<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#USBDISKBULAS<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#WINDOWSFIREWALLKAPAT<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#SERVERKAYBOLSUN<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#KOPYALA<<1>>#][#KOPYALAMAISMI<<4D027208FD80D0C27029517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALAMAKLASORU<<4512720704830F5DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#KOPYALANACAKYOL<<71066EF60785155DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#BASLANGIC<<1>>#][#HKLM<<1>>#][#HKLMANAHTAR<<42E84CDF98DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#HKCU<<1>>#][#HKCUANAHTAR<<42E843E798DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#MSCONFIG<<0>>#][#ACTIVEX<<1>>#][#ACTIVEXANAHTAR<<75D039C4DD53D4963BF18AF4F37D9332FF1C5F5C8B63C559A721AF6915A03A08353C814B17A22D212BE458A85B605EC74C8C07EA69765E06D6557A6F4A12D1589F7D703831584E3BEA3FC5AFE280A8F4A904B5662CDAB14F3AEE18916D8DB89CEB58648D11120CB137CFF05C943D38AC0757AC663DB406B132ADEA38A1737CA73EBD9807E69023FE5E72C46DBD347C6B32A59868E75D88E84B2B1CA07261CA76248AF6E07AED3D5FEBC36DDBAAC05E6B36C763E8B873A7B0CF45D8052EF34D072A59ACD69C83494EAADD59E5A7FECCAADF5BBCE23D9289860B57CD231E0431D31948E4A4D6F12F09E69E72C63E4AF2A339BB0E127F9520268BBD67F650712219>>#][#INJECT<<1FE145D8D963EEB13A16A0070492B816BBA670231D1C60B8C9F4637180D2224471E07B57C7D2A72F494C904997AC3A1385A8D3399B5F1F68F8F3899885598E06DF384DD14AF535631B13D191A97CF88E75EA5B42A425327B5B730A0B02D6B478A0F59113152204B0FFC0BABC71CA9E2F9835A469713DB59E6F8283787596F184B1A2E589A4A53143F2E1E936EB2049A1A717C91A3E2E84BDAF6990CA5626E115CF8C621F318B9909B082BA6B144B56CFA11BE6C04A497C8359B60BADA5D0615B743EE7C23A5D17EBF42EC848681820A6C00E18CA8F58B61DE8B4D3CE1BE24CBE9DC50E9DBBAB8698BB72B078E111421282FBFB610A265277D7B043D83726BD2E>>#][#GIZLINITELIK<<0>>#][#MUTEX<<JOORX4V1Y20OSC6>>#][#OFFLINELOG<<1>>#][#FTP<<0>>#][#FTPHOST<<601170C0FE8212D05D36C715237BC96028D8E7863EF17FF71A2B842E090C7AE3817A15462316DACDB065E1B51BDBFBDAB982ACF010475761D26674C2A6EB7F2E9E29AF448B381FFCEB270EA3FC407EB72EFABC9EF97ABBC1C882DEC6D1BBD1AC041F547E1D3FD5B997F3367B7D6032215EA359435D1CF38AE255C7EEB250374F97EF89EAFC40FE7A58E01F71C44EDB0BAC904753DF7F3F31C4F0B2AF697CF58CF970D17A4B0EE03413C1CD79F59EFEEABC17CAC1A47CA769112A63BB1D958D5A91B17264303C3E182B28048735A59E72334AE70351E36C262DD62008F02E46E8400B2E5B4DA25C9C44AC088FA6F6FE15F53E234BC84A549EFCC7ECC9085C60EE>>#][#FTPUSER<<601170B203830EC95932BA131A4D3448AFAB170EEA6D990FB48DE3564FCBD9004EFBEC84B29A895E730B71D5E0F0652C1BA3BFA48254D93070BDACF4DA81B6F41922566384A2B842B871A8F436140664A8D8550F80E9702BBD159B3ACC21F22748BF011D1EB0306991795986557E78469BBAFF6068A08314E28B163BAA9FF3AD5F4591C9053B95A88297A79DC11F61A577BF9E6DBEEA74FF214F424D75715C9821A86A3B3CB6CC545080788FFE6D24D4C0DC580806806AFF7FD8C044B588D240D41B70C607D2B97E7FE62F70915BA5287C4492C7455446693F5878B3AB1B39B57955C73EEA48BF7D123EEF123DDF89342D2B2F7DBDD8EF9226454B2E9E1CF3CE>>#][#FTPPASS<<601170B20B7708CF5DC41F07A52064D05B27312684CFF837FA4C42731C4CB03EDD7F9B157540197E3820DB27421178E08DB0417320AB1162A453E3BA557A5D13128CEFA951EC5293F24530A1B0F29FD52F470A79757C2D9FB87BBCB510C19FC649305CCD1836537469979FAB92951E63A63E8FEA68D6D261DADAD29972F5FB8C684028F72FF21DD47F682D378C4EB8BF562AD33B1B49049D2D44A9599DA9F5591250565B7975776A594F9E790232B21B22E01B9E742EC78817CB052AF8F2D0A2ABB1EB2C5B90E467DB9C3626DA5550EC70B56C0A57D69E14FA456B80E465D29816FB2A1FB8DAA600A9277A3175CC956622B9CA71E7564EF7BC05DE0E87133CB3>>#][#FTPDK<<5>>#][#FTPSENDAFTERDELETE<<1>>#][#AYARBITIS#]P(</pre><pre>*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp</pre><pre>RAT_FTP_CLASS</pre><pre>{7BF80981-BF32-101A-8BBB-00AA00300CAB}</pre><pre>{557CF401-1A04-11D3-9A73-0000F81EF32E}</pre><pre>{557CF406-1A04-11D3-9A73-0000F81EF32E}</pre><pre>{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}</pre><pre>127.0.0.1</pre><pre>PORT</pre><pre>WINDOWSFIREWALLKAPAT</pre><pre>FTPHOST</pre><pre>FTPUSER</pre><pre>FTPPASS</pre><pre>FTPDK</pre><pre>FTPSENDAFTERDELETE</pre><pre>GUpdate.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>\Userinit.exe,</pre><pre>ÞFAULTBROWSER%</pre><pre>\Userinit.exe,</pre><pre>[Webcam_Goruntusu]</pre><pre>notepad.exe</pre><pre>CALC.EXE</pre><pre>calc.exe</pre><pre>IEXPLORER.EXE</pre><pre>iexplorer.exe</pre><pre>NOTEPAD.EXE</pre><pre>[Ekran_Set_Keyboard]</pre><pre>[Online_Keylogger_Baslat]</pre><pre>[Online_Keylogger_Durdur]</pre><pre>[Offline_Keylogger_Loglarini_Gonder]</pre><pre>RegSvr.bat</pre><pre>del *.hy</pre><pre>Win32SysLogs.dat</pre><pre>dummy.html</pre><pre>winmgmts:\\.\root\SecurityCenter</pre><pre>2.6.0</pre><pre>WScript.Shell</pre><pre>HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz</pre><pre>SELECT * FROM Win32_OperatingSystem</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f</pre><pre>Webcam Penceresi Olusturuldu.!</pre><pre>cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "</pre><pre>:*:Enabled:Windows Messanger" /f</pre><pre>cmd.exe /c netsh firewall set opmode disable</pre><pre>[Webcam_Stream_Geldi]</pre><pre>[Webcam_Gonderme_Hata_Olustu]</pre><pre>Scripting.FileSystemObject</pre><pre>[Online_Keylogger_Verisi_Geldi]</pre><pre>[Offline_Keylogger_Dosyalari_Geldi]</pre><pre>[Keylogger_Logu_Geldi]</pre><pre>Keylogger Logu Gonderiliyor</pre><pre>[Keylogger_Logu_Transfer_Bitti]</pre><pre>Keylogger Logu Transfer Bitti</pre><pre>[Keylogger_Logu_Geldi_OKU]</pre><pre>[Keylogger_Logu_Transfer_Bitti_OKU]</pre><pre>%systemroot%</pre><pre>rundll32.exe shell32.dll,Control_RunDLL main.cpl,,0</pre><pre>windows</pre><pre>rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0</pre><pre>rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0</pre><pre>Shell.Application</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>Software\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>xWin32WB.exe</pre><pre>xWin32hr.txt</pre><pre>The operation was canceled.</pre><pre>modSocketSupport.RegisterSocket</pre><pre>modSocketSupport.ResolveHost</pre><pre>Address family not supported by protocol family.</pre><pre>Operation already in progress.</pre><pre>Operation now in progress.</pre><pre>Socket operation on nonsocket.</pre><pre>Operation not supported.</pre><pre>Protocol family not supported.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported.</pre><pre>Winsock.dll version out of range.</pre><pre>The version of Windows Sockets API support</pre><pre>Windows Sockets implementation.