Trojan.Autoit.Agent.EZ_5553f3c235 – Adaware

Trojan.Win32.Autoit.bhd (Kaspersky), Trojan.Autoit.Agent.EZ (AdAware), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5553f3c235e4b9845647a5b79c4fa1f6

SHA1: 7f7fbde406028906fff0b5c43cc39ad654d36def

SHA256: ffe1726d5e600a61d375e8a2dec5d5d37bea4100e0162754889277251e2d2084

SSDeep: 49152:rJZoQrbTFZY1ia9YGA0ddUtgg8oNc3ycp/wn:rtrbTA16eddOF8lp/G

Size: 1849123 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Firseria

Created at: 2012-01-29 23:32:28

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

tb2323xt.exe:1748
mscorsvw.exe:172
%original file name%.exe:1784
%original file name%.exe:1720
scvhost.exe:1872

The Trojan injects its code into the following process(es):

tb2323xt.exe:924
scvhost.exe:320

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process tb2323xt.exe:924 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\ga[1].js (2107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\loader[1].htm (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (1614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\swfobject_modified[1].js (6822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\us_usbv2[1].htm (1639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\usbv2[1].jpg (1242 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (1095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[2].htm (277 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (918 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (1799 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (0 bytes)

The process %original file name%.exe:1784 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\m549576.png (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tb2323xt.exe (7337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (7185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (3929 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (0 bytes)

The process %original file name%.exe:1720 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vhost\scvhost.exe (13122 bytes)

Registry activity

The process tb2323xt.exe:1748 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 34 13 78 87 FD 52 B7 6B 63 F6 BD 7C C7 CE E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process tb2323xt.exe:924 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080120140802\"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheOptions" = "11"
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\BurnerMax]
"auto" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 20 AA F1 8F C6 E3 48 42 83 30 C6 6F 04 31 AE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePrefix" = ":2014080120140802:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021320130214]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process mscorsvw.exe:172 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:1784 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 24 09 51 08 82 0E 53 24 1D 58 0B 47 57 64 ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tb2323xt.exe" = "BurnerMAX Payload Tool"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1720 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 10 3E 7A 95 D5 53 DC B2 D6 3C D5 1B 45 B3 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost]
"scvhost.exe" = "scvhost"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svchost" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process scvhost.exe:320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 BC 8F A1 39 A9 BD D3 13 1F 21 5D 27 B9 CC CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process scvhost.exe:1872 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 5F B5 BF 5F 0E F5 B1 96 CF EC 8D 40 48 3B 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
9d92961c39c2e630a7e43bed7ac6c9a4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tb2323xt.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
tb2323xt.exe:1748
mscorsvw.exe:172
%original file name%.exe:1784
%original file name%.exe:1720
scvhost.exe:1872
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\ga[1].js (2107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\loader[1].htm (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (1614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\swfobject_modified[1].js (6822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\us_usbv2[1].htm (1639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\usbv2[1].jpg (1242 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (1095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[2].htm (277 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (918 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (1799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\m549576.png (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tb2323xt.exe (7337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (7185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (3929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vhost\scvhost.exe (13122 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svchost" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"
Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United Kingdom)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 8, 1File Description: Comments: Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	525852	526336	4.63347	61ffce4768976fa0dd2a8f6a97b1417a
.rdata	532480	57280	57344	3.32693	0354bc5f2376b5e9a4a3ba38b682dff1
.data	589824	108376	26624	1.49032	8033f5a38941b4685bc2299e78f31221
.rsrc	700416	95568	95744	3.11661	6913d765bead9712b63ba495a63b8bd5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://xconsoles.com/app/loader.html
hxxp://userlocation.com/swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=www.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=D~
hxxp://x360usb.com/app/us_usbv2.html	87.98.252.138
hxxp://x360usb.com/app/Scripts/swfobject_modified.js	87.98.252.138
hxxp://userlocation.com/swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=www.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=D~
hxxp://x360usb.com/app/usbv2.jpg	87.98.252.138
hxxp://www.userlocation.com/swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5	74.220.222.239
hxxp://www.xconsoles.com/app/loader.html	46.246.94.116
hxxp://www.userlocation.com/swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af	74.220.222.239
hxxp://www.x360usb.com/app/Scripts/swfobject_modified.js	87.98.252.138
hxxp://www.x360usb.com/app/us_usbv2.html	87.98.252.138
hxxp://www.x360usb.com/app/usbv2.jpg	87.98.252.138
hxxp://www.google-analytics.com/ga.js	173.194.43.32
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=www.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=D~	173.194.43.32
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=www.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=D~	173.194.43.32

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /app/us_usbv2.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.x360usb.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 16:25:31 GMT

Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Last-Modified: Wed, 23 May 2012 08:18:59 GMT

ETag: "4601c0-667-4c0afc97c02c0"

Accept-Ranges: bytes

Content-Length: 1639

Connection: close

Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8" />.<META HTTP-EQUIV="Expires" CONTENT="-1">.<META HTTP-EQUIV="Pragma" CONTENT="no-cache">.<head>.<title>Sponsor</title>.<script src="Scripts/swfobject_modified.js" type="text/javascript"></script>..<script type="text/javascript" src="hXXp://VVV.userlocation.com/swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5"> </script>..<STYLE>.BODY {..border-style:none;.}.</STYLE>.</head>.<BODY TOPMARGIN="0" LEFTMARGIN="0" SCROLL="no">.<body>..<script type="text/javascript">...var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "hXXp://VVV.");...document.write(unescape(""));..</script>.<script type="text/javascript">...try {....var pageTracker = _gat._getTracker("UA-13041870-2");....pageTracker._trackPageview();...}...catch(err) {}..</script>. .. . <div> <a href="hXXp://VVV.xconsoles.com/products/xecuter-x360usbpro-v2.html" target="_blank". .onClick="java

<<< skipped >>>

GET /app/usbv2.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.x360usb.com

Connection: Keep-Alive

Cookie: __utma=140599483.509102869.1406892446.1406892446.1406892446.1; __utmb=140599483.1.10.1406892446; __utmc=140599483; __utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 16:25:32 GMT

Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Last-Modified: Wed, 23 May 2012 08:19:00 GMT

ETag: "4601cb-34ad-4c0afc98b4500"

Accept-Ranges: bytes

Content-Length: 13485

Connection: close

Content-Type: image/jpeg

......JFIF.....`.`.....4Exif..II*.......1...............Adobe ImageReady.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...%...I.i.'.V.N .....B....)d..'Z.4.k...*.[.M.3Y.M. S.f$.URk..,.x8..N.F8.NYq....Y..`.......:II.Y.M.sS4..S.A.Z..=.0. ..9..l....z.~AS.........F...R...\.....I...D[.#T,k.w-Qj....*x4..'.n..ul...%.a.:..2...R.$...Y2:..6.Z....Zv.......h..9. %bG68....Z.39*Q......Y3N'"...9lC*...<U..Vd.k)..M)...1M.5bh.r*.....z......4f.........Hh..HCM.R.H.4.m>...wL.^q..v....y.8......V.......6.ReMV4I..u.........@i1.h.%.#.RQ.3....3Hi)...KL...,:.n.\.!i)(.....s.....f.4..n.v..L.sE!.Z)(...?:(.....I ...&*.......5)..<..k>i..M:i.SY.I..]..us..Vq.*.l.j68..%E$.)...Qm../Z..|..y9#5Fg..k...z.ab.2.N..g......[=.B......)Y.&j......<...4g.0..m....<.MR.z.mYI.t..F...H..mN.E...fO.......RG!...NG.5w..:..#...R.).MA......t......ee.c...Q.[Fg.J64I.TM..$..2.i..k..J."`...j..YJ'U)..F)3R...'.....%..4RQ....i(..aE...4.....%!.....4..JE....IH..Ph.bf.R.f..........Q@..Fi.P..Hi3FqH,.i)7Q...E&h.

<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.xconsoles.com/app/loader.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 06:07:03 GMT

Expires: Fri, 01 Aug 2014 18:07:03 GMT

Last-Modified: Tue, 17 Jun 2014 01:05:58 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15810

Age: 37104

Cache-Control: public, max-age=43200

Alternate-Protocol: 80:quic

...........}kW.:..w~....c...pk..f..-mii..%...e9..q.........$[NB.s.Y.........h43v..Pd.d.z..|..y ."........(..a.B........1..Tf..K.L2....~...ep...&y....MS...t9.....&..2... .Q.N.(o....8..q..L.!...a..0...$.pX..N&..a. ..zB:l.8c9.p.....;l..x.$c.]BP\.....B...&..*pz.H.~......g...Ap..!....K......V;l.H.....V.a.....s.$p....5.39...a.a7P'9.b.[H>N.$..A..... ..^..;h.h...2l_......w9..d.@.`...N.....|....%.d.%........{.....&.A.I..:....F.;..c..{P*..~..JzP.Kl...F..y.U8(&.......}.BH@..ZC...Ty. u.Y...!..R.h.F..`./>5...*{P..(..:A.}..v.} ..u...k......w\..d....he.q..U.u..yE..J.Re.....Y.2!.J.a..i^R....p..LG4.d.6U..........E..%..5.kz<....[..!2o.tV.V.....|..p7o..?N&..].o>.|...../..a.\...vL3].._....q.....C.].JG..\.[9...hp....w.Y^1..>..`..Q..!w0.U..}x.;^.......w.I................R..aQ2R..<..%....A%|.E...j...L..j..\.\.D.<.g....^Y)...L.*D........2....-..%F.T..j..,F...C.....m_.$..2..2.g...B.{.....\c......*5..c..J.{@...Q.....j..........E..Z...#>.....>...g{...t.....i1..Yk..@m..v.Cf..)..7.....(.......$\.S.......>......a..r..N. ........o;>...A..>...U...J'.....X....B.q..E....()..3. .... A".uss.;.......W.....k-..zF.\`Qp?........\d..a..A.1....5......Z.H...M"tf.GM. .X[.YU...T.._.lH......n@=1.5N....?Z...V>&."..Q$.....&.sS..Kq....].UySz=..3..$."....".'.Iar\Y.WVt\....;k..h._.O..b...2....G=H9@...v0l)2!..xD7...T..Di.v.RC`.m.8.\....J....h..uss.....p..)..O3.W....5....k...y.`^ ....&1..f"..D.w.}.;D:d.F....p#... ......d...T..iU7n.;-hh..T..^P....U.....>...T..m.^..fM....>..>d..Q..!....P1......7L...[.........;.>_W.

