Backdoor.Win32.PcClient_2ff4d57d22 – Adaware

Trojan.Win32.Llac.gugk (Kaspersky), Gen:Heur.ManBat.1 (B) (Emsisoft), Gen:Heur.ManBat.1 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, VirTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2ff4d57d2203575bac6e2fe165181e45

SHA1: 4f1f38270b18f03b43ff3800a89907025cabf1ac

SHA256: 0dfad0678e6f5d025287c245a1dd14a0e68e7dcc0f22f72ccb1468950f7b38fe

SSDeep: 24576:GF1wYAowSwIFadVan8Xb07M6dFMk7IXQFIjy9bl8uMXbk1sGbnkAZxbZL9g:Qwu3wIAXCMwP/7WIcSbzMXwSCnkUxXg

Size: 1537036 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Firseria sl

Created at: 2014-06-12 20:01:42

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536

The Backdoor injects its code into the following process(es):

rundll32.exe:1912
cftmon.exe:1312
cftmon.exe:676
Explorer.EXE:884

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process dwwin.exe:2624 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)

The process %original file name%.exe:1940 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process %original file name%.exe:1108 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:596 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:2456 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:492 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process cftmon.exe:2880 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:1116 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process cftmon.exe:2012 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:1312 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)

The process cftmon.exe:896 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:676 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)

The process cftmon.exe:2232 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:2536 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

Registry activity

The process dwwin.exe:2624 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 99 D6 6E 4B 5A F8 D0 EA D6 E3 6E 6C 7C 27 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:2604 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 A1 0C 0F 52 B5 83 0A 48 C8 B8 BE 62 9F 54 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2460 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 44 8F 31 AA CB BB 21 72 EE 43 B5 1A 87 11 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2204 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B DD E6 1E 9D 96 C3 2D 53 4A 89 A7 90 56 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:3024 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 1B 0D 5A 25 BC 78 F8 46 86 AE 72 14 1F 2D 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2940 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 19 06 77 FC 15 1C B6 9E E3 F7 F5 E9 27 8B 85"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2748 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B F4 BB 9E 11 B8 89 51 9E 1D 49 0E 88 9C 39 C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1912 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 67 FA 64 89 F8 31 AF 20 5C 79 BB B4 58 CA 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1880 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 DE 03 FB 18 90 13 2B 6A 52 3C A2 EE 16 0D 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1940 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 6C DC 5A 58 CD 25 C2 C0 22 8D 1F 1A FA 73 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{06FRS15A-PJJC-36N0-6C57-2YBYHN66M0H2}]
"StubPath" = "%System%\cftmon.exe Restart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cftmon.exe" = "vudmWThdHr"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process %original file name%.exe:1108 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F4 D4 99 8A 8F 4D 87 72 62 B2 D5 80 14 45 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process cftmon.exe:596 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 46 43 E7 FF F1 7A 82 A2 95 65 C4 7D 29 4E 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2456 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F1 B4 EE C6 2F 21 4B D7 0D 0F 0D 84 A3 79 E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2436 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 45 1D 12 7A 2B E0 C6 4F 61 BC 5E CD 81 22 49"

The process cftmon.exe:492 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F BC 45 E3 B3 40 A3 25 10 2B 64 13 CC 84 A5 F1"

The process cftmon.exe:2880 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 00 43 D9 56 09 3A AD 79 77 57 94 D6 F3 D7 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2544 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C4 43 9E 47 67 FB F4 94 19 E9 6A E5 EE 3F EC"

The process cftmon.exe:2664 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 5C 30 D7 6A AC 2D 5F F5 3C 00 DB 34 CB 6C 2A"

The process cftmon.exe:1116 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 92 73 F3 DC F3 06 BF 15 8B 95 F1 A0 25 FA ED"

The process cftmon.exe:2012 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 23 8E F9 B7 CE 7D 7B CE E1 EA 50 86 8F BC 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2912 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 0F BB 51 57 81 93 AF 3A 27 9E DD 96 CF 0D B8"

The process cftmon.exe:1312 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 2B E7 2C 8C 46 E5 B4 16 2F CE 6E 27 F1 21 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process cftmon.exe:896 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 B5 E9 66 0D 3C 0C 1A D5 23 A4 42 17 EB A4 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:676 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 0C 31 C5 27 9B A7 E6 48 8B 93 A4 EE F6 0B AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\CryptoSuite_Victim]
"NewIdentification" = "CryptoSuite_Victim"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CryptoSuite_Victim]
"FirstExecution" = "19/06/2014 -- 11:18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process cftmon.exe:2232 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 B9 4F B8 B9 9A DE 35 F5 E7 07 FB 08 8F 47 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:512 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 38 5A F7 1C AB FC 64 64 D2 06 20 A9 2A CE B4"

