Trojan.Win32.Llac.gugk (Kaspersky), Gen:Heur.ManBat.1 (B) (Emsisoft), Gen:Heur.ManBat.1 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2ff4d57d2203575bac6e2fe165181e45
SHA1: 4f1f38270b18f03b43ff3800a89907025cabf1ac
SHA256: 0dfad0678e6f5d025287c245a1dd14a0e68e7dcc0f22f72ccb1468950f7b38fe
SSDeep: 24576:GF1wYAowSwIFadVan8Xb07M6dFMk7IXQFIjy9bl8uMXbk1sGbnkAZxbZL9g:Qwu3wIAXCMwP/7WIcSbzMXwSCnkUxXg
Size: 1537036 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria sl
Created at: 2014-06-12 20:01:42
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536
The Backdoor injects its code into the following process(es):
rundll32.exe:1912
cftmon.exe:1312
cftmon.exe:676
Explorer.EXE:884
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process dwwin.exe:2624 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)
The process %original file name%.exe:1940 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
The process %original file name%.exe:1108 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:2456 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:492 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
The process cftmon.exe:2880 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:1116 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
The process cftmon.exe:2012 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:1312 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)
The process cftmon.exe:896 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:676 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)
The process cftmon.exe:2232 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
The process cftmon.exe:2536 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
Registry activity
The process dwwin.exe:2624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 99 D6 6E 4B 5A F8 D0 EA D6 E3 6E 6C 7C 27 42"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:2604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 A1 0C 0F 52 B5 83 0A 48 C8 B8 BE 62 9F 54 F3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:2460 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 44 8F 31 AA CB BB 21 72 EE 43 B5 1A 87 11 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:2204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B DD E6 1E 9D 96 C3 2D 53 4A 89 A7 90 56 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:3024 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 1B 0D 5A 25 BC 78 F8 46 86 AE 72 14 1F 2D 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:2940 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 19 06 77 FC 15 1C B6 9E E3 F7 F5 E9 27 8B 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:2748 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B F4 BB 9E 11 B8 89 51 9E 1D 49 0E 88 9C 39 C8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 67 FA 64 89 F8 31 AF 20 5C 79 BB B4 58 CA 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process rundll32.exe:1880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 DE 03 FB 18 90 13 2B 6A 52 3C A2 EE 16 0D 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1940 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 6C DC 5A 58 CD 25 C2 C0 22 8D 1F 1A FA 73 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{06FRS15A-PJJC-36N0-6C57-2YBYHN66M0H2}]
"StubPath" = "%System%\cftmon.exe Restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cftmon.exe" = "vudmWThdHr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:1108 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F4 D4 99 8A 8F 4D 87 72 62 B2 D5 80 14 45 68"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process cftmon.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 46 43 E7 FF F1 7A 82 A2 95 65 C4 7D 29 4E 6E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:2456 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F1 B4 EE C6 2F 21 4B D7 0D 0F 0D 84 A3 79 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:2436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 45 1D 12 7A 2B E0 C6 4F 61 BC 5E CD 81 22 49"