<<< skipped >>>

GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=VVV.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ HTTP/1.1

Accept: */*

Referer: hXXp://VVV.xconsoles.com/app/loader.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 31 Jul 2014 06:07:04 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 123504

Alternate-Protocol: 80:quic

GIF89a.............,...........D..;....

GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=VVV.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ HTTP/1.1

Accept: */*

Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 31 Jul 2014 06:07:04 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 123505

Alternate-Protocol: 80:quic

GIF89a.............,...........D..;..

GET /app/loader.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.xconsoles.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 01 Aug 2014 16:22:48 GMT

Content-Type: text/html

Content-Length: 765

Connection: keep-alive

Last-Modified: Wed, 19 Jun 2013 01:06:29 GMT

ETag: "543ce0-bc3-4df7770896f40-gzip"

Vary: Accept-Encoding

Content-Encoding: gzip

Accept-Ranges: bytes

...........V[O.@.~...8......w.A..].V...D..P...t..1......d..M.fN.9....m...;.......0..u.;.....;..;......B.....P...!.0.{..D.h..$I..n....%...jiq.4.R..J...f.8....V.....-.....i...........:<.,....1.t...ds........&..sb."........@......X..................0..4h.....`1t9%.X.....}.a......a.."..T.s....,..DL.X2S=...I.....J...(.....y .#.]f...MRe... c......3f.4Xckw.E...M..z....j.,ts.M....N.>t.....l.EHk...Z....j.W.-.tOb..7q....t=. ..X.....j...h%Sr....B......`..!D....R...d.,d....h........l.....q... ..>H...k.(o..%.wJ..u[...T.TQ...~j....Q evD.c...;5..F....c2..h.6j.j...S5....R.9..b.".>K....VR........OK.>...A_..#.g..9J.W......[.^.3...T.?.....r%........Nb6VM.'9.oWg.&..D......~....9......*...5$6.W.#.(..uQHva.N..C.,...0...C*.>u.E!]..B.u.B..6....!......7.W>v.c.7_n..ce?.-....*.......

GET /swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af HTTP/1.1

Accept: */*

Referer: hXXp://VVV.xconsoles.com/app/loader.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.userlocation.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 16:25:27 GMT

Server: Apache

Cache-Control: max-age=1209600

Expires: Fri, 15 Aug 2014 16:25:27 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 2949

Keep-Alive: timeout=10, max=500

Connection: Keep-Alive

Content-Type: text/html

...........X.s........A.Lm.....Y...t..9.;q2.E..e..([.....[2v.2.>..\.....,..z..N.j.S.{..{~o^..e.....o.t\..#L..f...2...q..^6......h..J..E99........r.e..rql..t...M...,..G....5-.q.....~N..!..W..).B89.2.d..s3..!.....9.....T.-....J..e,g'.`s..P...~=/.............,./.Ge...3].......L. .?...........8.G.a..}............k.2.~.....g.,/.....v^../.'S......x.G..c~T.D.'...y..y=0....;..Lm..t..^...k.o..'...:.5.,.z/.q.:. 5...`.!..x[g...F.w.......2.:.....?m...w..v.....O..1........?....=<..).B..P=E[........^.n.W.e.O.#....:......6.{._?....z..6z L}k...B.....#.}`..p.~..z......;.\.5..3..-....6.E.X....>...y...H.....q.B...u..N.......poB...M.......o.3..Y_Q,}.k......*....^.....|...5>....&...DFA8..G...V..u.....lI...!4..8K..@T....../....0.Mk.[E|~.I...`W..fI.i.h_).Sd.T.Z...u.e{{.(..<x.I.3..A....U..);d..s..Kl./t......7#X........J./..R..-~JP.?......t$'.il_{...vN......l{...6Rd.....%."...%...J..j.>.........U........[........n$.....(..![...~.T..R ...L.l.cB..^..bn.#.d..g.g.&}.3.o.&}.3...I.$.T...c...s....g....6.....}............X.aO..h.k>..c7.=..v/...RMv...&.M..=.......Hi.b=6{mo......OeZ.1"vh...#.............) ..o......bo.....o....R....2m......%.>q..........-...g.b..}.#.."3 ..Bu9a|..9......k..;......Aq.qW....,.3.1>P.d<W..h.@..s.G...#...c.r.88.*...%..U...x!|......)q.#....q..(J..Vm.?..'{S....pw.2...../T....B..{.|<..G...3..*.....&..{........]h.&.....7.U..;L..<..L...M...A..'...T]...YvA......6 .]...YuA8.. .]...........X.....B......P.. D..b.Znd.L..H.h.....gL.................|.9...@d...u.(@....H$..']$8KHx...%d.........g..

<<< skipped >>>

GET /swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.userlocation.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 16:25:29 GMT

Server: Apache

Cache-Control: max-age=1209600

Expires: Fri, 15 Aug 2014 16:25:29 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 2949

Keep-Alive: timeout=10, max=499

Connection: Keep-Alive

Content-Type: text/html

...........X.s........A.Lm.....Y...t..9.;q2.E..e..([.....[2v.2.>..\.....,..z..N.j.S.{..{~o^..e.....o.t\..#L..f...2...q..^6......h..J..E99........r.e..rql...X.......( ...X...c..,..w.9....L.....Y"....W.L..na..=...!.z..<.j.e.W.Y........l._..v<...E...Z......{..e.E.....~..z_.r........a5.....|v..g.h6,../<..|......u}.OF./.....l...v..}.......d....}..O.H.|....h.D}.5..1............O....k?W|......T?Sg.F..E.e1NVg....}..7$..o..........v..WZ._........O...?....4....?f...w;v;...\.....=E[(....h.5.}..oZ. .-......b..?.R..X....F{.......Yo_.F...omaTX..X=.}D..l....o.[/....~vg.....w.V........(.......C.:..".ipA_.3n\(.|..p.)}...u...M.>...2...9...u..:. ...cm..A..@ep~.....z..O..............(..{.H.~..........-...=.F{.gI......X.`.EW.[...i.x...o4.5|.....,.8... %q....T..@.N.loo.%....4)v..5(....J.?e...{..b.m....R..!.f. ..6C..7C).%XR.W..O...g..|......5..k..x.....{.r.m..!.F.......dW$...$..Z.[W..g..W......j...1...s 4.;|.Y[..D.......4d .`...*1Tj.6.....tL.~. .S.-t...].L......&..../~&=.7......7r...x.U.w.,.6.....}]...12RZ....... 1..B..`...c....]..%.tT...6.........7.....).Z..f....7.....L "F..-..q...=...4.....1e%......Y.V.-...0.....[.x..Z....7W....'n.^.W..X.6.....lWL4./v..Td...R..'./.?g.....q.Rz...^q.>(.0.*!....x.<......J.....Bq..Hq.q.W2~.@N...W.!x....*.u./....R.=2%N`....#NQ.E.O..-.'..do.......U..s5....}.RC.W.o..'}...cb.CS...:...?b..8...73..M..8b...F...e.)..G...9...b6 .3.......b7 ......wA......5 .....p.....=.r........8..@....!...~....PL@.........-7R........3ws..=`b.......<g.a..L..................g.......L.... .....".......2N@..

<<< skipped >>>

GET /app/Scripts/swfobject_modified.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.x360usb.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 16:25:31 GMT

Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Last-Modified: Tue, 08 Mar 2011 11:19:02 GMT

ETag: "4601bb-575d-49df6c788f580"

Accept-Ranges: bytes

Content-Length: 22365

Connection: close

Content-Type: application/javascript

/*!.SWFObject v2.0 <hXXp://code.google.com/p/swfobject/>...Copyright (c) 2007 Geoff Stearns, Michael Williams, and Bobby van der Sluis...This software is released under the MIT License <hXXp://VVV.opensource.org/licenses/mit-license.php>..*/..var swfobject = function() {......var UNDEF = "undefined",....OBJECT = "object",....SHOCKWAVE_FLASH = "Shockwave Flash",....SHOCKWAVE_FLASH_AX = "ShockwaveFlash.ShockwaveFlash",....FLASH_MIME_TYPE = "application/x-shockwave-flash",....EXPRESS_INSTALL_ID = "SWFObjectExprInst",........win = window,....doc = document,....nav = navigator,........domLoadFnArr = [],....regObjArr = [],....timer = null,....storedAltContent = null,....storedAltContentId = null,....isDomLoaded = false,....isExpressInstallActive = false;....../* Centralized function for browser feature detection....- Proprietary feature detection (conditional compiling) is used to detect Internet Explorer's features....- User agent string detection is only used when no alternative is possible....- Is executed directly for optimal performance...*/....var ua = function() {....var w3cdom = typeof doc.getElementById != UNDEF && typeof doc.getElementsByTagName != UNDEF && typeof doc.createElement != UNDEF && typeof doc.appendChild != UNDEF && typeof doc.replaceChild != UNDEF && typeof doc.removeChild != UNDEF && typeof doc.cloneNode != UNDEF,.....playerVersion = [0,0,0],.....d = null;....if (typeof nav.plugins != UNDEF && typeof nav.plugins[SHOCKWAVE_FLASH] == OBJECT) {.....d = nav.plugins[SHOCKWAVE_FLASH].des

<<< skipped >>>

GET /app/us_usbv2.html HTTP/1.1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: x360usb.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Date: Fri, 01 Aug 2014 16:25:31 GMT

Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Location: hXXp://VVV.x360usb.com/app/us_usbv2.html

Content-Length: 248

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://VVV.x360usb.com/app/us_usbv2.html">here</a>.</p>.</body></html>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

tb2323xt.exe_924:

.text

`.rdata

@.data

.rsrc

@.reloc

B.odata

{94374E65-3577-4fde-ABBD-4E943E70E8E8}

WindowsForms10.Window.8.app4

WindowsForms10.Window.8.app.0.378734a

notepad.exe

\\.\%c:

("Unexpected return from _amsg_exit",FALSE)

Load failed due to incompatible .NET Runtime version

mscoree.dll

%s(%d) : %s

_CrtDbgReport: String too long or IO Error

Second Chance Assertion Failed: File %s, Line %d

user32.dll

Debug %s!