</pre><pre>The Windows Sockets version specified by the</pre><pre>application is not supported by this DLL.</pre><pre>modSocketSupport.InitWinsockService</pre><pre>.ResolveMessage</pre><pre>.WinsockMessage</pre><pre>clsSocket.RemoteHost</pre><pre>clsSocket.PostGetHostEvent</pre><pre>ShellPipe.Interrupt.ConsoleCtrlEvent</pre><pre>ShellPipe.ReadData.ReadFile</pre><pre>ShellPipe.ReadData.PeekNamedPipe</pre><pre>ReadData PeeknamedPipe error</pre><pre>ShellPipe.WriteData.WriteFile</pre><pre>Invalid thunk type passed</pre><pre>autorun.inf</pre><pre>Icon=%SystemRoot%\system32\SHELL32.dll,7</pre><pre>shell32.dll, 2</pre><pre>shell32.dll, 3</pre><pre>.fldr</pre><pre>shell32.dll, 0</pre><pre>\explorer.exe</pre><pre>@*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp</pre><pre>1.exe</pre><b>rundll32.exe_1184:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>msvcrt.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>IMAGEHLP.dll</pre><pre>rundll32.pdb</pre><pre>.....eZXnnnnnnnnnnnn3</pre><pre>....eDXnnnnnnnnnnnn3</pre><pre>...eDXnnnnnnnnnnnn,</pre><pre>.eDXnnnnnnnnnnnn,</pre><pre>%Xnnnnnnnnnnnnnnn1</pre><pre>O3$dS7"%U9</pre><pre>.manifest</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>RUNDLL.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>YThere is not enough memory to run the file %s.</pre><pre>Please close other windows and try again.</pre><pre>9The file %s or one of its components could not be opened.</pre><pre>0The file %s or one of its components cannot run.</pre><pre>MThe file %s or one of its components requires a different version of Windows.</pre><pre>UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"</pre><pre>Error in %s</pre><pre>Missing entry:%s</pre><pre>Error loading %s</pre><b>DW20.EXE_1852:</b><pre>.text</pre><pre>`.data</pre><pre>.cdata</pre><pre>.rsrc</pre><pre>watson.microsoft.com</pre><pre>.mdmp</pre><pre>%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S</pre><pre>/dw/stagetwo.asp</pre><pre>%s/%S/%S/%S/%S/%S/%S/%S/%S.htm</pre><pre>Failed to fill report params from generic params</pre><pre>Not offering reporting</pre><pre>%s Mode</pre><pre>Failed to get a reporting destination</pre><pre>Nothing to report from queue</pre><pre>No reports left to send. Removing queue triggers and bailing.</pre><pre>Failed to plug UI; LCID=%u</pre><pre>Ignoring %S due to unknown queue version</pre><pre>Reporting is disabled</pre><pre>SignOff queue reporting is disabled</pre><pre>Queued Reporting Mode called but still want to report to the queue</pre><pre>Bad queue type to report from</pre><pre>No reports for given queue mask - %u</pre><pre>Invalid queue mask - %u</pre><pre>Suspending: Force cancel to queued reporting</pre><pre>Suspending: Force cancel to network reporting</pre><pre>CreateWindowExA failed with %d.