The process cftmon.exe:492 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F BC 45 E3 B3 40 A3 25 10 2B 64 13 CC 84 A5 F1"
The process cftmon.exe:2880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 00 43 D9 56 09 3A AD 79 77 57 94 D6 F3 D7 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:2544 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C4 43 9E 47 67 FB F4 94 19 E9 6A E5 EE 3F EC"
The process cftmon.exe:2664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 5C 30 D7 6A AC 2D 5F F5 3C 00 DB 34 CB 6C 2A"
The process cftmon.exe:1116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 92 73 F3 DC F3 06 BF 15 8B 95 F1 A0 25 FA ED"
The process cftmon.exe:2012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 23 8E F9 B7 CE 7D 7B CE E1 EA 50 86 8F BC 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:2912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 0F BB 51 57 81 93 AF 3A 27 9E DD 96 CF 0D B8"
The process cftmon.exe:1312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 2B E7 2C 8C 46 E5 B4 16 2F CE 6E 27 F1 21 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process cftmon.exe:896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 B5 E9 66 0D 3C 0C 1A D5 23 A4 42 17 EB A4 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 0C 31 C5 27 9B A7 E6 48 8B 93 A4 EE F6 0B AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\CryptoSuite_Victim]
"NewIdentification" = "CryptoSuite_Victim"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\CryptoSuite_Victim]
"FirstExecution" = "19/06/2014 -- 11:18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process cftmon.exe:2232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 B9 4F B8 B9 9A DE 35 F5 E7 07 FB 08 8F 47 9D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
The process cftmon.exe:512 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 38 5A F7 1C AB FC 64 64 D2 06 20 A9 2A CE B4"
The process cftmon.exe:2536 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D A7 FB 2C 3E 6C 9D 3A 20 C8 D3 64 F9 19 4D CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)
%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: rDLWIRKjKV
Product Name: VxzDFUhwea
Product Version: 1.9.3.7
Legal Copyright: OLYtIoGEcx
Legal Trademarks: rqROtSJgDf
Original Filename: temp.exe
Internal Name: temp.exe
File Version: 1.9.3.7
File Description: vudmWThdHr
Comments: DAaRZoSkot
Language: English (Australia)
Company Name: rDLWIRKjKVProduct Name: VxzDFUhweaProduct Version: 1.9.3.7Legal Copyright: OLYtIoGEcxLegal Trademarks: rqROtSJgDfOriginal Filename: temp.exeInternal Name: temp.exeFile Version: 1.9.3.7File Description: vudmWThdHrComments: DAaRZoSkotLanguage: English (Australia)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 92882 | 93184 | 4.60091 | 002ff879b2b0c4f3677f1e27f2b72572 |
.rdata | 98304 | 19974 | 20480 | 3.3885 | 67440396afdbc87c679ada8acd0fdf2e |
.data | 118784 | 18636 | 6144 | 2.72567 | cf19e9657143166e9ac0344d20fd2b45 |
.rsrc | 139264 | 205016 | 205312 | 3.26 | 462472bd839efe26effa60bb27543fd6 |
.reloc | 348160 | 8110 | 8192 | 3.42245 | 43339f5586549001020910796e980af4 |
Pyrm | 356352 | 4096 | 512 | 0.261475 | bcd4e3320580612a10d7e29e233f87d5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
445566.no-ip.biz | 198.136.55.78 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
rundll32.exe_1912:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