Program: %s%s%s%s%s%s%s%s%s%s%s

kernel32.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

Client hook allocation failure at file %hs line %d.

_CrtCheckMemory()

_CrtIsValidHeapPointer(pUserData)

Client hook re-allocation failure at file %hs line %d.

DAMAGE: after %hs block (#%d) at 0x%p.

DAMAGE: before %hs block (#%d) at 0x%p.

%hs allocated at file %hs(%d).

_CrtMemCheckPoint: NULL state pointer.

_CrtMemDifference: NULL state pointer.

crt block at 0x%p, subtype %x, %Iu bytes long.

client block at 0x%p, subtype %x, %Iu bytes long.

%hs(%d) :

#File Error#(%d) :

Data: <%s> %s

f:\vs70builds\3077\vc\crtbld\crt\src\sprintf.c

f:\vs70builds\3077\vc\crtbld\crt\src\vsprintf.c

GetProcessWindowStation

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

("Invalid MBCS character sequence passed to strftime",0)

("Zero length output buffer passed to strftime",0)

("Invalid MBCS character sequence passed into strftime",0)

portuguese-brazilian

convrtcp.c

`.rsrc

v1.1.4322

IWebBrowser

DWebBrowserEvents

IWebBrowserApp

IWebBrowser2

OLECMDID

OLECMDF

OLECMDEXECOPT

DWebBrowserEvents2

WebBrowser_V1Class

DWebBrowserEvents2_Event

DWebBrowserEvents2_StatusTextChangeEventHandler

DWebBrowserEvents2_ProgressChangeEventHandler

DWebBrowserEvents2_CommandStateChangeEventHandler

DWebBrowserEvents2_DownloadBeginEventHandler

DWebBrowserEvents2_DownloadCompleteEventHandler

DWebBrowserEvents2_TitleChangeEventHandler

DWebBrowserEvents2_PropertyChangeEventHandler

DWebBrowserEvents2_BeforeNavigate2EventHandler

DWebBrowserEvents2_NewWindow2EventHandler

DWebBrowserEvents2_NavigateComplete2EventHandler

DWebBrowserEvents2_DocumentCompleteEventHandler

DWebBrowserEvents2_OnQuitEventHandler

DWebBrowserEvents2_OnVisibleEventHandler

DWebBrowserEvents2_OnToolBarEventHandler

DWebBrowserEvents2_OnMenuBarEventHandler

DWebBrowserEvents2_OnStatusBarEventHandler

DWebBrowserEvents2_OnFullScreenEventHandler

DWebBrowserEvents2_OnTheaterModeEventHandler

DWebBrowserEvents2_WindowSetResizableEventHandler

DWebBrowserEvents2_WindowSetLeftEventHandler

DWebBrowserEvents2_WindowSetTopEventHandler

DWebBrowserEvents2_WindowSetWidthEventHandler

DWebBrowserEvents2_WindowSetHeightEventHandler

DWebBrowserEvents2_WindowClosingEventHandler

DWebBrowserEvents2_ClientToHostWindowEventHandler

DWebBrowserEvents2_SetSecureLockIconEventHandler

DWebBrowserEvents2_FileDownloadEventHandler

DWebBrowserEvents2_NavigateErrorEventHandler

DWebBrowserEvents2_PrintTemplateInstantiationEventHandler

DWebBrowserEvents2_PrintTemplateTeardownEventHandler

DWebBrowserEvents2_UpdatePageStatusEventHandler

DWebBrowserEvents2_PrivacyImpactedStateChangeEventHandler

DWebBrowserEvents2_NewWindow3EventHandler

DWebBrowserEvents_Event

DWebBrowserEvents_BeforeNavigateEventHandler

DWebBrowserEvents_NavigateCompleteEventHandler

DWebBrowserEvents_StatusTextChangeEventHandler

DWebBrowserEvents_ProgressChangeEventHandler

DWebBrowserEvents_DownloadCompleteEventHandler

DWebBrowserEvents_CommandStateChangeEventHandler

DWebBrowserEvents_DownloadBeginEventHandler

DWebBrowserEvents_NewWindowEventHandler

DWebBrowserEvents_TitleChangeEventHandler

DWebBrowserEvents_FrameBeforeNavigateEventHandler

DWebBrowserEvents_FrameNavigateCompleteEventHandler

DWebBrowserEvents_FrameNewWindowEventHandler

DWebBrowserEvents_QuitEventHandler

DWebBrowserEvents_WindowMoveEventHandler

DWebBrowserEvents_WindowResizeEventHandler

DWebBrowserEvents_WindowActivateEventHandler

DWebBrowserEvents_PropertyChangeEventHandler

WebBrowser_V1

WebBrowserClass

WebBrowser

DShellWindowsEvents

IShellWindows

ShellWindowsClass

DShellWindowsEvents_Event

DShellWindowsEvents_WindowRegisteredEventHandler

DShellWindowsEvents_WindowRevokedEventHandler

ShellWindows

DShellWindowsEvents_SinkHelper

DShellWindowsEvents_EventProvider

DWebBrowserEvents_SinkHelper

DWebBrowserEvents_EventProvider

DWebBrowserEvents2_SinkHelper

DWebBrowserEvents2_EventProvider

System.Runtime.InteropServices

System.Reflection

System.Collections

System.Threading

ImportedFromTypeLibAttribute

get_LocationURL

LocationURL

cmdID

cmdexecopt

OLECMDID_OPEN

OLECMDID_NEW

OLECMDID_SAVE

OLECMDID_SAVEAS

OLECMDID_SAVECOPYAS

OLECMDID_PRINT

OLECMDID_PRINTPREVIEW

OLECMDID_PAGESETUP

OLECMDID_SPELL

OLECMDID_PROPERTIES

OLECMDID_CUT

OLECMDID_COPY

OLECMDID_PASTE

OLECMDID_PASTESPECIAL

OLECMDID_UNDO

OLECMDID_REDO

OLECMDID_SELECTALL

OLECMDID_CLEARSELECTION

OLECMDID_ZOOM

OLECMDID_GETZOOMRANGE

OLECMDID_UPDATECOMMANDS

OLECMDID_REFRESH

OLECMDID_STOP

OLECMDID_HIDETOOLBARS

OLECMDID_SETPROGRESSMAX

OLECMDID_SETPROGRESSPOS

OLECMDID_SETPROGRESSTEXT

OLECMDID_SETTITLE

OLECMDID_SETDOWNLOADSTATE

OLECMDID_STOPDOWNLOAD

OLECMDID_ONTOOLBARACTIVATED

OLECMDID_FIND

OLECMDID_DELETE

OLECMDID_HTTPEQUIV

OLECMDID_HTTPEQUIV_DONE

OLECMDID_ENABLE_INTERACTION

OLECMDID_ONUNLOAD

OLECMDID_PROPERTYBAG2

OLECMDID_PREREFRESH

OLECMDID_SHOWSCRIPTERROR

OLECMDID_SHOWMESSAGE

OLECMDID_SHOWFIND

OLECMDID_SHOWPAGESETUP

OLECMDID_SHOWPRINT

OLECMDID_CLOSE

OLECMDID_ALLOWUILESSSAVEAS

OLECMDID_DONTDOWNLOADCSS

OLECMDID_UPDATEPAGESTATUS

OLECMDID_PRINT2

OLECMDID_PRINTPREVIEW2

OLECMDID_SETPRINTTEMPLATE

OLECMDID_GETPRINTTEMPLATE

OLECMDID_PAGEACTIONBLOCKED

OLECMDID_PAGEACTIONUIQUERY

OLECMDID_FOCUSVIEWCONTROLS

OLECMDID_FOCUSVIEWCONTROLSQUERY

OLECMDID_SHOWPAGEACTIONMENU

OLECMDF_SUPPORTED

OLECMDF_ENABLED

OLECMDF_LATCHED

OLECMDF_NINCHED

OLECMDF_INVISIBLE

OLECMDF_DEFHIDEONCTXTMENU

OLECMDEXECOPT_DODEFAULT

OLECMDEXECOPT_PROMPTUSER

OLECMDEXECOPT_DONTPROMPTUSER

OLECMDEXECOPT_SHOWHELP

WindowSetResizable

WindowSetLeft

WindowSetTop

WindowSetWidth

WindowSetHeight

bstrUrlContext

bstrUrl

.ctor

IWebBrowser2_GoBack

IWebBrowser2_GoForward

IWebBrowser2_GoHome

IWebBrowser2_GoSearch

IWebBrowser2_Navigate

IWebBrowser2_Refresh

IWebBrowser2_Refresh2

IWebBrowser2_Stop

IWebBrowser2_get_Application

IWebBrowser2_get_Parent

IWebBrowser2_get_Container

IWebBrowser2_get_Document