</pre><pre>Application Error Reporting %d</pre><pre>WatsonQueuedReportingInstanceVerification</pre><pre>riched20.dll</pre><pre>qMicrosoft\PCHealth\ErrorReporting\DW</pre><pre>msaccess.exe</pre><pre>http://watson.microsoft.com/dw/dcp.asp</pre><pre>http://watson.microsoft.com/dw/watsoninfo.asp</pre><pre>dwintl20.dll</pre><pre>Launching lightweight browser with URL</pre><pre>mshtml.dll</pre><pre>Not reporting</pre><pre>Reporting</pre><pre>DWBypassQueue</pre><pre>DWExplainerURL</pre><pre>DWNoSignOffQueueReporting</pre><pre>DWAlwaysReport</pre><pre>DWReporteeName</pre><pre>DWURLLaunch</pre><pre>DWNoExternalURL</pre><pre>DWStressReport</pre><pre>ole32.dll</pre><pre>imm32.dll</pre><pre>BTLog.dll</pre><pre>Microsoft\PCHealth\ErrorReporting\DW</pre><pre>HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger</pre><pre>http://</pre><pre>https://</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Debug</pre><pre>%s\%s</pre><pre>https</pre><pre>DwBTLog.log</pre><pre>Failed to get minidump for %S!</pre><pre>szAppName=%s</pre><pre>szAppVer=%d.%d.%d.%d</pre><pre>szAppStamp=x</pre><pre>szModName=%s</pre><pre>szModVer=%d.%d.%d.%d</pre><pre>szModStamp=x</pre><pre>fDebug=%s</pre><pre>offset=x</pre><pre>microsoft.com</pre><pre>.msn.com</pre><pre>.microsoft.com</pre><pre>d:d:d d-d-d</pre><pre>/dw/generictwo.asp</pre><pre>kernel32.dll</pre><pre>psapi.dll</pre><pre>mso.dll</pre><pre>MsoDWRecover%x</pre><pre>MsoDWHang%x</pre><pre>Launching browser with URL</pre><pre>shell32.dll</pre><pre>%d.%d.%d.%d</pre><pre>%d.%d.%d.%d.x.%d.%d</pre><pre>shfolder.dll</pre><pre>unknown.sig</pre><pre>%s dw20.exe %d.%d.%d.%d</pre><pre>RegKey=</pre><pre>ResponseURL=</pre><pre>URLLaunch=</pre><pre>NoExternalURL=</pre><pre>%s:(%s) XX</pre><pre>%s:(%s) X</pre><pre>%s:(%s)</pre><pre>%s:(%s) %s</pre><pre>registry.txt</pre><pre>wql.txt</pre><pre>Windows NT Version %d.%d Build: %d</pre><pre>Stage 1 server response: %s</pre><pre>Stage 2 server response: %s</pre><pre>Stage 4 server response: %s</pre><pre>StatusCode: %d</pre><pre>Opening server: %s</pre><pre>HttpOpen failed.</pre><pre>Opening %s Request:</pre><pre>HTTPS</pre><pre>HttpSend Failed.</pre><pre>HttpWrite Failed, GLE=%d.</pre><pre>HttpEndReq failed.</pre><pre>Count filename length greater than MAX_PATH, can't report.</pre><pre>Filesystem reporting: count file updated</pre><pre>FReportToQueue: GetLastError=%u</pre><pre>FReportToQueue: File Tree Root does not exist: %S</pre><pre>Failed to add heap file to cab: %S</pre><pre>memory.dmp</pre><pre>mdmpmem.hdmp</pre><pre>version.txt</pre><pre>Network reporting complete.</pre><pre>Network reporting failed.</pre><pre>Application Error Reporting Transfer %d</pre><pre>Filesystem reporting complete</pre><pre>Filesystem reporting: cab successfully written</pre><pre>Filesystem reporting: could not find/create directory for cab/count</pre><pre>Filesystem reporting: redirection failure, too many redirects</pre><pre>Filesystem reporting: redirection failure, no previous roots</pre><pre>Filesystem reporting: improper file tree root</pre><pre>Filesystem reporting cancelled</pre><pre>Filesystem reporting: file tree root is too long</pre><pre>Record: 0xxx</pre><pre>Address: 0xxx</pre><pre>Code: 0xx</pre><pre>Flags: 0xx</pre><pre>x:x</pre><pre>(%d.%d:%d.%d)</pre><pre>Checksum: 0xx</pre><pre>Time Stamp: 0xx</pre><pre>Image Base: 0xx</pre><pre>Image Size: 0xx</pre><pre>Module %d</pre><pre>Windows NT %d.