cftmon.exe_676_rwx_00150000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_00290000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_002D0000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_00310000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_00350000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_00390000_00001000:
KERNEL32.DLL
KERNEL32.DLL
cftmon.exe_676_rwx_00B20000_00001000:
advapi32.dll
advapi32.dll
cftmon.exe_676_rwx_00C50000_00001000:
RegOpenKeyA
RegOpenKeyA
cftmon.exe_676_rwx_00C60000_00001000:
advapi32.dll
advapi32.dll
cftmon.exe_676_rwx_00C90000_00001000:
AVICAP32.DLL
AVICAP32.DLL
cftmon.exe_676_rwx_00DD0000_00001000:
AVICAP32.DLL
AVICAP32.DLL
cftmon.exe_676_rwx_00E00000_00001000:
gdi32.dll
gdi32.dll
cftmon.exe_676_rwx_00E40000_00001000:
gdi32.dll
gdi32.dll
cftmon.exe_676_rwx_00E70000_00001000:
gdiplus.dll
gdiplus.dll
cftmon.exe_676_rwx_00EB0000_00001000:
gdiplus.dll
gdiplus.dll
cftmon.exe_676_rwx_00EF0000_00001000:
mpr.dll
mpr.dll
cftmon.exe_676_rwx_01260000_00001000:
mpr.dll
mpr.dll
cftmon.exe_676_rwx_01290000_00001000:
msacm32.dll
msacm32.dll
cftmon.exe_676_rwx_013D0000_00001000:
msacm32.dll
msacm32.dll
cftmon.exe_676_rwx_01400000_00001000:
ntdll.dll
ntdll.dll
cftmon.exe_676_rwx_01540000_00001000:
ntdll.dll
ntdll.dll
cftmon.exe_676_rwx_01570000_00001000:
ole32.dll
ole32.dll
cftmon.exe_676_rwx_016B0000_00001000:
ole32.dll
ole32.dll
cftmon.exe_676_rwx_016E0000_00001000:
oleaut32.dll
oleaut32.dll
cftmon.exe_676_rwx_01720000_00001000:
oleaut32.dll
oleaut32.dll
cftmon.exe_676_rwx_01860000_00001000:
powrprof.dll
powrprof.dll
cftmon.exe_676_rwx_019A0000_00001000:
powrprof.dll
powrprof.dll
cftmon.exe_676_rwx_019D0000_00001000:
shell32.dll
shell32.dll
cftmon.exe_676_rwx_01B10000_00001000:
shell32.dll
shell32.dll
cftmon.exe_676_rwx_01B40000_00001000:
user32.dll
user32.dll
cftmon.exe_676_rwx_01C80000_00001000:
user32.dll
user32.dll
cftmon.exe_676_rwx_01CB0000_00001000:
wininet.dll
wininet.dll
cftmon.exe_676_rwx_01DE0000_00001000:
FtpOpenFileA
FtpOpenFileA
cftmon.exe_676_rwx_01DF0000_00001000:
wininet.dll
wininet.dll
cftmon.exe_676_rwx_01E20000_00001000:
winmm.dll
winmm.dll
cftmon.exe_676_rwx_01F60000_00001000:
winmm.dll
winmm.dll
cftmon.exe_676_rwx_01F90000_00001000:
wsock32.dll
wsock32.dll
cftmon.exe_676_rwx_020E0000_00001000:
wsock32.dll
wsock32.dll
cftmon.exe_676_rwx_028B0000_0004B000:
`.rsrc
`.rsrc
40,(''''$
40,(''''$
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
ole32.dll
ole32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
##@@## ##@@## ##@@##
##@@## ##@@## ##@@##
sqlite3_bind_blob
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_open
sqlite3_close
sqlite3_close
sqlite3_errmsg
sqlite3_errmsg
sqlite3_errcode
sqlite3_errcode
sqlite3_free
sqlite3_free
sqlite3_prepare_v2
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_count
sqlite3_column_name
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_decltype
sqlite3_step
sqlite3_step
sqlite3_column_blob
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_double
sqlite3_column_text
sqlite3_column_text
sqlite3_column_type
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_int64
sqlite3_finalize
sqlite3_finalize
sqlite3_reset
sqlite3_reset
SQL error or missing database
SQL error or missing database
An internal logic error in SQLite
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has another row ready
sqlite3_step() has finished executing
sqlite3_step() has finished executing
Unknown SQLite Error Code "
Unknown SQLite Error Code "
u%CNu
u%CNu
%s[%d]
%s[%d]
ESQLiteException
ESQLiteException
TSQLiteDatabase
TSQLiteDatabase
TSQLiteTable
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Failed to open database "%s" : unknown error
Error [%d]: %s.
Error [%d]: %s.