IWebBrowser2_get_TopLevelContainer

IWebBrowser2_get_Type

IWebBrowser2_get_Left

IWebBrowser2_set_Left

IWebBrowser2_get_Top

IWebBrowser2_set_Top

IWebBrowser2_get_Width

IWebBrowser2_set_Width

IWebBrowser2_get_Height

IWebBrowser2_set_Height

IWebBrowser2_get_LocationName

IWebBrowser2_get_LocationURL

IWebBrowser2_get_Busy

DWebBrowserEvents2_Event_add_StatusTextChange

DWebBrowserEvents2_Event_remove_StatusTextChange

DWebBrowserEvents2_Event_add_ProgressChange

DWebBrowserEvents2_Event_remove_ProgressChange

DWebBrowserEvents2_Event_add_CommandStateChange

DWebBrowserEvents2_Event_remove_CommandStateChange

DWebBrowserEvents2_Event_add_DownloadBegin

DWebBrowserEvents2_Event_remove_DownloadBegin

DWebBrowserEvents2_Event_add_DownloadComplete

DWebBrowserEvents2_Event_remove_DownloadComplete

DWebBrowserEvents2_Event_add_TitleChange

DWebBrowserEvents2_Event_remove_TitleChange

DWebBrowserEvents2_Event_add_PropertyChange

DWebBrowserEvents2_Event_remove_PropertyChange

add_WindowSetResizable

remove_WindowSetResizable

add_WindowSetLeft

remove_WindowSetLeft

add_WindowSetTop

remove_WindowSetTop

add_WindowSetWidth

remove_WindowSetWidth

add_WindowSetHeight

remove_WindowSetHeight

DWebBrowserEvents_Event_Quit

DWebBrowserEvents2_Event_StatusTextChange

DWebBrowserEvents2_Event_ProgressChange

DWebBrowserEvents2_Event_CommandStateChange

DWebBrowserEvents2_Event_DownloadBegin

DWebBrowserEvents2_Event_DownloadComplete

DWebBrowserEvents2_Event_TitleChange

DWebBrowserEvents2_Event_PropertyChange

IWebBrowser2_Application

IWebBrowser2_Parent

IWebBrowser2_Container

IWebBrowser2_Document

IWebBrowser2_TopLevelContainer

IWebBrowser2_Type

IWebBrowser2_Left

IWebBrowser2_Top

IWebBrowser2_Width

IWebBrowser2_Height

IWebBrowser2_LocationName

IWebBrowser2_LocationURL

IWebBrowser2_Busy

IWebBrowser_GoBack

IWebBrowser_GoForward

IWebBrowser_GoHome

IWebBrowser_GoSearch

IWebBrowser_Navigate

IWebBrowser_Refresh

IWebBrowser_Refresh2

IWebBrowser_Stop

IWebBrowser_get_Application

IWebBrowser_get_Parent

IWebBrowser_get_Container

IWebBrowser_get_Document

IWebBrowser_get_TopLevelContainer

IWebBrowser_get_Type

IWebBrowser_get_Left

IWebBrowser_set_Left

IWebBrowser_get_Top

IWebBrowser_set_Top

IWebBrowser_get_Width

IWebBrowser_set_Width

IWebBrowser_get_Height

IWebBrowser_set_Height

IWebBrowser_get_LocationName

IWebBrowser_get_LocationURL

IWebBrowser_get_Busy

DWebBrowserEvents_Event_add_StatusTextChange

DWebBrowserEvents_Event_remove_StatusTextChange

DWebBrowserEvents_Event_add_ProgressChange

DWebBrowserEvents_Event_remove_ProgressChange

DWebBrowserEvents_Event_add_DownloadComplete

DWebBrowserEvents_Event_remove_DownloadComplete

DWebBrowserEvents_Event_add_CommandStateChange

DWebBrowserEvents_Event_remove_CommandStateChange

DWebBrowserEvents_Event_add_DownloadBegin

DWebBrowserEvents_Event_remove_DownloadBegin

DWebBrowserEvents_Event_add_TitleChange

DWebBrowserEvents_Event_remove_TitleChange

DWebBrowserEvents_Event_add_PropertyChange

DWebBrowserEvents_Event_remove_PropertyChange

DWebBrowserEvents_Event_StatusTextChange

DWebBrowserEvents_Event_ProgressChange

DWebBrowserEvents_Event_DownloadComplete

DWebBrowserEvents_Event_CommandStateChange

DWebBrowserEvents_Event_DownloadBegin

DWebBrowserEvents_Event_TitleChange

DWebBrowserEvents_Event_PropertyChange

IWebBrowser_Application

IWebBrowser_Parent

IWebBrowser_Container

IWebBrowser_Document

IWebBrowser_TopLevelContainer

IWebBrowser_Type

IWebBrowser_Left

IWebBrowser_Top

IWebBrowser_Width

IWebBrowser_Height

IWebBrowser_LocationName

IWebBrowser_LocationURL

IWebBrowser_Busy

IWebBrowserApp_GoBack

IWebBrowserApp_GoForward

IWebBrowserApp_GoHome

IWebBrowserApp_GoSearch

IWebBrowserApp_Navigate

IWebBrowserApp_Refresh

IWebBrowserApp_Refresh2

IWebBrowserApp_Stop

IWebBrowserApp_get_Application

IWebBrowserApp_get_Parent

IWebBrowserApp_get_Container

IWebBrowserApp_get_Document

IWebBrowserApp_get_TopLevelContainer

IWebBrowserApp_get_Type

IWebBrowserApp_get_Left

IWebBrowserApp_set_Left

IWebBrowserApp_get_Top

IWebBrowserApp_set_Top

IWebBrowserApp_get_Width

IWebBrowserApp_set_Width

IWebBrowserApp_get_Height

IWebBrowserApp_set_Height

IWebBrowserApp_get_LocationName

IWebBrowserApp_get_LocationURL

IWebBrowserApp_get_Busy

IWebBrowserApp_Quit

IWebBrowserApp_ClientToWindow

IWebBrowserApp_PutProperty

IWebBrowserApp_GetProperty

IWebBrowserApp_get_Name

IWebBrowserApp_get_HWND

IWebBrowserApp_get_FullName

IWebBrowserApp_get_Path

IWebBrowserApp_get_Visible

IWebBrowserApp_set_Visible

IWebBrowserApp_get_StatusBar

IWebBrowserApp_set_StatusBar

IWebBrowserApp_get_StatusText

IWebBrowserApp_set_StatusText

IWebBrowserApp_get_ToolBar

IWebBrowserApp_set_ToolBar

IWebBrowserApp_get_MenuBar

IWebBrowserApp_set_MenuBar

IWebBrowserApp_get_FullScreen

IWebBrowserApp_set_FullScreen

IWebBrowserApp_Application

IWebBrowserApp_Parent

IWebBrowserApp_Container

IWebBrowserApp_Document

IWebBrowserApp_TopLevelContainer

IWebBrowserApp_Type

IWebBrowserApp_Left

IWebBrowserApp_Top

IWebBrowserApp_Width

IWebBrowserApp_Height

IWebBrowserApp_LocationName

IWebBrowserApp_LocationURL

IWebBrowserApp_Busy

IWebBrowserApp_Name

IWebBrowserApp_HWND

IWebBrowserApp_FullName

IWebBrowserApp_Path

IWebBrowserApp_Visible

IWebBrowserApp_StatusBar

IWebBrowserApp_StatusText

IWebBrowserApp_ToolBar

IWebBrowserApp_MenuBar

IWebBrowserApp_FullScreen

SWFO_COOKIEPASSED

FindWindowSW

ImportExportFavorites

fImport

strFailureUrl

strUrl

Import

Export

getErrorMsg

getErrorUrl

getAlwaysShowLockState

get_URL

SetDefaultSearchUrl

get_InWebFolder

FindOnWeb

GetSearchAssistantURL

InWebFolder

m_WindowSetHeightDelegate

m_WindowSetWidthDelegate

m_WindowSetTopDelegate

m_WindowSetLeftDelegate

m_WindowSetResizableDelegate

Interop.SHDocVw

SHDocVw.dll

System.Runtime.InteropServices.CustomMarshalers.EnumeratorToEnumVariantMarshaler, CustomMarshalers, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

$EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B

$EAB22AC2-30C1-11CF-A7EB-0000C05BAE0B

$34A226E0-DF30-11CF-89A9-00A0C9054129

$0002DF05-0000-0000-C000-000000000046

$D30C1661-CDAF-11D0-8A3E-00C04FC9E26E

$65507BE0-91A8-11D3-A845-009027220E6D

$34A715A0-6587-11D0-924A-0020AFC7AC4D

$EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B

SHDocVw.DWebBrowserEvents2

)SHDocVw.DWebBrowserEvents2_EventProvider

SHDocVw.DWebBrowserEvents

(SHDocVw.DWebBrowserEvents_EventProvider

SHDocVw.WebBrowser_V1Class

6SHDocVw.DWebBrowserEvents

$8856F961-340A-11D0-A96B-00C04FD705A2

SHDocVw.WebBrowserClass

6SHDocVw.DWebBrowserEvents2

$0002DF01-0000-0000-C000-000000000046

SHDocVw.InternetExplorerClass

$C08AFD90-F2A1-11D1-8455-00A0C91F3880

SHDocVw.ShellBrowserWindowClass

$F41E6981-28E5-11D0-82B4-00A0C90C29C5

$7716A370-38CA-11D0-A48B-00A0C90A8F39

$FE4106E0-399A-11D0-A48C-00A0C90A8F39

$85CB6900-4D95-11CF-960C-0080C7F4EE85

$9BA05972-F6A8-11CF-A442-00A0C90A8F39

SHDocVw.DShellWindowsEvents

*SHDocVw.DShellWindowsEvents_EventProvider

SHDocVw.ShellWindowsClass

$729FE2F8-1EA8-11D1-8F85-00C04FC2FBE1

$64AB4BB7-111E-11D1-8F79-00C04FC2FBE1

SHDocVw.ShellUIHelperClass

$55136806-B2DE-11D1-B9F2-00A0C98BC547

$55136804-B2DE-11D1-B9F2-00A0C98BC547

$E572D3C9-37BE-4AE2-825D-D521763E3108

$55136805-B2DE-11D1-B9F2-00A0C98BC547

SHDocVw.DShellNameSpaceEvents

,SHDocVw.DShellNameSpaceEvents_EventProvider

SHDocVw.ShellNameSpaceClass

$F3470F24-15FD-11D2-BB2E-00805FF7EFCA

$EFD01300-160F-11D2-BB2E-00805FF7EFCA

SHDocVw.CScriptErrorListClass

$BA9239A4-3DD5-11D2-BF8B-00C04FB93661

$47C922A2-3DD5-11D2-BF8B-00C04FB93661

$72423E8F-8011-11D2-BE79-00A0C9A83DA1

$72423E8F-8011-11D2-BE79-00A0C9A83DA2

$72423E8F-8011-11D2-BE79-00A0C9A83DA3

$1611FDDA-445B-11D2-85DE-00C04FA35C89

$B45FF030-4447-11D2-85DE-00C04FA35C89

SHDocVw.SearchAssistantOCClass

$eab22ac0-30c1-11cf-a7eb-0000c05bae0b

AxInterop.SHDocVw.dll

System.Windows.Forms

AxWebBrowser

DWebBrowserEvents2_NewWindow3Event

DWebBrowserEvents2_PrivacyImpactedStateChangeEvent

DWebBrowserEvents2_UpdatePageStatusEvent

DWebBrowserEvents2_PrintTemplateTeardownEvent

DWebBrowserEvents2_PrintTemplateInstantiationEvent

DWebBrowserEvents2_NavigateErrorEvent

DWebBrowserEvents2_FileDownloadEvent

DWebBrowserEvents2_SetSecureLockIconEvent

DWebBrowserEvents2_ClientToHostWindowEvent

DWebBrowserEvents2_WindowClosingEvent

DWebBrowserEvents2_WindowSetHeightEvent

DWebBrowserEvents2_WindowSetWidthEvent

DWebBrowserEvents2_WindowSetTopEvent

DWebBrowserEvents2_WindowSetLeftEvent

DWebBrowserEvents2_WindowSetResizableEvent

DWebBrowserEvents2_OnTheaterModeEvent

DWebBrowserEvents2_OnFullScreenEvent

DWebBrowserEvents2_OnStatusBarEvent

DWebBrowserEvents2_OnMenuBarEvent

DWebBrowserEvents2_OnToolBarEvent

DWebBrowserEvents2_OnVisibleEvent

DWebBrowserEvents2_DocumentCompleteEvent

DWebBrowserEvents2_NavigateComplete2Event

DWebBrowserEvents2_NewWindow2Event

DWebBrowserEvents2_BeforeNavigate2Event

DWebBrowserEvents2_PropertyChangeEvent

DWebBrowserEvents2_TitleChangeEvent

DWebBrowserEvents2_CommandStateChangeEvent

DWebBrowserEvents2_ProgressChangeEvent

DWebBrowserEvents2_StatusTextChangeEvent

AxWebBrowserEventMulticaster

RaiseOnWindowSetHeight

RaiseOnWindowSetWidth

RaiseOnWindowSetTop

RaiseOnWindowSetLeft

RaiseOnWindowSetResizable

AssemblyKeyFileAttribute

AxInterop.SHDocVw

System.ComponentModel

BindableSupport

&{8856f961-340a-11d0-a96b-00c04fd705a2}

System.Int32

.C:\xbox360\Projects\WindowsApplication2\jf.snk

04/08/2004 01:56:46

)System.Resources.ResourceReader, mscorlibsSystem.Resources.RuntimeResourceSet, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

^System.Boolean, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089iSystem.Drawing.Size, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aiSystem.Drawing.Icon, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3apSystem.Globalization.CultureInfo, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\System.Int32, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089mSystem.CodeDom.MemberAttributes, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089}System.Windows.Forms.AxHost State, System.Windows.Forms, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089kSystem.Drawing.Bitmap, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ajSystem.Drawing.Point, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADc

%]-):(/!

System.Boolean

TSystem.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

System.Drawing.Size

System.Drawing.Icon

!$!101989

141),))01

)89),))01)

),)),)),)),)),)),)

),)),)),)),)),)),))}

!49),)),)),)),)),)),)),)),)!

)()),)),)),)),)),)),)),)141

)()),)),)),)),)),)),)),)),)),)),)!

)()),)),)),)),)),)),)),)),)),)),)),)),)!

)()),)),)),)),)),)),)),)),)),)),)),)),)),))}

!$!!$!!$!!$!)())())())())())())())())())()!

! !)())())())())())())())())())())())())())()),1

)41101)()

),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()! !

989!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)!$!

!$!)()),)),)),)),)),)189

)()),)),))

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

!$!9899<99<9),)

!$!),)),)),)),)101

)89),)),)),))41

),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)!$!

! !),)),)),)),)!

),)),)),)),)),)),)),)

),)),)),)9<9

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)! !

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)! !! !

)()),)),)),)),)),)),)),)),)!

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()9<9

989)())()! !

)()),)),)),)),)),)),)),)),)),)),))}

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)989

9<9)()),)!$!

)41),)),)),)),)),)),)),)),)),)),)),)101

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

)()),)),)!$!

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

!!$!),)),)),)),)),)),)),)),)),)),)),)),)),)!

!$!),)),)!$!

! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

!$!),)),))()),)

! !),)),))

! !! !!$!!$!!$!! !! !

)()),))01!

189),)),)),)),)

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

),)),))()

)()),)),))01!

1<9),)),)),)),)

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)101

!$!),)),)),)),))

141),)),)),))()

!$!),)),)

),)),)),)),))()

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

! !),)),)),)),)),)),)189!

!$!),)),)),)),)),)),)),)),)),)),)1<9)}

!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

101!$!),))()

)()),)989

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)

)()),)),)),)

101),)),)!$!{}{

! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)9<9

! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)9<9

9<9),)),))())()

),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

989),)),)!$!

)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)141

1019<9989101),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()

!$!!$!! !! !! !! !

FFF.FFFs@@@

%%%x(((

System.Globalization.CultureInfo

System.Globalization.CompareInfo

System.Globalization.TextInfo%System.Globalization.NumberFormatInfo'System.Globalization.DateTimeFormatInfo