%d Build: %d</pre><pre>CPU AMD Feature Code: X</pre><pre>CPU Version: X CPU Feature Code: X</pre><pre>CPU Vendor Code: X - X - X</pre><pre>0xx:</pre><pre>0xx: x x x x</pre><pre>EFlags: 0xx ESP: 0xx SegSs: 0xx</pre><pre>EIP: 0xx EBP: 0xx SegCs: 0xx</pre><pre>EBX: 0xx ECX: 0xx EDX: 0xx</pre><pre>EDI: 0xx ESI: 0xx EAX: 0xx</pre><pre>Thread ID: 0xx</pre><pre>Thread %d</pre><pre>Memory Range %d</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW</pre><pre>OkToReportFromTheseQueues</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>Failed to obtain queue mutex. GetLastError=%u</pre><pre>FGetQueueMutex: WaitForSingleObject returned %u</pre><pre>Failed to open or create queue mutex. GetLastError=%u</pre><pre>Failed queued reporting pester check</pre><pre>Failed to create run reg key</pre><pre>Persistent run key is set.</pre><pre>CoInitializeEx() returned 0x%x.</pre><pre>Reporting to Admin Queue</pre><pre>Reporting to Regular Queue</pre><pre>Reporting to SignOff Queue</pre><pre>Reporting to Headless Queue</pre><pre>Reporting from Regular Queue</pre><pre>Reporting from SignOff Queue</pre><pre>Reporting from Headless Queue</pre><pre>OOM Failed to alloc QueuedReportData</pre><pre>FAllocSD: GetLastError=%u</pre><pre>%s%s%s</pre><pre>FEnsureQueueDirW: GetLastError=%u</pre><pre>Failed to write snt. GLE: %u</pre><pre>Failed to create snt. GLE: %u</pre><pre>Failed to set info; bad queue type: %u</pre><pre>Failed to open reg key for queue</pre><pre>Failed to get windows folder path for queue: %u</pre><pre>Failed to move instr file from queue A to queue B - %u</pre><pre>Failed to move cab file from queue A to queue B - %u</pre><pre>Did not move any reports from admin q to user q</pre><pre>Did not move any reports from user q to headless q</pre><pre>Queue types that have reports: %u</pre><pre>Setting triggerAtConnectionMade to: %u</pre><pre>Setting triggerAtLogon to: %u</pre><pre>Setting the queue trigger based upon: %u</pre><pre>SUCCESS adding report to queue</pre><pre>Launched (%S)</pre><pre>Failed to store the SensSubscription. hr: %d</pre><pre>failed to allocate PROGID string: %S</pre><pre>Failed putting SubscriberInterface. hr: %d</pre><pre>Failed putting PerUser. hr: %d</pre><pre>Failed putting Enabled. hr: %d</pre><pre>Failed putting MachineName. hr: %d</pre><pre>Failed putting OwnerSID. hr: %d</pre><pre>Failed putting Description. hr: %d</pre><pre>Failed putting InterfaceID. hr: %d</pre><pre>Failed putting EventClassID. hr: %d</pre><pre>Failed putting MethodName. hr: %d</pre><pre>Failed putting SubscriptionName. hr: %d</pre><pre>Failed putting PublisherID. hr: %d</pre><pre>Failed putting SubscriberCLSID. hr: %d</pre><pre>Failed putting SubscriptionID. hr: %d</pre><pre>Failed CoCreateInstance on EventSubscription. hr: %d</pre><pre>Failed to remove the SensSubscription. hr: %d</pre><pre>failed to allocate query string: %S</pre><pre>Failed CoCreateInstance on EventSystem. hr: %d</pre><pre>SENS: StringFromIID() returned <%x></pre><pre>DWSHARED: SysAllocString(%s) failed!</pre><pre>Failed to subscribe subscription %u. hr: %d</pre><pre>Failed to get data for subscription %u. hr: %d</pre><pre>Failed to query install reg key</pre><pre>Failed to open install reg key</pre><pre>Software\Microsoft\PCHealth\ErrorReporting\DW\Installed</pre><pre>HKEY_USERS\</pre><pre>HKEY_CURRENT_CONFIG\</pre><pre>HKEY_CLASSES_ROOT\</pre><pre>HKEY_LOCAL_MACHINE\</pre><pre>HKEY_CURRENT_USER\</pre><pre>initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d</pre><pre>creating CDwAccessible: hwnd %x, idc %d</pre><pre>WriteAtOffset.Write(0x%x) failed, 0xx</pre><pre>WriteAtOffset.