"%s": %s
"%s": %s
Error executing SQL
Error executing SQL
Could not prepare SQL statement
Could not prepare SQL statement
Error executing SQL statement
Error executing SQL statement
SQLite is Busy
SQLite is Busy
\Google\Chrome\User Data\Default\Web Data
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
SELECT * FROM logins
password_value
password_value
origin_url
origin_url
getservbyport
getservbyport
WSAAsyncGetServByPort
WSAAsyncGetServByPort
WSAJoinLeaf
WSAJoinLeaf
WS2_32.DLL
WS2_32.DLL
127.0.0.1
127.0.0.1
TIdSocketListWindows
TIdSocketListWindows
TIdStackWindowsU
TIdStackWindowsU
IdStackWindows
IdStackWindows
ftpTransfer
ftpTransfer
ftpReady
ftpReady
ftpAborted
ftpAborted
ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>cftmon.exe_676_rwx_02A40000_0004B000:</b><pre>`.rsrc</pre><pre>40,(''''$</pre><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ole32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>##@@## ##@@## ##@@##</pre><pre>sqlite3_bind_blob</pre><pre>sqlite3_bind_text</pre><pre>sqlite3_bind_double</pre><pre>sqlite3_bind_int</pre><pre>sqlite3_bind_int64</pre><pre>sqlite3_bind_null</pre><pre>sqlite3_bind_parameter_index</pre><pre>sqlite3_open</pre><pre>sqlite3_close</pre><pre>sqlite3_errmsg</pre><pre>sqlite3_errcode</pre><pre>sqlite3_free</pre><pre>sqlite3_prepare_v2</pre><pre>sqlite3_column_count</pre><pre>sqlite3_column_name</pre><pre>sqlite3_column_decltype</pre><pre>sqlite3_step</pre><pre>sqlite3_column_blob</pre><pre>sqlite3_column_bytes</pre><pre>sqlite3_column_double</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_type</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_reset</pre><pre>SQL error or missing database</pre><pre>An internal logic error in SQLite</pre><pre>Operation terminated by sqlite3_interrupt()</pre><pre>Uses OS features not supported on host</pre><pre>2nd parameter to sqlite3_bind out of range</pre><pre>sqlite3_step() has another row ready</pre><pre>sqlite3_step() has finished executing</pre><pre>Unknown SQLite Error Code "</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>ESQLiteException</pre><pre>TSQLiteDatabase</pre><pre>TSQLiteTable</pre><pre>Failed to open database "%s" : %s</pre><pre>Failed to open database "%s" : unknown error</pre><pre>Error [%d]: %s.</pre><pre>"%s": %s</pre><pre>Error executing SQL</pre><pre>Could not prepare SQL statement</pre><pre>Error executing SQL statement</pre><pre>SQLite is Busy</pre><pre>\Google\Chrome\User Data\Default\Web Data</pre><pre>SELECT * FROM logins</pre><pre>password_value</pre><pre>origin_url</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>cftmon.exe_676_rwx_02B90000_0004B000:</b><pre>`.rsrc</pre><pre>40,(''''$</pre><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ole32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>##@@## ##@@## ##@@##</pre><pre>sqlite3_bind_blob</pre><pre>sqlite3_bind_text</pre><pre>sqlite3_bind_double</pre><pre>sqlite3_bind_int</pre><pre>sqlite3_bind_int64</pre><pre>sqlite3_bind_null</pre><pre>sqlite3_bind_parameter_index</pre><pre>sqlite3_open</pre><pre>sqlite3_close</pre><pre>sqlite3_errmsg</pre><pre>sqlite3_errcode</pre><pre>sqlite3_free</pre><pre>sqlite3_prepare_v2</pre><pre>sqlite3_column_count</pre><pre>sqlite3_column_name</pre><pre>sqlite3_column_decltype</pre><pre>sqlite3_step</pre><pre>sqlite3_column_blob</pre><pre>sqlite3_column_bytes</pre><pre>sqlite3_column_double</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_type</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_reset</pre><pre>SQL