Virus.Win32.Cabres.a (Kaspersky), MemScan:Trojan.Generic.7421167 (B) (Emsisoft), MemScan:Trojan.Generic.7421167 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bd589e4994c9de573fcc44529bc9929e
SHA1: e5dfbed6a99e691438da2d9ed7236657f47b5904
SHA256: a27dad20a29b127b8fa3fb87516b6f2649aed202e8ed4f09fa1cc6468d28376e
SSDeep: 24576:uOZTeV6ao 6X9wYLkxI69xxNsKJ3duGbUFTfb3uEQvtcsWPvQ5G:RZiEaN6tw7xI69xxNsKpkGbUFbbkVcsK
Size: 1158656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-08-04 09:01:37
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1624
taskkill.exe:1092
statcvs.exe:1744
statcvs.exe:236
statcvs.exe:1200
statcvs.exe:532
NvTaskbarInh.exe:1644
NvTaskbarInh.exe:868
l1rezerv.exe:1688
wuauclt.exe:540
7252550.exe:652
rundll32.exe:1804
foxit.exe:204
The Backdoor injects its code into the following process(es):
IEXPLORE.EXE:1964
rundll32.exe:1976
Explorer.EXE:1912
File activity
The process %original file name%.exe:1624 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (17261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (4984 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)
The process statcvs.exe:236 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\statcvs.exe (2321 bytes)
The process NvTaskbarInh.exe:868 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\statcvs.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\NvTaskbarInh.exe (7385 bytes)
%System%\foxit.exe (2392 bytes)
The Backdoor deletes the following file(s):
%System%\NvTaskbarInh.exe (0 bytes)
The process wuauclt.exe:540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process 7252550.exe:652 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\l1rezerv.exe (1281 bytes)
The process foxit.exe:204 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\morgr32.dll (79 bytes)
Registry activity
The process %original file name%.exe:1624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 08 B1 28 2A 13 A4 6E 15 B1 C8 E4 29 FB 92 2E"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process taskkill.exe:1092 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 63 CD 12 96 D5 74 B4 FC 70 BD EE 41 D9 1C 90"
The process statcvs.exe:1744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 20 CA EF 07 11 1C 67 27 FC 50 FF 2D FE BD 80"
The process statcvs.exe:236 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BF B5 6E A1 60 61 CB 63 A5 AA D3 81 2A A2 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"statcvs.exe" = "statcvs"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all local hosts (names without dots that are not assigned to any zone) to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all hosts that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process statcvs.exe:1200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 5A 94 E7 02 D0 8A 97 EC CE 0B 90 FE 0B 26 6E"
The process statcvs.exe:532 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 7A 66 E8 5F DE 38 F6 0D 0D A3 20 30 70 E7 D9"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}]
"StubPath" = "%WinDir%\statcvs.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
The process IEXPLORE.EXE:1964 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 A2 A2 1A 34 07 1E FE B9 74 3B 8F 3B 8D E3 64"
The process NvTaskbarInh.exe:1644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 9B CC 91 2E 14 1E 22 84 7C 44 85 DD B8 82 88"
The process NvTaskbarInh.exe:868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"nvidia05" = "04"
"nvidia06" = "26"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 9B EE 42 B2 D2 A7 47 4A DD 99 36 1C 6C D9 AB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Nvidia Control Center3" = "%System%\NvTaskbarInh.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"NvTaskbarInh.exe" = "%System%\NvTaskbarInh.exe:*:Enabled:Explorer"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"
"AVG8_TRAY"
"MskAgentexe"
"BDAgent"
"RavTask"
"avast!"
"sbamui"
"Windows Defender"
"K7TSStart"
"ISTray"
"CAVRID"
"SBAMTray"
"Spam Blocker for Outlook Express"
"SCANINICIO"
"AVP"
"F-PROT Antivirus Tray application"
"cctray"
"K7SystemTray"
"SpIDerMail"
"APVXDWIN"
"DrWebScheduler"
"egui"
"SpamBlocker"
"McENUI"
The process l1rezerv.exe:1688 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 47 F8 63 30 52 1A B7 7A 21 93 61 E4 DB D5 36"
The process 7252550.exe:652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 8B 2D 16 B1 FD D1 4D E1 39 A3 1F 05 E0 AE AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"l1rezerv.exe" = "l1rezerv"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
The Backdoor modifies IE security zone settings to map all hosts that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE security zone settings to map all local hosts (names without dots that are not assigned to any zone) to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"l1rezerv.exe" = "%WinDir%\l1rezerv.exe"
The process rundll32.exe:1976 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 4F E3 06 9D A4 4E 40 14 F1 CA E5 C8 03 F2 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "168"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\morgr32.dll,Startup"
The process rundll32.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 69 65 2F 40 52 20 17 A5 F3 19 C6 01 7E 35 A0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process foxit.exe:204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 AD 00 37 3A 5F 77 2E 48 01 7B 4D 9D 44 88 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "43 01 46 03 32 05 45 07 38 09 4F 0B 4D 0D 39 0F"
Dropped PE files
MD5 | File path |
---|---|
5988f5eea2e0f6275a0f4232b4386bf9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe |
08fc8ce6c01ca575a62ac3b7faf1e750 | c:\WINDOWS\l1rezerv.exe |
3cd79b8e7d198f5fcff729911a0c0b42 | c:\WINDOWS\morgr32.dll |
5988f5eea2e0f6275a0f4232b4386bf9 | c:\WINDOWS\system32\NvTaskbarInh.exe |
ff68d7e9435a7195144c09dc1d6c3fc0 | c:\WINDOWS\system32\foxit.exe |
eaf07a44a7dcab1d1614e82518d93b67 | c:\WINDOWS\system32\statcvs.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1624
taskkill.exe:1092
statcvs.exe:1744
statcvs.exe:236
statcvs.exe:1200
statcvs.exe:532
NvTaskbarInh.exe:1644
NvTaskbarInh.exe:868
l1rezerv.exe:1688
wuauclt.exe:540
7252550.exe:652
rundll32.exe:1804
foxit.exe:204
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (17261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (4984 bytes)
%WinDir%\statcvs.exe (2321 bytes)
%System%\statcvs.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\NvTaskbarInh.exe (7385 bytes)
%System%\foxit.exe (2392 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%WinDir%\l1rezerv.exe (1281 bytes)
%WinDir%\morgr32.dll (79 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Nvidia Control Center3" = "%System%\NvTaskbarInh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"l1rezerv.exe" = "%WinDir%\l1rezerv.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\morgr32.dll,Startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39212 | 39424 | 4.55052 | 17a6fbe18a834b6f3462304415675d36 |
.data | 45056 | 7140 | 1024 | 2.94449 | 99858e86526942a66950c7139f78a725 |
.rsrc | 53248 | 1118208 | 1117184 | 5.53603 | 64fbdfd9e0074f2a5d4700adf97b1435 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.whatismyip.com/automation/n09230945.asp | 141.101.120.15 |
hxxp://whatismyip.com/automation/n09230945.asp | |
ya.ru | 213.180.204.3 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /automation/n09230945.asp HTTP/1.1
Host: whatismyip.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Ubuntu/9.10 (karmic) Firefox/3.5.8
HTTP/1.1 404 Not Found
Server: cloudflare-nginx
Date: Fri, 25 Apr 2014 22:51:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d96283314d40791fbdc43b66473c9ed531398466308234; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 120e1b7a770201b0-FRA
Strings from Dumps
rundll32.exe_1976:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_1976_rwx_00A80000_00010000:
hcc.dholea
rundll32.exe_1976_rwx_10000000_00001000:
.text
`.data
.reloc
IEXPLORE.EXE_1964:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
kernel32.dll
IEXPLORE.EXE_1964_rwx_02770000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_027B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_027F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02830000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02870000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_028B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_028F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02930000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02970000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_029B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_029E0000_00001000:
PeekNamedPipe
PeekNamedPipe
IEXPLORE.EXE_1964_rwx_029F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02A30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02A70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02AB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02AF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02B30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02B70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02BB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02BF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02C30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02C70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02CB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02CF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02D30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02D70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02DA0000_00001000:
GetWindowsDirectoryA
GetWindowsDirectoryA
IEXPLORE.EXE_1964_rwx_02DB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02DF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02E30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02E70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02EB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02EF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02F30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02F70000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02FB0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_02FE0000_00001000:
GetProcessHeap
GetProcessHeap
IEXPLORE.EXE_1964_rwx_02FF0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03030000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03070000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_030B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_030F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03130000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03170000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_031B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_031F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03230000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03270000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_032B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_032F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03330000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03370000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_033B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_033F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03430000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03470000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_034B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_034F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03530000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03570000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_035B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_035F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03630000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03670000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_036B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_036F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03730000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03770000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_037B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_037F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03830000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03870000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_038B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_038E0000_00001000:
CreatePipe
CreatePipe
IEXPLORE.EXE_1964_rwx_038F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03930000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03970000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_039B0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_039F0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03A30000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_03A60000_00001000:
version.dll
version.dll
IEXPLORE.EXE_1964_rwx_03BA0000_00001000:
version.dll
version.dll
IEXPLORE.EXE_1964_rwx_03BE0000_00001000:
version.dll
version.dll
IEXPLORE.EXE_1964_rwx_03C20000_00001000:
version.dll
version.dll
IEXPLORE.EXE_1964_rwx_03C50000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03D90000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03DD0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E10000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E50000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E90000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03ED0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F10000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F50000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F90000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_03FD0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04010000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04050000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04090000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_040D0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04110000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04150000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04190000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_041D0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04210000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04250000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04290000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_042D0000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04310000_00001000:
gdi32.dll
gdi32.dll
IEXPLORE.EXE_1964_rwx_04340000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04480000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_044C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04500000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04530000_00001000:
keybd_event
keybd_event
IEXPLORE.EXE_1964_rwx_04540000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04570000_00001000:
VkKeyScanA
VkKeyScanA
IEXPLORE.EXE_1964_rwx_04580000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_045C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04600000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04640000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04680000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_046C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04700000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04740000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04780000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_047B0000_00001000:
SetKeyboardState
SetKeyboardState
IEXPLORE.EXE_1964_rwx_047C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04800000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04840000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04880000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_048C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04900000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04940000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04980000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_049C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04A00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04A40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04A80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04AB0000_00001000:
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IEXPLORE.EXE_1964_rwx_04AC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04B00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04B30000_00001000:
MapVirtualKeyA
MapVirtualKeyA
IEXPLORE.EXE_1964_rwx_04B40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04B80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04BC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04C00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04C40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04C80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04CC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04D00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04D40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04D80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04DC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04E00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04E40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04E80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04EB0000_00001000:
GetKeyboardState
GetKeyboardState
IEXPLORE.EXE_1964_rwx_04EC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04EF0000_00001000:
GetKeyState
GetKeyState
IEXPLORE.EXE_1964_rwx_04F00000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04F40000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04F80000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_04FC0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05000000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05040000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05080000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_050C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_050F0000_00001000:
ExitWindowsEx
ExitWindowsEx
IEXPLORE.EXE_1964_rwx_05100000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05130000_00001000:
EnumWindows
EnumWindows
IEXPLORE.EXE_1964_rwx_05140000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05180000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_051C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_051F0000_00001000:
EnumChildWindows
EnumChildWindows
IEXPLORE.EXE_1964_rwx_05200000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05240000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05280000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_052C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05300000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05340000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05380000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_053C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05400000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05440000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_05480000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_054C0000_00001000:
user32.dll
user32.dll
IEXPLORE.EXE_1964_rwx_054F0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05630000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05670000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_056B0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_056F0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05730000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05770000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_057B0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_057F0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05830000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05870000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_058B0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_058F0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05930000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05970000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_059B0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_059F0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05A30000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05A70000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05AB0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05AF0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05B30000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05B70000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05BB0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05BF0000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05C30000_00001000:
wsock32.dll
wsock32.dll
IEXPLORE.EXE_1964_rwx_05C60000_00001000:
shell32.dll
shell32.dll
IEXPLORE.EXE_1964_rwx_05D90000_00001000:
ShellExecuteA
ShellExecuteA
IEXPLORE.EXE_1964_rwx_05DA0000_00001000:
shell32.dll
shell32.dll
IEXPLORE.EXE_1964_rwx_05DE0000_00001000:
shell32.dll
shell32.dll
IEXPLORE.EXE_1964_rwx_05E10000_00001000:
SHFileOperationA
SHFileOperationA
IEXPLORE.EXE_1964_rwx_05E20000_00001000:
shell32.dll
shell32.dll
IEXPLORE.EXE_1964_rwx_05E60000_00001000:
shell32.dll
shell32.dll
IEXPLORE.EXE_1964_rwx_05E90000_00001000:
ntdll.dll
ntdll.dll
IEXPLORE.EXE_1964_rwx_05EE0000_00001000:
ntdll.dll
ntdll.dll
IEXPLORE.EXE_1964_rwx_05F10000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_05F50000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_061A0000_00001000:
kernel32.dll
kernel32.dll
IEXPLORE.EXE_1964_rwx_061D0000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06310000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06350000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06380000_00001000:
InternetOpenUrlA
InternetOpenUrlA
IEXPLORE.EXE_1964_rwx_06390000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_063D0000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06410000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06450000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06480000_00001000:
HttpQueryInfoA
HttpQueryInfoA
IEXPLORE.EXE_1964_rwx_06490000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_064C0000_00001000:
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
IEXPLORE.EXE_1964_rwx_064D0000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06500000_00001000:
FtpPutFileA
FtpPutFileA
IEXPLORE.EXE_1964_rwx_06510000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06540000_00001000:
FtpOpenFileA
FtpOpenFileA
IEXPLORE.EXE_1964_rwx_06550000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06580000_00001000:
FtpFindFirstFileA
FtpFindFirstFileA
IEXPLORE.EXE_1964_rwx_06590000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_065C0000_00001000:
FindCloseUrlCache
FindCloseUrlCache
IEXPLORE.EXE_1964_rwx_065D0000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06600000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06630000_00001000:
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
IEXPLORE.EXE_1964_rwx_06640000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_06670000_00001000:
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
IEXPLORE.EXE_1964_rwx_06680000_00001000:
wininet.dll
wininet.dll
IEXPLORE.EXE_1964_rwx_066B0000_00001000:
crypt32.dll
crypt32.dll
IEXPLORE.EXE_1964_rwx_06900000_00001000:
crypt32.dll
crypt32.dll
IEXPLORE.EXE_1964_rwx_06930000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06A70000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06AB0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06AF0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06B30000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06B70000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06BB0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06BF0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_06C20000_00001000:
URLMON.DLL
URLMON.DLL
IEXPLORE.EXE_1964_rwx_06D50000_00001000:
URLDownloadToFileA
URLDownloadToFileA
IEXPLORE.EXE_1964_rwx_06D60000_00001000:
URLMON.DLL
URLMON.DLL
IEXPLORE.EXE_1964_rwx_06E40000_00001000:
AVICAP32.DLL
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06E80000_00001000:
AVICAP32.DLL
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06ED0000_00001000:
AVICAP32.DLL
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06F00000_00001000:
secur32.dll
secur32.dll
IEXPLORE.EXE_1964_rwx_07250000_00001000:
secur32.dll
secur32.dll
IEXPLORE.EXE_1964_rwx_07290000_00001000:
secur32.dll
secur32.dll
IEXPLORE.EXE_1964_rwx_072D0000_00001000:
secur32.dll
secur32.dll
IEXPLORE.EXE_1964_rwx_07300000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07440000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07470000_00001000:
netapi32.dll
netapi32.dll
IEXPLORE.EXE_1964_rwx_075B0000_00001000:
netapi32.dll
netapi32.dll
IEXPLORE.EXE_1964_rwx_075F0000_00001000:
netapi32.dll
netapi32.dll
IEXPLORE.EXE_1964_rwx_07620000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07760000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_077A0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_077E0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07820000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07860000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_078A0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_078E0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07920000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07960000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_079A0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_079E0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07A10000_00001000:
iphlpapi.dll
iphlpapi.dll
IEXPLORE.EXE_1964_rwx_07B50000_00001000:
iphlpapi.dll
iphlpapi.dll
IEXPLORE.EXE_1964_rwx_07B80000_00001000:
ntdll.dll
ntdll.dll
IEXPLORE.EXE_1964_rwx_07BC0000_00001000:
ntdll.dll
ntdll.dll
IEXPLORE.EXE_1964_rwx_07C00000_00001000:
ntdll.dll
ntdll.dll
IEXPLORE.EXE_1964_rwx_07C30000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07C70000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07EC0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F00000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F40000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F70000_00001000:
RegEnumKeyExA
RegEnumKeyExA
IEXPLORE.EXE_1964_rwx_07F80000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07FB0000_00001000:
RegCreateKeyExA
RegCreateKeyExA
IEXPLORE.EXE_1964_rwx_07FC0000_00001000:
advapi32.dll
advapi32.dll
IEXPLORE.EXE_1964_rwx_07FF0000_00001000:
RegOpenKeyExA
RegOpenKeyExA
IEXPLORE.EXE_1964_rwx_08000000_00001000:
advapi32.dll
advapi32.dll
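What a reviewer wants from the region listing above is not the raw dump but two derived facts: which Win32 exports the code injected into IEXPLORE.EXE resolved at runtime (each one-page rwx region holds exactly one module or export name, and the report prints every string twice), and what those exports let the backdoor do. The Python below is an added example written for this page; it is not code from the sandbox, from Lavasoft, or from the malware. The header format it parses is the one the listing uses. The export-to-behaviour and string-to-behaviour tables are the editor's own assumptions, and the excerpt it runs on is a constructed subset of the lines on this page, kept in the report's doubled form.

```python
"""Triage a per-region memory-string listing like the one above.

Added example, not code from the sandbox report. Assumed input: a header
"<image>_<pid>_<prot>_<base>_<size>:" followed by that region's strings, each
printed twice (as the report does). The behaviour tables are the editor's own.
"""
import re
from collections import defaultdict, namedtuple

HEADER = re.compile(r"^(?P<image>\S+?)_(?P<pid>\d+)_(?P<prot>[rwx-]{3})_"
                    r"(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):$")
IDENT = re.compile(r"[A-Za-z_]\w*")
Region = namedtuple("Region", "image pid prot base size strings")

# Resolved export name -> behaviour it enables (editor's mapping).
EXPORTS = {
    "GetKeyboardState": "keylogging", "GetKeyState": "keylogging",
    "GetAsyncKeyState": "keylogging", "VkKeyScanA": "keylogging",
    "keybd_event": "input injection", "SetKeyboardState": "input injection",
    "CreatePipe": "remote shell", "PeekNamedPipe": "remote shell",
    "WinExec": "process execution", "ShellExecuteA": "process execution",
    "URLDownloadToFileA": "downloader", "InternetOpenUrlA": "downloader",
    "FtpPutFileA": "ftp exfiltration", "FtpOpenFileA": "ftp exfiltration",
    "RegCreateKeyExA": "registry write", "RegDeleteKeyA": "registry write",
    "RegOpenKeyExA": "registry read", "RegEnumKeyExA": "registry read",
    "EnumWindows": "window enumeration", "ExitWindowsEx": "forced logoff/reboot",
}
# Plain-string patterns -> behaviour, for strings that are not export names.
STRINGS = [
    (re.compile(r"CurrentVersion\\(Policies\\Explorer\\)?Run\\?$", re.I), "run-key persistence"),
    (re.compile(r"\\Winlogon$|^userinit\.exe,$", re.I), "winlogon persistence"),
    (re.compile(r"^127\.0\.0\.1 localhost #"), "hosts-file tampering"),
    (re.compile(r"^autorun\.inf$", re.I), "removable-drive spreading"),
    (re.compile(r"signons\d?\.txt$|accounts\.xml$|cookies\.sqlite$", re.I), "credential theft"),
]

def parse_regions(text):
    """Split the listing into regions, collapsing the doubled string lines."""
    regions = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            regions.append(Region(m["image"], int(m["pid"]), m["prot"],
                                  int(m["base"], 16), int(m["size"], 16), []))
        elif line and regions and regions[-1].strings[-1:] != [line]:
            regions[-1].strings.append(line)
    return regions

def triage(regions):
    """Modules resolved, behaviours implied, and count of one-page rwx regions
    (the footprint of runtime import resolution by injected code)."""
    modules, unclassified, behaviours = set(), set(), defaultdict(set)
    one_page_rwx = 0
    for r in regions:
        one_page_rwx += int(r.prot == "rwx" and r.size == 0x1000)
        for s in r.strings:
            if s.lower().endswith(".dll"):
                modules.add(s.lower())
            elif s in EXPORTS:
                behaviours[EXPORTS[s]].add(s)
            elif (tag := next((t for p, t in STRINGS if p.search(s)), None)):
                behaviours[tag].add(s)
            elif IDENT.fullmatch(s):
                unclassified.add(s)
    return {"modules": sorted(modules),
            "behaviours": {k: sorted(v) for k, v in sorted(behaviours.items())},
            "unclassified": sorted(unclassified),
            "one_page_rwx_regions": one_page_rwx}

# Constructed excerpt of the listing above, kept in the report's doubled form.
SAMPLE = r"""
IEXPLORE.EXE_1964_rwx_01FB0000_00001000:
RegCreateKeyExA
RegCreateKeyExA
IEXPLORE.EXE_1964_rwx_029E0000_00001000:
PeekNamedPipe
PeekNamedPipe
IEXPLORE.EXE_1964_rwx_02FE0000_00001000:
GetProcessHeap
GetProcessHeap
IEXPLORE.EXE_1964_rwx_04EB0000_00001000:
GetKeyboardState
GetKeyboardState
IEXPLORE.EXE_1964_rwx_06E40000_00001000:
AVICAP32.DLL
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_10410000_00045000:
127.0.0.1 localhost #Redirects^To^Local^IP
127.0.0.1 localhost #Redirects^To^Local^IP
userinit.exe,
userinit.exe,
\signons3.txt
\signons3.txt
"""

if __name__ == "__main__":
    for key, value in triage(parse_regions(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the summary for the excerpt; pasting the full listing into `SAMPLE` gives the picture for the whole process. Exports that the tables do not know (here `GetProcessHeap`) are reported as unclassified rather than dropped, so a gap in the mapping is visible instead of silent. The count of private one-page rwx regions that each hold a single module or export name is worth keeping: that shape is what resolving imports by name at runtime looks like when a memory scanner walks an injected process, and it is a better trigger for a memory-scan rule on a browser process than any one string. That reading is the editor's inference from the region layout, not a claim the report makes.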
IEXPLORE.EXE_1964_rwx_10410000_00045000:
.idata
.reloc
P.rsrc
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
%sysdir%\
%serverexe%
%serverexe%\
%serverpath%\
Ht.HtZ
Software\Microsoft\Windows\CurrentVersion\
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
MSG|Can't Access Drive !
MSG|Directory Doesn't Exist !
$000000.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
127.0.0.1 localhost #Redirects^To^Local^IP
MSG|Settings Change was Successful
MSG|The Computer Must Be Rebooted To Apply Changes
MSG|An Invalid Set of Flags Was Passed
MSG|The Display Driver Failed the Specified Graphics Mode
MSG|Graphics Mode Not Supported
MSG|Unable to Write Settings to Registry
MSG|Frequency Changed To
MSG|Error Changing Frequency
MSG|Error, Frequency Not Supported
MSG|Clipboard Monitoring Started
kernel32.dll
PSAPI.dll
\\StringFileInfo\\%.4x%.4x\\%s
ntdll.dll
|Key|-|
TPortScannerThread
PORTOPEND|
MSG|Port Scan Completed
MSG|Port Scanning Stopped
TMemoryExecute
|File Executed In Memory, PID :
|Error Executing File In Memory|
http://
HTTP/1.1
|Error, Can't Execute File|
avesvc.exe
ashdisp.exe
avgrsx.exe
bdss.exe
spider.exe
avp.exe
nod32krn.exe
cclaw.exe
dvpapi.exe
ewidoctrl.exe
mcshield.exe
pavfires.exe
almon.exe
ccapp.exe
pccntmon.exe
fssm32.exe
Dr.Web
issvc.exe
vsmon.exe
cpf.exe
ca.exe
tnbutil.exe
mpfservice.exe
npfmsg.exe
outpost.exe
tpsrv.exe
kpf4ss.exe
persfw.exe
vsserv.exe
smc.exe
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 95
Windows 98
Windows Me
rpcrt4.dll
Explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\WindowsName
Software\Microsoft\Windows\CurrentVersion\WindowsName\
Software\Microsoft\Windows NT\CurrentVersion
UnitPasswords
** Password Unknown **
Password
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
\Application Data\Mozilla\Firefox\profiles.ini
\Application Data\Mozilla\Firefox\
\signons3.txt
MSG|Failed To Get Firefox Passwords
\signons2.txt
MSG|Firefox Not Found On Remote PC
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command\
firefox.exe
BCAST|FIREFOX|
FIREFOXPASSWORDS|
-|-|-|-|
password
aim.ini
yahoo.ini
msn.ini
TRILLIANPASSWORDS|
Trillian.SkinZip\DefaultIcon
BCAST|TRILLIANPASSWORDS|
LoginName
\*.dat
MIRANDAPASSWORDS|
BCAST|MIRANDAPASSWORDS|
PIDGINPASSWORDS|
GAIMPASSWORDS|
\.purple\accounts.xml
\.gaim\accounts.xml
<password></password>
** Password Unknown **|
@rapidshare[1].txt
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
\cookies.sqlite
\cookies.txt
BCAST|RSPASSWORDS|
RSPASSWORDS|
[t]Password-Protected Web Site$|[l]
BCAST|INTERNETEXPLORERPASSWORDS|
INTERNETEXPLORERPASSWORDS|
TWebDownloader
TFTPUploader
TFTPDownloader
DOWNSTARTED|HTTP Download|
|Download Complete, Executed|
|Download Complete, Error Executing !|
ftp://
DOWNSTARTED|FTP Download|
|Download Complete, Error Executing|
MSG|Updating Server...
MSG|Server Downloaded, Executing...
MSG|Server Updated Successfully
MSG|Server Update Failed, Error Executing
MSG|Server Update Failed, Error Downloading
UPSTARTED|FTP Upload|
|Error !, Unable To Connect To FTP Server|
SetupApi.dll
cfgmgr32.dll
SetupDiOpenClassRegKey
MSG|Device Enabled
MSG|Error Enabling Device
MSG|Device Disabled
MSG|Error Disabling Device
PowrProf.dll
BCASTSEARCHWINDOWS
WEBCAMCAP
MSG|Error Capturing Webcam
00-00-00-00-00-00
IP: %s, SubNetMask : %s
0.0.0.0
127.0.0.1
%d.%d.%d.%d
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
autorun.inf
MSG|Can't Find File To Copy To USB !
MSG|File Copied To USB Successfully
MSG|Error Copying File To USB !
Connected Device/Port :
Operation Unidentified:
GetAsyncKeyState
user32.dll
GetKeyState
TskMultiChatForm.UnicodeClass
%WinDir%\log.txt
MSG|Server Accepted Hello, Controlling Started
FIREFOX
INTERNETEXPLORERPASSWORDS
MIRANDAPASSWORDS
TRILLIANPASSWORDS
PIDGINPASSWORDS
GAIMPASSWORDS
RSPASSWORDS
cmd.exe /k
MSG|Registry Search Started...
MSG|Registry Key Doesn't Exists !
STARTPORTSCAN
MSG|Port Scanning Started...
STOPPORTSCAN
SEARCHWINDOWS
MSG|Process
MSG|Error Setting Process Priority
MSG|DLL Unloaded
MSG|Error Unloading DLL
MSG|Process Terminated - PID :
MSG|Error Terminating Process - PID :
MSG|Process Restarted
MSG|Couldn't Restart Process
MSG|Process Suspended - PID :
MSG|Error Suspending Process - PID :
MSG|Process Resumed - PID
MSG|Error Resuming Process - PID :
NOIPPASSWORDS
NOIPPASSWORDS|
MSG|No No-IP Passwords Found
MSNPASSWORDS
MSNPASSWORDS|
FIREFOXPASSWORDS
SOCKSSTATUS|Socks Server Already Active on Port :
MSG|Uninstaller Executed
MSG|Could't Execute Uninstaller
CDKEYS
CDKEYS|
ACTIVEPORTS
ACTIVEPORTS|
MSG|Error Listing Active Ports
MSG|Host Removed
MSG|Error Removing Host
MSG|Host Added
MSG|Error Adding Host
MSG|Window Closed - Handel :
MSG|Window Diabled - Handel :
MSG|Window Enabled - Handel :
MSG|Window Maximized - Handel :
MSG|Window Minimized - Handel :
MSG|Window Hided - Handel :
MSG|Window Showed - Handel :
MSG|Close Button On Window With Handel :
MSG|Close Button on Window With Handel :
MSG|Window Title Changed To :
MSG|Can't Change Window Title To :
SENDKEYS
MSG|Text Sent To Window With Handel :
MSG|Error Sending Text To Window - Handel :
MSG|Script Created and Executed
MSG|Erorr Creating/Executing Script
MSG|User Clicked : OK
MSG|User Clicked : Cancel
MSG|User Clicked : Retry
MSG|User Clicked : Yes
MSG|User Clicked : No
MSG|User Clicked : Abort
MSG|User Clicked : Ignore
MSG|Clipboard Enabled
MSG|Clipboard Disabled
MSG|This Directory Doesn't Exist
MSG|Desktop Wallpaper Set To "
MSG|Error Changing Desktop Wallpaper
winlogon.exe
MSG|Application Executed as System
MSG|Error Executiong Application as System
MSG|File Executed Visiblly
MSG|File Executed Visiblly
MSG|Error While Trying to Run File
MSG|Error While Trying to Run File
MSG|File Executed Hidden
MSG|File Executed Hidden
MSG|Error Executing File
MSG|Error Executing File
MSG|File Secure-Deleted
MSG|File Secure-Deleted
MSG|Error Secure-Deleting File
MSG|Error Secure-Deleting File
MSG|File Doesn't Exist
MSG|File Doesn't Exist
MSG|File Deleted
MSG|File Deleted
MSG|Error Deleting File
MSG|Error Deleting File
MSG|Folder Deleted Succesfully
MSG|Folder Deleted Succesfully
MSG|Error Deleting Folder
MSG|Error Deleting Folder
MSG|Folder Doesn't Exist
MSG|Folder Doesn't Exist
MSG|File/Folder Renamed
MSG|File/Folder Renamed
MSG|Can't Rename File/Folder
MSG|Can't Rename File/Folder
MSG|File/Folder Doesn't Exist
MSG|File/Folder Doesn't Exist
MSG|Folder Created
MSG|Folder Created
MSG|Can't Creat Folder
MSG|Can't Creat Folder
MSG|Folder Already Exist, Choose another name
MSG|Folder Already Exist, Choose another name
LISTKEYS
LISTKEYS
LISTKEYS|
LISTKEYS|
MSG|Key Renamed
MSG|Key Renamed
MSG|Error Renaming Key
MSG|Error Renaming Key
DELETEKEY
DELETEKEY
MSG|Key/Value Deleted
MSG|Key/Value Deleted
MSG|Error Deleting Key/Value
MSG|Error Deleting Key/Value
NEWKEY
NEWKEY
MSG|Key Created
MSG|Key Created
MSG|Error Creating Key
MSG|Error Creating Key
MSG|Value Added
MSG|Value Added
MSG|Error Adding Value
MSG|Error Adding Value
MSG|USB Monitor is Already Active
MSG|USB Monitor is Already Active
MSG|USB Monitoring Started
MSG|USB Monitoring Started
MSG|USB Monitor is Not Active
MSG|USB Monitor is Not Active
MSG|USB Monitoring Stopped
MSG|USB Monitoring Stopped
MSG|Can't Stop USB Monitoring
MSG|Can't Stop USB Monitoring
MSG|Clipboard Monitor is Already Active
MSG|Clipboard Monitor is Already Active
MSG|Clipboard Monitor is Not Active
MSG|Clipboard Monitor is Not Active
MSG|Clipboard Monitoring Stopped
MSG|Clipboard Monitoring Stopped
|Error, Target File or File To Execute Doesn't Exists|
|Error, Target File or File To Execute Doesn't Exists|
DOWNLOADFROMFTP
DOWNLOADFROMFTP
UPLOADTOFTP
UPLOADTOFTP
MSG|Offline Key Logger Is Disabled !
MSG|Offline Key Logger Is Disabled !
MSG|Error, Log Doesn't Exists !
MSG|Error, Log Doesn't Exists !
MSG|Offline Log Cleared !
MSG|Offline Log Cleared !
MSG|Error Clearing Log File !
MSG|Error Clearing Log File !
LISTWEBCAMS
LISTWEBCAMS
LISTWEBCAMS|
LISTWEBCAMS|
MSG|Error, File Not Found
MSG|Error, File Not Found
MSG|Service Stopped
MSG|Service Stopped
MSG|Service Started
MSG|Service Started
MSG|Service "
MSG|Service "
MSG|Error Deleting Service
MSG|Error Deleting Service
MSG|Service Created
MSG|Service Created
MSG|Error Creating Service
MSG|Error Creating Service
MSG|Logoff Command Executed
MSG|Logoff Command Executed
MSG|Restart Command Executed
MSG|Restart Command Executed
MSG|Shutdown Command Executed
MSG|Shutdown Command Executed
MSG|Standby Command Executed
MSG|Standby Command Executed
MSG|Hibernate Command Executed
MSG|Hibernate Command Executed
MSG|Power Off Command Executed
MSG|Power Off Command Executed
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
abe2869f-9b47-4cd9-a358-c22904dba7f7
abe2869f-9b47-4cd9-a358-c22904dba7f7
Unable to resolve HTTP prox
Unable to resolve HTTP prox
$#&(%'!"-.
$#&(%'!"-.
&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}
&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}
wiki.dyndns-wiki.com
wiki.dyndns-wiki.com
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegQueryInfoKeyA
RegQueryInfoKeyA
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCreateKeyA
RegCreateKeyA
WinExec
WinExec
PeekNamedPipe
PeekNamedPipe
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
CreatePipe
CreatePipe
version.dll
version.dll
gdi32.dll
gdi32.dll
keybd_event
keybd_event
VkKeyScanA
VkKeyScanA
SetKeyboardState
SetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
MapVirtualKeyA
MapVirtualKeyA
GetKeyboardState
GetKeyboardState
ExitWindowsEx
ExitWindowsEx
EnumWindows
EnumWindows
EnumChildWindows
EnumChildWindows
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
wininet.dll
wininet.dll
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoA
HttpQueryInfoA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpPutFileA
FtpPutFileA
FtpOpenFileA
FtpOpenFileA
FtpFindFirstFileA
FtpFindFirstFileA
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
crypt32.dll
crypt32.dll
URLMON.DLL
URLMON.DLL
URLDownloadToFileA
URLDownloadToFileA
AVICAP32.DLL
AVICAP32.DLL
secur32.dll
secur32.dll
netapi32.dll
netapi32.dll
303C3K3p3x3
303C3K3p3x3
6 6$6(6,6064686
6 6$6(6,6064686
? ?6?\?{?
? ?6?\?{?
1,2j2}2
1,2j2}2
:.|Port=
:.|Port=
=wiki.dy
=wiki.dy
vs.exe
vs.exe
vKeylo
vKeylo
1&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}F833CU}|
1&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}F833CU}|
InjectInto=Þfaultbrows(
InjectInto=Þfaultbrows(
InjectInto=Þfaultbrowser%
InjectInto=Þfaultbrowser%
wiki.dyndns-wiki.comleSafeMode
wiki.dyndns-wiki.comleSafeMode
{4MO5UU47-M7LK-842G-7GS7-USY8J431PHRF}
{4MO5UU47-M7LK-842G-7GS7-USY8J431PHRF}
Explorer.EXE_1912_rwx_00EF0000_00001000:
.text
.text
`.data
`.data
.reloc
.reloc
Explorer.EXE_1912_rwx_02050000_00010000:
hcc.dholea
hcc.dholea