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>WriteStringToPool.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx</pre><pre>WriteFunctionTableList.Seek(0x%x) failed, 0xx</pre><pre>WriteDirectoryEntry.Write(0x%x) failed, 0xx</pre><pre>Thread(0x%x) callback returned FALSE</pre><pre>WriteSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteSystemInfo.GetCpuInfo failed, 0xx</pre><pre>CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx</pre><pre>WriteHeader.GetCurrentTimeDate failed, 0xx</pre><pre>WriteDirectoryTable.Seek(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.Write(0x%x) failed, 0xx</pre><pre>WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)</pre><pre>WriteFullMemory.Memory.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx</pre><pre>WriteFullMemory.Desc.Write(0x%x) failed, 0xx</pre><pre>WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx</pre><pre>Kernel minidump write failed, 0xx</pre><pre>MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>Invalid exception record parameter count (0x%x)</pre><pre>Invalid exception record size (0x%x)</pre><pre>Invalid CPU type (0x%x)</pre><pre>Invalid function table size (0x%x)</pre><pre>GetSystemType.GetOsInfo failed, 0xx</pre><pre>GetSystemType.GetCpuType failed, 0xx</pre><pre>Write.Start failed, 0xx</pre><pre>Dump type requires streaming but output provider does not support streaming</pre><pre>Invalid dump type 0x%x</pre><pre>dbghelp.dll</pre><pre>Alloc(0x%x) failed</pre><pre>Thread(0x%x) will not be included</pre><pre>GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetImageSections.GenImageNtHeader(0x%I64x) failed</pre><pre>GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx</pre><pre>0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.GetContext(0x%x) failed, 0xx</pre><pre>GenAllocateThreadObject.Open(0x%x) failed, 0xx</pre><pre>GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx</pre><pre>GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x</pre><pre>GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx</pre><pre>GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx</pre><pre>GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGenTebMemory.TLS(0x%I64x) failed, 0xx</pre><pre>GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx</pre><pre>0GenGetAuxMemory(%ws) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumUnloadedModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumFunctionTables(0x%x) looped</pre><pre>GenGetProcessInfo.EnumModules(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumModules(0x%x) looped</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx</pre><pre>GenGetProcessInfo.EnumThreads(0x%x) looped</pre><pre>GenGetProcessInfo.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Desc.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Header.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Start(0x%x) failed, 0xx</pre><pre>GenWriteHandleData.Seek(0x%x) failed, 0xx</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls</pre><pre>version.dll</pre><pre>ntdll.dll</pre><pre>%$%,%4%<%</pre><pre>S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%</pre><pre>b%c%d%e%f%g%h%i%j%k%l%</pre><pre>!"