error or missing database</pre><pre>An internal logic error in SQLite</pre><pre>Operation terminated by sqlite3_interrupt()</pre><pre>Uses OS features not supported on host</pre><pre>2nd parameter to sqlite3_bind out of range</pre><pre>sqlite3_step() has another row ready</pre><pre>sqlite3_step() has finished executing</pre><pre>Unknown SQLite Error Code "</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>ESQLiteException</pre><pre>TSQLiteDatabase</pre><pre>TSQLiteTable</pre><pre>Failed to open database "%s" : %s</pre><pre>Failed to open database "%s" : unknown error</pre><pre>Error [%d]: %s.</pre><pre>"%s": %s</pre><pre>Error executing SQL</pre><pre>Could not prepare SQL statement</pre><pre>Error executing SQL statement</pre><pre>SQLite is Busy</pre><pre>\Google\Chrome\User Data\Default\Web Data</pre><pre>SELECT * FROM logins</pre><pre>password_value</pre><pre>origin_url</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>cftmon.exe_676_rwx_24010000_00062000:</b><pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre><b>cftmon.exe_1312_rwx_00150000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_00290000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_002D0000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_00310000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_00350000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_00390000_00001000:</b><pre>KERNEL32.DLL</pre><b>cftmon.exe_1312_rwx_00B20000_00001000:</b><pre>advapi32.dll</pre><b>cftmon.exe_1312_rwx_00C50000_00001000:</b><pre>RegOpenKeyA</pre><b>cftmon.exe_1312_rwx_00C60000_00001000:</b><pre>advapi32.dll</pre><b>cftmon.exe_1312_rwx_00C90000_00001000:</b><pre>AVICAP32.DLL</pre><b>cftmon.exe_1312_rwx_00DD0000_00001000:</b><pre>AVICAP32.DLL</pre><b>cftmon.exe_1312_rwx_00E00000_00001000:</b><pre>gdi32.dll</pre><b>cftmon.exe_1312_rwx_00E40000_00001000:</b><pre>gdi32.dll</pre><b>cftmon.exe_1312_rwx_00E70000_00001000:</b><pre>gdiplus.dll</pre><b>cftmon.exe_1312_rwx_00EB0000_00001000:</b><pre>gdiplus.dll</pre><b>cftmon.exe_1312_rwx_00EF0000_00001000:</b><pre>mpr.dll</pre><b>cftmon.exe_1312_rwx_01260000_00001000:</b><pre>mpr.dll</pre><b>cftmon.exe_1312_rwx_01290000_00001000:</b><pre>msacm32.dll</pre><b>cftmon.exe_1312_rwx_013D0000_00001000:</b><pre>msacm32.dll</pre><b>cftmon.exe_1312_rwx_01400000_00001000:</b><pre>ntdll.dll</pre><b>cftmon.exe_1312_rwx_01540000_00001000:</b><pre>ntdll.dll</pre><b>cftmon.exe_1312_rwx_01570000_00001000:</b><pre>ole32.dll</pre><b>cftmon.exe_1312_rwx_016B0000_00001000:</b><pre>ole32.dll</pre><b>cftmon.exe_1312_rwx_016E0000_00001000:</b><pre>oleaut32.dll</pre><b>cftmon.exe_1312_rwx_01720000_00001000:</b><pre>oleaut32.dll</pre><b>cftmon.exe_1312_rwx_01860000_00001000:</b><pre>powrprof.dll</pre><b>cftmon.exe_1312_rwx_019A0000_00001000:</b><pre>powrprof.dll</pre><b>cftmon.exe_1312_rwx_019D0000_00001000:</b><pre>shell32.dll</pre><b>cftmon.exe_1312_rwx_01B10000_00001000:</b><pre>shell32.dll</pre><b>cftmon.exe_1312_rwx_01B40000_00001000:</b><pre>user32.dll</pre><b>cftmon.exe_1312_rwx_01C80000_00001000:</b><pre>user32.dll</pre><b>cftmon.exe_1