The process cftmon.exe:2536 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D A7 FB 2C 3E 6C 9D 3A 20 C8 D3 64 F9 19 4D CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)
%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: rDLWIRKjKV
Product Name: VxzDFUhwea
Product Version: 1.9.3.7
Legal Copyright: OLYtIoGEcx
Legal Trademarks: rqROtSJgDf
Original Filename: temp.exe
Internal Name: temp.exe
File Version: 1.9.3.7
File Description: vudmWThdHr
Comments: DAaRZoSkot
Language: English (Australia)

Company Name: rDLWIRKjKVProduct Name: VxzDFUhweaProduct Version: 1.9.3.7Legal Copyright: OLYtIoGEcxLegal Trademarks: rqROtSJgDfOriginal Filename: temp.exeInternal Name: temp.exeFile Version: 1.9.3.7File Description: vudmWThdHrComments: DAaRZoSkotLanguage: English (Australia)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	92882	93184	4.60091	002ff879b2b0c4f3677f1e27f2b72572
.rdata	98304	19974	20480	3.3885	67440396afdbc87c679ada8acd0fdf2e
.data	118784	18636	6144	2.72567	cf19e9657143166e9ac0344d20fd2b45
.rsrc	139264	205016	205312	3.26	462472bd839efe26effa60bb27543fd6
.reloc	348160	8110	8192	3.42245	43339f5586549001020910796e980af4
Pyrm	356352	4096	512	0.261475	bcd4e3320580612a10d7e29e233f87d5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
445566.no-ip.biz	198.136.55.78

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1912:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

cftmon.exe_676_rwx_00150000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00290000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_002D0000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00310000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00350000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00390000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00B20000_00001000:

advapi32.dll

cftmon.exe_676_rwx_00C50000_00001000:

RegOpenKeyA

cftmon.exe_676_rwx_00C60000_00001000:

advapi32.dll

cftmon.exe_676_rwx_00C90000_00001000:

AVICAP32.DLL

cftmon.exe_676_rwx_00DD0000_00001000:

AVICAP32.DLL

cftmon.exe_676_rwx_00E00000_00001000:

gdi32.dll

cftmon.exe_676_rwx_00E40000_00001000:

gdi32.dll

cftmon.exe_676_rwx_00E70000_00001000:

gdiplus.dll

cftmon.exe_676_rwx_00EB0000_00001000:

gdiplus.dll

cftmon.exe_676_rwx_00EF0000_00001000:

mpr.dll

cftmon.exe_676_rwx_01260000_00001000:

mpr.dll

cftmon.exe_676_rwx_01290000_00001000:

msacm32.dll

cftmon.exe_676_rwx_013D0000_00001000:

msacm32.dll

cftmon.exe_676_rwx_01400000_00001000:

ntdll.dll

cftmon.exe_676_rwx_01540000_00001000:

ntdll.dll

cftmon.exe_676_rwx_01570000_00001000:

ole32.dll

cftmon.exe_676_rwx_016B0000_00001000:

ole32.dll

cftmon.exe_676_rwx_016E0000_00001000:

oleaut32.dll

cftmon.exe_676_rwx_01720000_00001000:

oleaut32.dll

cftmon.exe_676_rwx_01860000_00001000:

powrprof.dll

cftmon.exe_676_rwx_019A0000_00001000:

powrprof.dll

cftmon.exe_676_rwx_019D0000_00001000:

shell32.dll

cftmon.exe_676_rwx_01B10000_00001000:

shell32.dll

cftmon.exe_676_rwx_01B40000_00001000:

user32.dll

cftmon.exe_676_rwx_01C80000_00001000:

user32.dll

cftmon.exe_676_rwx_01CB0000_00001000:

wininet.dll

cftmon.exe_676_rwx_01DE0000_00001000:

FtpOpenFileA

cftmon.exe_676_rwx_01DF0000_00001000:

wininet.dll

cftmon.exe_676_rwx_01E20000_00001000:

winmm.dll

cftmon.exe_676_rwx_01F60000_00001000:

winmm.dll

cftmon.exe_676_rwx_01F90000_00001000:

wsock32.dll

cftmon.exe_676_rwx_020E0000_00001000:

wsock32.dll

cftmon.exe_676_rwx_028B0000_0004B000:

`.rsrc

40,(''''$

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ole32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

##@@## ##@@## ##@@##

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_close

sqlite3_errmsg

sqlite3_errcode

sqlite3_free

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_name

sqlite3_column_decltype

sqlite3_step

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_text

sqlite3_column_type

sqlite3_column_int64

sqlite3_finalize

sqlite3_reset

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code "

u%CNu

%s[%d]

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Error [%d]: %s.