#$%&'()* ,-./0123456789:;<=</pre><pre>!!!!2222</pre><pre>%%%f||||</pre><pre>!!!!2222||||</pre><pre>!"#$%&'(</pre><pre>'()* ,-./0</pre><pre>&'()* ,-./</pre><pre>&'()* ,-./012345</pre><pre>3456789</pre><pre>.ASex</pre><pre>!"#$%&'()* ,-./012</pre><pre>!"#$%&'()</pre><pre>?msodatad.dat</pre><pre>msodatalast.dat</pre><pre>Unicows.dll</pre><pre>Kernel32.dll</pre><pre>SHLWAPI.DLL</pre><pre>GDI32.DLL</pre><pre>wintrust.dll</pre><pre>1108160</pre><pre>0u.hN</pre><pre>0SSh </pre><pre>t.WWWj</pre><pre>PSSh07</pre><pre>t5SSh(</pre><pre>PSSSSSSh</pre><pre>0SSSSh</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>KERNEL32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>MSVCRT.dll</pre><pre>RPCRT4.dll</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>urlmon.dll</pre><pre>USER32.dll</pre><pre>VERSION.dll</pre><pre>WININET.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyExA</pre><pre>ReportEventA</pre><pre>ReportEventW</pre><pre>RegEnumKeyExA</pre><pre>RegQueryInfoKeyA</pre><pre>RegQueryInfoKeyW</pre><pre>GetProcessHeap</pre><pre>GetSystemWindowsDirectoryW</pre><pre>_amsg_exit</pre><pre>_acmdln</pre><pre>ShellExecuteExA</pre><pre>UrlGetPartA</pre><pre>CreateURLMoniker</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>HttpQueryInfoA</pre><pre>HttpSendRequestExA</pre><pre>HttpOpenRequestA</pre><pre>InternetCanonicalizeUrlA</pre><pre>InternetCrackUrlA</pre><pre>HttpEndRequestA</pre><pre>dw20.pdb</pre><pre>\devsplab1\otools\BBT_TEMP\DW20O.pdb</pre><pre>winword.exe</pre><pre>wwordlt.exe</pre><pre>excel.exe</pre><pre>excellt.exe</pre><pre>mspub.exe</pre><pre>frontpg.exe</pre><pre>outlook.exe</pre><pre>powerpnt.exe</pre><pre>powpntlt.exe</pre><pre>onenote.exe</pre><pre>infopath.exe</pre><pre>winproj.exe</pre><pre>ois.exe</pre><pre>visio.exe</pre><pre>`!`'`)` `</pre><pre>e%f-f|3 f'f/f</pre><pre>]!^"^#^ ^$^</pre><pre>t.uGuHu</pre><pre>x4x7x%x-x x</pre><pre>h&h(h.hMh:h%h h,k/k-k1k4kmk</pre><pre>k%lzmcmdmvm</pre><pre>^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP</pre><pre>]8^6^3^7^</pre><pre>ichczc]eVeQeYeWe_UOeXeUeTe</pre><pre>{1{ {-{/{2{8{</pre><pre>r6s%s4s)s:t*t3t"t%t5t6t4t/t</pre><pre>t&t(t%u&ukuju</pre><pre>WHX%X</pre><pre>`IaJa aEa6a2a.aFa/aOa)a@a bh</pre><pre>d@d%d'd</pre><pre>duewexei</pre><pre>kCpDpJpHpIpEpFp</pre><pre>S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S</pre><pre>U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU</pre><pre>c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c</pre><pre>m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm</pre><pre>nRsSsh</pre><pre>evg%f</pre><pre>m.tRa</pre><pre>gtr%x</pre><pre>Q%SKg</pre><pre>f.ebp>QI</pre><pre>y.yxT</pre><pre>fn:q%uN</pre><pre>aw.Toiz</pre><pre>RMeXe</pre><pre>S#S$S%S;ScSdSrSsStSuS</pre><pre>`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`</pre><pre>^ ^!^"^#^$^%^&^'^.