312_rwx_01CB0000_00001000:</b><pre>wininet.dll</pre><b>cftmon.exe_1312_rwx_01DE0000_00001000:</b><pre>FtpOpenFileA</pre><b>cftmon.exe_1312_rwx_01DF0000_00001000:</b><pre>wininet.dll</pre><b>cftmon.exe_1312_rwx_01E20000_00001000:</b><pre>winmm.dll</pre><b>cftmon.exe_1312_rwx_01F60000_00001000:</b><pre>winmm.dll</pre><b>cftmon.exe_1312_rwx_01F90000_00001000:</b><pre>wsock32.dll</pre><b>cftmon.exe_1312_rwx_020E0000_00001000:</b><pre>wsock32.dll</pre><b>cftmon.exe_1312_rwx_24010000_00062000:</b><pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre><b>Explorer.EXE_884_rwx_014D0000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_02000000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_02040000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_02080000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_020C0000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_02100000_00001000:</b><pre>KERNEL32.DLL</pre><b>Explorer.EXE_884_rwx_02130000_00001000:</b><pre>advapi32.dll</pre><b>Explorer.EXE_884_rwx_02260000_00001000:</b><pre>RegOpenKeyA</pre><b>Explorer.EXE_884_rwx_02270000_00001000:</b><pre>advapi32.dll</pre><b>Explorer.EXE_884_rwx_022A0000_00001000:</b><pre>AVICAP32.DLL</pre><b>Explorer.EXE_884_rwx_023E0000_00001000:</b><pre>AVICAP32.DLL</pre><b>Explorer.EXE_884_rwx_02410000_00001000:</b><pre>gdi32.dll</pre><b>Explorer.EXE_884_rwx_02550000_00001000:</b><pre>gdi32.dll</pre><b>Explorer.EXE_884_rwx_02580000_00001000:</b><pre>gdiplus.dll</pre><b>Explorer.EXE_884_rwx_026C0000_00001000:</b><pre>gdiplus.dll</pre><b>Explorer.EXE_884_rwx_026F0000_00001000:</b><pre>mpr.dll</pre><b>Explorer.EXE_884_rwx_02730000_00001000:</b><pre>mpr.dll</pre><b>Explorer.EXE_884_rwx_02760000_00001000:</b><pre>msacm32.dll</pre><b>Explorer.EXE_884_rwx_027A0000_00001000:</b><pre>msacm32.dll</pre><b>Explorer.EXE_884_rwx_027D0000_00001000:</b><pre>ntdll.dll</pre><b>Explorer.EXE_884_rwx_02B20000_00001000:</b><pre>ntdll.dll</pre><b>Explorer.EXE_884_rwx_02B50000_00001000:</b><pre>ole32.dll</pre><b>Explorer.EXE_884_rwx_02C90000_00001000:</b><pre>ole32.dll</pre><b>Explorer.EXE_884_rwx_02CC0000_00001000:</b><pre>oleaut32.dll</pre><b>Explorer.EXE_884_rwx_02E00000_00001000:</b><pre>oleaut32.dll</pre><b>Explorer.EXE_884_rwx_02E30000_00001000:</b><pre>powrprof.dll</pre><b>Explorer.EXE_884_rwx_02F70000_00001000:</b><pre>powrprof.dll</pre><b>Explorer.EXE_884_rwx_02FA0000_00001000:</b><pre>shell32.dll</pre><b>Explorer.EXE_884_rwx_030E0000_00001000:</b><pre>shell32.dll</pre><b>Explorer.EXE_884_rwx_03110000_00001000:</b><pre>user32.dll</pre><b>Explorer.EXE_884_rwx_03250000_00001000:</b><pre>user32.dll</pre><b>Explorer.EXE_884_rwx_03280000_00001000:</b><pre>wininet.dll</pre><b>Explorer.EXE_884_rwx_033B0000_00001000:</b><pre>FtpOpenFileA</pre><b>Explorer.EXE_884_rwx_033C0000_00001000:</b><pre>wininet.dll</pre><b>Explorer.EXE_884_rwx_033F0000_00001000:</b><pre>winmm.dll</pre><b>Explorer.EXE_884_rwx_03530000_00001000:</b><pre>winmm.dll</pre><b>Explorer.EXE_884_rwx_03560000_00001000:</b><pre>wsock32.dll</pre><b>Explorer.EXE_884_rwx_036A0000_00001000:</b><pre>wsock32.dll</pre><b>Explorer.EXE_884_rwx_03840000_00001000:</b><pre>c:\%original file name%.exe</pre><b>Explorer.EXE_884_rwx_24010000_00062000:</b><pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre></pre></pre></pre></pre></pre>