System.Globalization.Calendar

System.Globalization.TextInfo

%System.Globalization.NumberFormatInfo

LSystem, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

System.CodeDom.MemberAttributes

ZSystem.Windows.Forms, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

!System.Windows.Forms.AxHost State

System.Drawing.Bitmap

(7),01444

'9=82<.342

sx.LM

m.MZc

ÀRL

%fNHVx

.Zz`:TYo[

B)3%u[

IO%c(

N*.vU

r'QA.TQ

>/; 7'3'7

`öv

7j8f-X}

<IaV><pre>IÝ~t</pre><pre>g^z%d</pre><pre>System.Drawing.Point</pre><pre>.cctor</pre><pre>_WinMainCRTStartup</pre><pre>0.591396905</pre><pre>add_KeyDown</pre><pre>AssemblyKeyNameAttribute</pre><pre>BurnerMax.exe</pre><pre>CreateSubKey</pre><pre>get_KeyCode</pre><pre>get_Msg</pre><pre>GetExecutingAssembly</pre><pre>GetPublicKey</pre><pre>ISupportInitialize</pre><pre>KeyEventArgs</pre><pre>KeyEventHandler</pre><pre>Keys</pre><pre>Microsoft.VisualC</pre><pre>Microsoft.Win32</pre><pre>NineRays.Decompiler</pre><pre>NineRays.Obfuscator</pre><pre>RegistryKey</pre><pre>set_KeyPreview</pre><pre>SetWindowsHookExA</pre><pre>System.Diagnostics</pre><pre>System.Drawing</pre><pre>System.Globalization</pre><pre>System.IO</pre><pre>System.Resources</pre><pre>System.Runtime.CompilerServices</pre><pre>System.Security</pre><pre>System.Security.Permissions</pre><pre>System.Text</pre><pre>UnhookWindowsHookEx</pre><pre>..\jf.snk</pre><pre>vThis software protected by 9Rays.Net Spices.Obfuscator (Evaluation version) and can't be used for commercial purposes.</pre><pre>C:\xbox360\BurnMax\BurnMax\Debug\BurnerMax.pdb</pre><pre>GetCPInfo</pre><pre>KERNEL32.dll</pre><pre>_CorExeMain</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>zcÁ</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tb2323xt.exe</pre><pre><requestedExecutionLevel level="highestAvailable" uiAccess="false" /></pre><pre><description>VC.NET How-To XP Theme Support</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>8 9'999@9[9{9</pre><pre>=%=1=?=^=</pre><pre>0D0J0y0</pre><pre>5 5`5 6|7</pre><pre>7$8(84888</pre><pre>mscorlib.dll</pre><pre>1.1.0.0</pre><pre>Interop.SHDocVw.dll</pre><pre>Assembly imported from type library SHDocVw</pre><pre>8856f961-340a-11d0-a96b-00c04fd705a2</pre><pre>$this.DrawGrid</pre><pre>$this.GridSize6</pre><pre>$this.Icon</pre><pre>$this.Language</pre><pre>$this.Localizable</pre><pre>$this.Locked</pre><pre>$this.SnapToGrid</pre><pre>$this.TrayHeight</pre><pre>$this.TrayLargeIcon</pre><pre>axWebBrowser1.Locked</pre><pre>axWebBrowser1.Modifiers</pre><pre>axWebBrowser1.OcxState</pre><pre>button12.Locked</pre><pre>button12.Modifiers</pre><pre>checkBox1.Locked</pre><pre>checkBox1.Modifiers</pre><pre>comboBox1.Locked</pre><pre>comboBox1.Modifiers</pre><pre>pictureBox1.Image</pre><pre>pictureBox1.Locked</pre><pre>pictureBox1.Modifiers</pre><pre>pictureBox2.Image</pre><pre>pictureBox2.Locked</pre><pre>pictureBox2.Modifiers</pre><pre>pictureBox5.Image</pre><pre>pictureBox5.Locked</pre><pre>pictureBox5.Modifiers</pre><pre>tabControl1.DrawGrid</pre><pre>tabControl1.GridSize</pre><pre>tabControl1.Locked</pre><pre>tabControl1.Modifiers</pre><pre>tabControl1.SnapToGrid</pre><pre>tabPage1.DrawGrid</pre><pre>tabPage1.GridSize</pre><pre>tabPage1.Locked</pre><pre>tabPage1.Modifiers</pre><pre>tabPage1.SnapToGrid</pre><pre>tabPage2.DrawGrid</pre><pre>tabPage2.GridSize</pre><pre>tabPage2.Locked</pre><pre>tabPage2.Modifiers</pre><pre>tabPage2.SnapToGrid</pre><pre>tabPage3.DrawGrid</pre><pre>tabPage3.GridSize</pre><pre>tabPage3.Locked</pre><pre>tabPage3.Modifiers</pre><pre>tabPage3.SnapToGrid</pre><pre>textBox3.Locked</pre><pre>textBox3.Modifiers</pre><pre>toolTip1.Location</pre><pre>toolTip1.Modifiers</pre><pre>. Z.cZ.#Z.</pre><pre><PermissionSet class="System.Security.PermissionSet"><pre><IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><pre>0, 15, 0, 0</pre><b>scvhost.exe_320:</b><pre>.text</pre><pre>`.itext</pre><pre>`.data</pre><pre>.idata</pre><pre>.rdata</pre><pre>@.reloc</pre><pre>B.rsrc</pre><pre>kernel32.dll</pre><pre>Windows</pre><pre>MSWHEEL_ROLLMSG</pre><pre>MSH_WHEELSUPPORT_MSG</pre><pre>MSH_SCROLL_LINES_MSG</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ssShift</pre><pre>htKeyword</pre><pre>EInvalidOperation</pre><pre>%s_%d</pre><pre>EInvalidGraphicOperation</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes</pre><pre>%s, ClassID: %s</pre><pre>%s, ProgID: "%s"</pre><pre>ole32.dll</pre><pre>USER32.DLL</pre><pre>uxtheme.dll</pre><pre>DWMAPI.DLL</pre><pre>clWebSnow</pre><pre>clWebFloralWhite</pre><pre>clWebLavenderBlush</pre><pre>clWebOldLace</pre><pre>clWebIvory</pre><pre>clWebCornSilk</pre><pre>clWebBeige</pre><pre>clWebAntiqueWhite</pre><pre>clWebWheat</pre><pre>clWebAliceBlue</pre><pre>clWebGhostWhite</pre><pre>clWebLavender</pre><pre>clWebSeashell</pre><pre>clWebLightYellow</pre><pre>clWebPapayaWhip</pre><pre>clWebNavajoWhite</pre><pre>clWebMoccasin</pre><pre>clWebBurlywood</pre><pre>clWebAzure</pre><pre>clWebMintcream</pre><pre>clWebHoneydew</pre><pre>clWebLinen</pre><pre>clWebLemonChiffon</pre><pre>clWebBlanchedAlmond</pre><pre>clWebBisque</pre><pre>clWebPeachPuff</pre><pre>clWebTan</pre><pre>clWebYellow</pre><pre>clWebDarkOrange</pre><pre>clWebRed</pre><pre>clWebDarkRed</pre><pre>clWebMaroon</pre><pre>clWebIndianRed</pre><pre>clWebSalmon</pre><pre>clWebCoral</pre><pre>clWebGold</pre><pre>clWebTomato</pre><pre>clWebCrimson</pre><pre>clWebBrown</pre><pre>clWebChocolate</pre><pre>clWebSandyBrown</pre><pre>clWebLightSalmon</pre><pre>clWebLightCoral</pre><pre>clWebOrange</pre><pre>clWebOrangeRed</pre><pre>clWebFirebrick</pre><pre>clWebSaddleBrown</pre><pre>clWebSienna</pre><pre>clWebPeru</pre><pre>clWebDarkSalmon</pre><pre>clWebRosyBrown</pre><pre>clWebPaleGoldenrod</pre><pre>clWebLightGoldenrodYellow</pre><pre>clWebOlive</pre><pre>clWebForestGreen</pre><pre>clWebGreenYellow</pre><pre>clWebChartreuse</pre><pre>clWebLightGreen</pre><pre>clWebAquamarine</pre><pre>clWebSeaGreen</pre><pre>clWebGoldenRod</pre><pre>clWebKhaki</pre><pre>clWebOliveDrab</pre><pre>clWebGreen</pre><pre>clWebYellowGreen</pre><pre>clWebLawnGreen</pre><pre>clWebPaleGreen</pre><pre>clWebMediumAquamarine</pre><pre>clWebMediumSeaGreen</pre><pre>clWebDarkGoldenRod</pre><pre>clWebDarkKhaki</pre><pre>clWebDarkOliveGreen</pre><pre>clWebDarkgreen</pre><pre>clWebLimeGreen</pre><pre>clWebLime</pre><pre>clWebSpringGreen</pre><pre>clWebMediumSpringGreen</pre><pre>clWebDarkSeaGreen</pre><pre>clWebLightSeaGreen</pre><pre>clWebPaleTurquoise</pre><pre>clWebLightCyan</pre><pre>clWebLightBlue</pre><pre>clWebLightSkyBlue</pre><pre>clWebCornFlowerBlue</pre><pre>clWebDarkBlue</pre><pre>clWebIndigo</pre><pre>clWebMediumTurquoise</pre><pre>clWebTurquoise</pre><pre>clWebCyan</pre><pre>clWebPowderBlue</pre><pre>clWebSkyBlue</pre><pre>clWebRoyalBlue</pre><pre>clWebMediumBlue</pre><pre>clWebMidnightBlue</pre><pre>clWebDarkTurquoise</pre><pre>clWebCadetBlue</pre><pre>clWebDarkCyan</pre><pre>clWebTeal</pre><pre>clWebDeepskyBlue</pre><pre>clWebDodgerBlue</pre><pre>clWebBlue</pre><pre>clWebNavy</pre><pre>clWebDarkViolet</pre><pre>clWebDarkOrchid</pre><pre>clWebMagenta</pre><pre>clWebDarkMagenta</pre><pre>clWebMediumVioletRed</pre><pre>clWebPaleVioletRed</pre><pre>clWebBlueViolet</pre><pre>clWebMediumOrchid</pre><pre>clWebMediumPurple</pre><pre>clWebPurple</pre><pre>clWebDeepPink</pre><pre>clWebLightPink</pre><pre>clWebViolet</pre><pre>clWebOrchid</pre><pre>clWebPlum</pre><pre>clWebThistle</pre><pre>clWebHotPink</pre><pre>clWebPink</pre><pre>clWebLightSteelBlue</pre><pre>clWebMediumSlateBlue</pre><pre>clWebLightSlateGray</pre><pre>clWebWhite</pre><pre>clWebLightgrey</pre><pre>clWebGray</pre><pre>clWebSteelBlue</pre><pre>clWebSlateBlue</pre><pre>clWebSlateGray</pre><pre>clWebWhiteSmoke</pre><pre>clWebSilver</pre><pre>clWebDimGray</pre><pre>clWebMistyRose</pre><pre>clWebDarkSlateBlue</pre><pre>clWebDarkSlategray</pre><pre>clWebGainsboro</pre><pre>clWebDarkGray</pre><pre>clWebBlack</pre><pre>comctl32.dll</pre><pre>AutoHotkeysd-</pre><pre>AutoHotkeys</pre><pre>\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\</pre><pre>ssHotTrack</pre><pre>TWindowState</pre><pre>poProportional</pre><pre>TWMKey</pre><pre>KeyPreview</pre><pre>WindowState</pre><pre>OnKeyDownL</pre><pre>OnKeyPress</pre><pre>OnKeyUpH</pre><pre>GlassFrame.Bottom</pre><pre>GlassFrame.Enabled</pre><pre>GlassFrame.Left</pre><pre>GlassFrame.Right</pre><pre>GlassFrame.SheetOfGlass</pre><pre>GlassFrame.Top</pre><pre>System\CurrentControlSet\Control\Keyboard Layouts\%.8x</pre><pre>User32.dll</pre><pre>TKeyEvent</pre><pre>TKeyPressEvent</pre><pre>HelpKeyword n</pre><pre>crSQLWait</pre><pre>%s (%s)</pre><pre>imm32.dll</pre><pre>TSocketPort</pre><pre>%d.