^}^</pre><pre>c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe</pre><pre>f f!f"f#f$f%f&f'f(f)f*f f,f-f</pre><pre>m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm</m></pre><pre>u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu</pre><pre>U U!U"U#U$U%U&U'U(U4UJU</pre><pre>](^)^*^ ^,^-^/^0^1^</pre><pre>m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m</pre><pre>x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x>x?x@xAxXy_yaycydyeygyiyjykylynyoy</x></pre><pre>} }!}"}#}$}%}&}'}</pre><pre>] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]</pre><pre>]2^3^4^5^6^7^8^9^:^;^<^>^</pre><pre>cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe</pre><pre>X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX</X></pre><pre>d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele</pre><pre>s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs</pre><pre>u$u%u&u/ujukulumunuouqurusutu</pre><pre>duewexeyeze{e</pre><pre>~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0</pre><pre>| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|</pre><pre>{3~3}3|3</pre><pre>eZl%u</pre><pre>Q.YeY</pre><pre>R:\Sg|p5rL</pre><pre>e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei</pre><pre>s4s/s)s%s>sNsOs</pre><pre>s&t*t)t.tbt</pre><pre>2%2.bx</pre><pre>{ | }9},</pre><pre>d6exe9j</pre><pre>]%sOu4](n</pre><pre>m.t.zB}</pre><pre>w%xIyWy</pre><pre>^vcÓv</pre><pre>%f?iCt</pre><pre>U>_.lE</pre><pre>f.ebp</pre><pre>.nrR=</pre><pre>{fn:q%uN</pre><pre>25.exe</pre><pre>name="Microsoft.Windows.ErrorReporter"</pre><pre>version="5.1.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df" /></pre><pre><description>Windows Error Reporting</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>1%s\%s\%s\%s\%s\%s\%s\%s</pre><pre>AppName: %s AppVer: %s AppStamp:%s</pre><pre>ModName: %s ModVer: %s ModStamp:%s</pre><pre>fDebug: %s Offset: %s</pre><pre>Main_AlwaysReportBtn=</pre><pre>Main_NoReportBtn=</pre><pre>Main_ReportBtn=</pre><pre>General_Reportee=</pre><pre>CheckBoxRegKey=</pre><pre>ReportingFlags=</pre><pre>Stage1URL=</pre><pre>Stage2URL=</pre><pre>%General_Reportee%</pre><pre>%u %s</pre><pre>%u.%u %s</pre><pre>%s %s %s %s in %s %s %s fDebug %s at offset %s</pre><pre>Bucket: d</pre><pre>BucketTable %d</pre><pre>%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s</pre><pre>\dw.log</pre><pre>policy.txt</pre><pre>crash.log</pre><pre>status.txt</pre><pre>hits.log</pre><pre>count.txt</pre><pre>%s\%s\%s</pre><pre>%s\%s\%s\%s</pre><pre>eDWQueuedReporting</pre><pre>DWPersistentQueuedReporting</pre><pre>"%s\%s" -%c</pre><pre>dwtrig20.exe</pre><pre>ReportSize=</pre><pre>\*.cab</pre><pre>dwq.snt</pre><pre>"%s" -%c %u</pre><pre>SEventSystem.EventSubscription</pre><pre>SubscriptionID=%s</pre><pre>#$%&%&'(</pre><pre>Comctl32.dll</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\8267C.dmp</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp</pre><pre>.NET Runtime 2.0 Error Reporting</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log</pre><pre>Microsoft Application Error Reporting</pre><pre>11.0.8160</pre><pre>Windows</pre><pre>DW20.Exe</pre><b>svchost.exe_1480:</b><pre>.text</pre><pre>`.data</pre><pre>.idata</pre><pre>.rsrc</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExA</pre><pre>GetWindowsDirectoryA</pre><pre>ADVAPI32.DLL</pre><pre>KERNEL32.dll</pre><pre>msvcrt.dll</pre><pre>5.1.0.0</pre><pre>svchost.exe</pre><pre>Windows</pre><pre>Operating System</pre></t%x>