%d.%d.%d</pre><pre>0.0.0.0</pre><pre>PSAPI.dll</pre><pre>TDCWebCam</pre><pre>127.0.0.1</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>1.2.3</pre><pre>127.0.0.1:1604</pre><pre>#KCMDDC51#-</pre><pre>5.3.0</pre><pre>cmd.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>hkey</pre><pre>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>*.torrent</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>explorer.exe</pre><pre>wlanapi.dll</pre><pre>80211_SHARED_KEY</pre><pre>user32.dll</pre><pre>TUploadFTP</pre><pre>notepad.exe</pre><pre>KEYNAME</pre><pre>%ShortCut#</pre><pre>RELATEDCMD</pre><pre>ping 127.0.0.1 -n 4 > NUL && "</pre><pre>DRKey</pre><pre>CRKey</pre><pre>DelMSKey</pre><pre>InstallHKEY</pre><pre>ActiveOnlineKeylogger</pre><pre>UnActiveOnlineKeylogger</pre><pre>KeylogOn</pre><pre>ActiveOfflineKeylogger</pre><pre>UnActiveOfflineKeylogger</pre><pre>ActiveOnlineKeyStrokes</pre><pre>UnActiveOnlineKeyStrokes</pre><pre>OpenWebPage</pre><pre>tmpprint.txt</pre><pre>URLUpdate</pre><pre>MSGBOX</pre><pre>#BOT#VisitUrl</pre><pre>#BOT#OpenUrl</pre><pre>HTTP://</pre><pre>http://</pre><pre>BTRESULTOpen URL|</pre><pre>Command successfully executed!|</pre><pre>#BOT#URLUpdate</pre><pre>BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|</pre><pre>BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|</pre><pre>#BOT#URLDownload</pre><pre>GetActivePorts</pre><pre>out.txt</pre><pre>tmp.txt</pre><pre>DDOSHTTPFLOOD</pre><pre>DDOSUDPFLOOD</pre><pre>%IPPORTSCAN</pre><pre>SAPI.SpVoice</pre><pre>WEBCAMLIVE</pre><pre>WEBCAMSTOP</pre><pre>PASSWORD</pre><pre>FTPFILEUPLOAD</pre><pre>URLDOWNLOADTOFILE</pre><pre>UPLOADEXEC</pre><pre>UPANDEXEC</pre><pre>FTPPORT</pre><pre>FTPPASS</pre><pre>FTPUSER</pre><pre>FTPHOST</pre><pre>FTPROOT</pre><pre>FTPUPLOADK</pre><pre>FTPSIZE</pre><pre>BTRESULTUDP Flood|UDP Flood task finished!|</pre><pre>PortScanAdd</pre><pre>BTRESULTVisit URL|finished to visit</pre><pre>BTERRORVisit URL|An exception occured in the thread|</pre><pre>POST /index.php/1.0</pre><pre>BTRESULTHTTP Flood|Http Flood task finished!|</pre><pre>Mozilla</pre><pre>BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|</pre><pre>BTERRORDownload File| Error on downloading file check if you type the correct url...|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>ERR|Cannot listen to port, try another one..|</pre><pre>TCaptureWebcam</pre><pre>taskmgr.exe</pre><pre>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>DC3_FEXEC</pre><pre>Windows NT 4.0</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Windows Server 2003</pre><pre>Windows Vista</pre><pre>Windows 7</pre><pre>Windows 95</pre><pre>Windows 98</pre><pre>Windows Me</pre><pre>S-%u-</pre><pre>FAKEMSG</pre><pre>MSGICON</pre><pre>MSGTITLE</pre><pre>MSGCORE</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>%Documents and Settings%\%current user%\Application Data\dclogs\2014-08-01-6.dc</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>keybd_event</pre><pre>VkKeyScanA</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjectsEx</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>EnumChildWindows</pre><pre>ActivateKeyboardLayout</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>version.dll</pre><pre>WinExec</pre><pre>PeekNamedPipe</pre><pre>GetWindowsDirectoryA</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>CreatePipe</pre><pre>RegQueryInfoKeyA</pre><pre>RegOpenKeyA</pre><pre>RegFlushKey</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegCreateKeyA</pre><pre>wsock32.dll</pre><pre>shell32.dll</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SHFileOperationA</pre><pre>URLMON.DLL</pre><pre>URLDownloadToFileA</pre><pre>wininet.dll</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoA</pre><pre>FtpPutFileA</pre><pre>winmm.dll</pre><pre>netapi32.dll</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>msacm32.dll</pre><pre>ntdll.dll</pre><pre>WS2_32.DLL</pre><pre>SHFolder.dll</pre><pre>SHELL32.DLL</pre><pre>AVICAP32.DLL</pre><pre>1!1,1=1|1</pre><pre>6 6$6(6,606</pre><pre>=!=%=)=-=1=</pre><pre>01m1</pre><pre>0 0$0(0,0004080<0@0</pre><pre><!><pre>;"<?<_><pre>; ;$;(;,;0;4;8;<;@;</pre><pre>7 8$888<8</pre><pre>= =$=(=,=0=4=8=</pre><pre>UntKeylogger</pre><pre>KWindows</pre><pre>UntActivePorts</pre><pre>UntControlKey</pre><pre>UntCaptureWebcam</pre><pre>UntWebCam</pre><pre>UrlMon</pre><pre>(UntUploadFTPThread</pre><pre>UntFTP</pre><pre>_UntUDPFlood</pre><pre>YUntScanPorts</pre><pre>0UntPasswordAndData</pre><pre>XUntHTTPFlood</pre><pre>UntCPU</pre><pre>66006666</pre><pre>No help found for %s#No context-sensitive help installed</pre><pre>No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s</pre><pre>Invalid clipboard format Clipboard does not support Icons</pre><pre>Cannot open clipboard/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Unsupported clipboard format</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre><pre>1, 0, 0, 1</pre><pre>MSRSAAP.EXE</pre><pre>4, 0, 0, 0</pre><b>scvhost.exe_320_rwx_00050000_000B2000:</b><pre>.text</pre><pre>`.itext</pre><pre>`.data</pre><pre>.idata</pre><pre>.rdata</pre><pre>@.reloc</pre><pre>B.rsrc</pre><pre>kernel32.dll</pre><pre>Windows</pre><pre>MSWHEEL_ROLLMSG</pre><pre>MSH_WHEELSUPPORT_MSG</pre><pre>MSH_SCROLL_LINES_MSG</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ssShift</pre><pre>htKeyword</pre><pre>EInvalidOperation</pre><pre>%s_%d</pre><pre>EInvalidGraphicOperation</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes</pre><pre>%s, ClassID: %s</pre><pre>%s, ProgID: "%s"</pre><pre>ole32.dll</pre><pre>USER32.DLL</pre><pre>uxtheme.dll</pre><pre>DWMAPI.DLL</pre><pre>clWebSnow</pre><pre>clWebFloralWhite</pre><pre>clWebLavenderBlush</pre><pre>clWebOldLace</pre><pre>clWebIvory</pre><pre>clWebCornSilk</pre><pre>clWebBeige</pre><pre>clWebAntiqueWhite</pre><pre>clWebWheat</pre><pre>clWebAliceBlue</pre><pre>clWebGhostWhite</pre><pre>clWebLavender</pre><pre>clWebSeashell</pre><pre>clWebLightYellow</pre><pre>clWebPapayaWhip</pre><pre>clWebNavajoWhite</pre><pre>clWebMoccasin</pre><pre>clWebBurlywood</pre><pre>clWebAzure</pre><pre>clWebMintcream</pre><pre>clWebHoneydew</pre><pre>clWebLinen</pre><pre>clWebLemonChiffon</pre><pre>clWebBlanchedAlmond</pre><pre>clWebBisque</pre><pre>clWebPeachPuff</pre><pre>clWebTan</pre><pre>clWebYellow</pre><pre>clWebDarkOrange</pre><pre>clWebRed</pre><pre>clWebDarkRed</pre><pre>clWebMaroon</pre><pre>clWebIndianRed</pre><pre>clWebSalmon</pre><pre>clWebCoral</pre><pre>clWebGold</pre><pre>clWebTomato</pre><pre>clWebCrimson</pre><pre>clWebBrown</pre><pre>clWebChocolate</pre><pre>clWebSandyBrown</pre><pre>clWebLightSalmon</pre><pre>clWebLightCoral</pre><pre>clWebOrange</pre><pre>clWebOrangeRed</pre><pre>clWebFirebrick</pre><pre>clWebSaddleBrown</pre><pre>clWebSienna</pre><pre>clWebPeru</pre><pre>clWebDarkSalmon</pre><pre>clWebRosyBrown</pre><pre>clWebPaleGoldenrod</pre><pre>clWebLightGoldenrodYellow</pre><pre>clWebOlive</pre><pre>clWebForestGreen</pre><pre>clWebGreenYellow</pre><pre>clWebChartreuse</pre><pre>clWebLightGreen</pre><pre>clWebAquamarine</pre><pre>clWebSeaGreen</pre><pre>clWebGoldenRod</pre><pre>clWebKhaki</pre><pre>clWebOliveDrab</pre><pre>clWebGreen</pre><pre>clWebYellowGreen</pre><pre>clWebLawnGreen</pre><pre>clWebPaleGreen</pre><pre>clWebMediumAquamarine</pre><pre>clWebMediumSeaGreen</pre><pre>clWebDarkGoldenRod</pre><pre>clWebDarkKhaki</pre><pre>clWebDarkOliveGreen</pre><pre>clWebDarkgreen</pre><pre>clWebLimeGreen</pre><pre>clWebLime</pre><pre>clWebSpringGreen</pre><pre>clWebMediumSpringGreen</pre><pre>clWebDarkSeaGreen</pre><pre>clWebLightSeaGreen</pre><pre>clWebPaleTurquoise</pre><pre>clWebLightCyan</pre><pre>clWebLightBlue</pre><pre>clWebLightSkyBlue</pre><pre>clWebCornFlowerBlue</pre><pre>clWebDarkBlue</pre><pre>clWebIndigo</pre><pre>clWebMediumTurquoise</pre><pre>clWebTurquoise</pre><pre>clWebCyan</pre><pre>clWebPowderBlue</pre><pre>clWebSkyBlue</pre><pre>clWebRoyalBlue</pre><pre>clWebMediumBlue</pre><pre>clWebMidnightBlue</pre><pre>clWebDarkTurquoise</pre><pre>clWebCadetBlue</pre><pre>clWebDarkCyan</pre><pre>clWebTeal</pre><pre>clWebDeepskyBlue</pre><pre>clWebDodgerBlue</pre><pre>clWebBlue</pre><pre>clWebNavy</pre><pre>clWebDarkViolet</pre><pre>clWebDarkOrchid</pre><pre>clWebMagenta</pre><pre>clWebDarkMagenta</pre><pre>clWebMediumVioletRed</pre><pre>clWebPaleVioletRed</pre><pre>clWebBlueViolet</pre><pre>clWebMediumOrchid</pre><pre>clWebMediumPurple</pre><pre>clWebPurple</pre><pre>clWebDeepPink</pre><pre>clWebLightPink</pre><pre>clWebViolet</pre><pre>clWebOrchid</pre><pre>clWebPlum</pre><pre>clWebThistle</pre><pre>clWebHotPink</pre><pre>clWebPink</pre><pre>clWebLightSteelBlue</pre><pre>clWebMediumSlateBlue</pre><pre>clWebLightSlateGray</pre><pre>clWebWhite</pre><pre>clWebLightgrey</pre><pre>clWebGray</pre><pre>clWebSteelBlue</pre><pre>clWebSlateBlue</pre><pre>clWebSlateGray</pre><pre>clWebWhiteSmoke</pre><pre>clWebSilver</pre><pre>clWebDimGray</pre><pre>clWebMistyRose</pre><pre>clWebDarkSlateBlue</pre><pre>clWebDarkSlategray</pre><pre>clWebGainsboro</pre><pre>clWebDarkGray</pre><pre>clWebBlack</pre><pre>comctl32.dll</pre><pre>AutoHotkeysd-</pre><pre>AutoHotkeys</pre><pre>\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\</pre><pre>ssHotTrack</pre><pre>TWindowState</pre><pre>poProportional</pre><pre>TWMKey</pre><pre>KeyPreview</pre><pre>WindowState</pre><pre>OnKeyDownL</pre><pre>OnKeyPress</pre><pre>OnKeyUpH</pre><pre>GlassFrame.Bottom</pre><pre>GlassFrame.Enabled</pre><pre>GlassFrame.Left</pre><pre>GlassFrame.Right</pre><pre>GlassFrame.SheetOfGlass</pre><pre>GlassFrame.Top</pre><pre>System\CurrentControlSet\Control\Keyboard Layouts\%.8x</pre><pre>User32.dll</pre><pre>TKeyEvent</pre><pre>TKeyPressEvent</pre><pre>HelpKeyword n</pre><pre>crSQLWait</pre><pre>%s (%s)</pre><pre>imm32.dll</pre><pre>TSocketPort</pre><pre>%d.%d.%d.%d</pre><pre>0.0.0.0</pre><pre>PSAPI.dll</pre><pre>TDCWebCam</pre><pre>127.0.0.1</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>1.2.3</pre><pre>127.0.0.1:1604</pre><pre>#KCMDDC51#-</pre><pre>5.3.0</pre><pre>cmd.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>hkey</pre><pre>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>*.torrent</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>explorer.exe</pre><pre>wlanapi.dll</pre><pre>80211_SHARED_KEY</pre><pre>user32.dll</pre><pre>TUploadFTP</pre><pre>notepad.exe</pre><pre>KEYNAME</pre><pre>%ShortCut#</pre><pre>RELATEDCMD</pre><pre>ping 127.0.0.1 -n 4 > NUL && "</pre><pre>DRKey</pre><pre>CRKey</pre><pre>DelMSKey</pre><pre>InstallHKEY</pre><pre>ActiveOnlineKeylogger</pre><pre>UnActiveOnlineKeylogger</pre><pre>KeylogOn</pre><pre>ActiveOfflineKeylogger</pre><pre>UnActiveOfflineKeylogger</pre><pre>ActiveOnlineKeyStrokes</pre><pre>UnActiveOnlineKeyStrokes</pre><pre>OpenWebPage</pre><pre>tmpprint.txt</pre><pre>URLUpdate</pre><pre>MSGBOX</pre><pre>#BOT#VisitUrl</pre><pre>#BOT#OpenUrl</pre><pre>HTTP://</pre><pre>http://</pre><pre>BTRESULTOpen URL|</pre><pre>Command successfully executed!|</pre><pre>#BOT#URLUpdate</pre><pre>BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|</pre><pre>BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|</pre><pre>#BOT#URLDownload</pre><pre>GetActivePorts</pre><pre>out.txt</pre><pre>tmp.txt</pre><pre>DDOSHTTPFLOOD</pre><pre>DDOSUDPFLOOD</pre><pre>%IPPORTSCAN</pre><pre>SAPI.SpVoice</pre><pre>WEBCAMLIVE</pre><pre>WEBCAMSTOP</pre><pre>PASSWORD</pre><pre>FTPFILEUPLOAD</pre><pre>URLDOWNLOADTOFILE</pre><pre>UPLOADEXEC</pre><pre>UPANDEXEC</pre><pre>FTPPORT</pre><pre>FTPPASS</pre><pre>FTPUSER</pre><pre>FTPHOST</pre><pre>FTPROOT</pre><pre>FTPUPLOADK</pre><pre>FTPSIZE</pre><pre>BTRESULTUDP Flood|UDP Flood task finished!|</pre><pre>PortScanAdd</pre><pre>BTRESULTVisit URL|finished to visit</pre><pre>BTERRORVisit URL|An exception occured in the thread|</pre><pre>POST /index.php/1.0</pre><pre>BTRESULTHTTP Flood|Http Flood task finished!|</pre><pre>Mozilla</pre><pre>BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|</pre><pre>BTERRORDownload File| Error on downloading file check if you type the correct url...|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>ERR|Cannot listen to port, try another one..|</pre><pre>TCaptureWebcam</pre><pre>taskmgr.exe</pre><pre>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>DC3_FEXEC</pre><pre>Windows NT 4.0</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Windows Server 2003</pre><pre>Windows Vista</pre><pre>Windows 7</pre><pre>Windows 95</pre><pre>Windows 98</pre><pre>Windows Me</pre><pre>S-%u-</pre><pre>FAKEMSG</pre><pre>MSGICON</pre><pre>MSGTITLE</pre><pre>MSGCORE</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>%Documents and Settings%\%current user%\Application Data\dclogs\2014-08-01-6.dc</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>keybd_event</pre><pre>VkKeyScanA</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjectsEx</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>EnumChildWindows</pre><pre>ActivateKeyboardLayout</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>version.dll</pre><pre>WinExec</pre><pre>PeekNamedPipe</pre><pre>GetWindowsDirectoryA</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>CreatePipe</pre><pre>RegQueryInfoKeyA</pre><pre>RegOpenKeyA</pre><pre>RegFlushKey</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegCreateKeyA</pre><pre>wsock32.dll</pre><pre>shell32.dll</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SHFileOperationA</pre><pre>URLMON.DLL</pre><pre>URLDownloadToFileA</pre><pre>wininet.dll</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoA</pre><pre>FtpPutFileA</pre><pre>winmm.dll</pre><pre>netapi32.dll</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>msacm32.dll</pre><pre>ntdll.dll</pre><pre>WS2_32.DLL</pre><pre>SHFolder.dll</pre><pre>SHELL32.DLL</pre><pre>AVICAP32.DLL</pre><pre>1!1,1=1|1</pre><pre>6 6$6(6,606</pre><pre>=!=%=)=-=1=</pre><pre>01m1</pre><pre>0 0$0(0,0004080<0@0</pre><pre><!><pre>;"<?<_><pre>; ;$;(;,;0;4;8;<;@;</pre><pre>7 8$888<8</pre><pre>= =$=(=,=0=4=8=</pre><pre>UntKeylogger</pre><pre>KWindows</pre><pre>UntActivePorts</pre><pre>UntControlKey</pre><pre>UntCaptureWebcam</pre><pre>UntWebCam</pre><pre>UrlMon</pre><pre>(UntUploadFTPThread</pre><pre>UntFTP</pre><pre>_UntUDPFlood</pre><pre>YUntScanPorts</pre><pre>0UntPasswordAndData</pre><pre>XUntHTTPFlood</pre><pre>UntCPU</pre><pre>66006666</pre><pre>No help found for %s#No context-sensitive help installed</pre><pre>No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s</pre><pre>Invalid clipboard format Clipboard does not support Icons</pre><pre>Cannot open clipboard/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Unsupported clipboard format</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre><pre>1, 0, 0, 1</pre><pre>MSRSAAP.EXE</pre><pre>4, 0, 0, 0</pre></_></pre></!></pre></_></pre></!></pre></IPermission></pre></PermissionSet></pre></IaV>