"%s": %s

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

SQLite is Busy

\Google\Chrome\User Data\Default\Web Data

SELECT * FROM logins

password_value

origin_url

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

ftpTransfer

ftpReady

ftpAborted

ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre>cftmon.exe_676_rwx_02A40000_0004B000:<pre>`.rsrc</pre><pre>40,(''''$</pre><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ole32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>##@@## ##@@## ##@@##</pre><pre>sqlite3_bind_blob</pre><pre>sqlite3_bind_text</pre><pre>sqlite3_bind_double</pre><pre>sqlite3_bind_int</pre><pre>sqlite3_bind_int64</pre><pre>sqlite3_bind_null</pre><pre>sqlite3_bind_parameter_index</pre><pre>sqlite3_open</pre><pre>sqlite3_close</pre><pre>sqlite3_errmsg</pre><pre>sqlite3_errcode</pre><pre>sqlite3_free</pre><pre>sqlite3_prepare_v2</pre><pre>sqlite3_column_count</pre><pre>sqlite3_column_name</pre><pre>sqlite3_column_decltype</pre><pre>sqlite3_step</pre><pre>sqlite3_column_blob</pre><pre>sqlite3_column_bytes</pre><pre>sqlite3_column_double</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_type</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_reset</pre><pre>SQL error or missing database</pre><pre>An internal logic error in SQLite</pre><pre>Operation terminated by sqlite3_interrupt()</pre><pre>Uses OS features not supported on host</pre><pre>2nd parameter to sqlite3_bind out of range</pre><pre>sqlite3_step() has another row ready</pre><pre>sqlite3_step() has finished executing</pre><pre>Unknown SQLite Error Code "</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>ESQLiteException</pre><pre>TSQLiteDatabase</pre><pre>TSQLiteTable</pre><pre>Failed to open database "%s" : %s</pre><pre>Failed to open database "%s" : unknown error</pre><pre>Error [%d]: %s.</pre><pre>"%s": %s</pre><pre>Error executing SQL</pre><pre>Could not prepare SQL statement</pre><pre>Error executing SQL statement</pre><pre>SQLite is Busy</pre><pre>\Google\Chrome\User Data\Default\Web Data</pre><pre>SELECT * FROM logins</pre><pre>password_value</pre><pre>origin_url</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre>cftmon.exe_676_rwx_02B90000_0004B000:<pre>`.rsrc</pre><pre>40,(''''$</pre><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ole32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>##@@## ##@@## ##@@##</pre><pre>sqlite3_bind_blob</pre><pre>sqlite3_bind_text</pre><pre>sqlite3_bind_double</pre><pre>sqlite3_bind_int</pre><pre>sqlite3_bind_int64</pre><pre>sqlite3_bind_null</pre><pre>sqlite3_bind_parameter_index</pre><pre>sqlite3_open</pre><pre>sqlite3_close</pre><pre>sqlite3_errmsg</pre><pre>sqlite3_errcode</pre><pre>sqlite3_free</pre><pre>sqlite3_prepare_v2</pre><pre>sqlite3_column_count</pre><pre>sqlite3_column_name</pre><pre>sqlite3_column_decltype</pre><pre>sqlite3_step</pre><pre>sqlite3_column_blob</pre><pre>sqlite3_column_bytes</pre><pre>sqlite3_column_double</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_type</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_reset</pre><pre>SQL error or missing database</pre><pre>An internal logic error in SQLite</pre><pre>Operation terminated by sqlite3_interrupt()</pre><pre>Uses OS features not supported on host</pre><pre>2nd parameter to sqlite3_bind out of range</pre><pre>sqlite3_step() has another row ready</pre><pre>sqlite3_step() has finished executing</pre><pre>Unknown SQLite Error Code "</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>ESQLiteException</pre><pre>TSQLiteDatabase</pre><pre>TSQLiteTable</pre><pre>Failed to open database "%s" : %s</pre><pre>Failed to open database "%s" : unknown error</pre><pre>Error [%d]: %s.</pre><pre>"%s": %s</pre><pre>Error executing SQL</pre><pre>Could not prepare SQL statement</pre><pre>Error executing SQL statement</pre><pre>SQLite is Busy</pre><pre>\Google\Chrome\User Data\Default\Web Data</pre><pre>SELECT * FROM logins</pre><pre>password_value</pre><pre>origin_url</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMaxh</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Porth</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>TIdTCPConnection4</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>EIdObjectTypeNotSupported</pre><pre>%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas</pre><pre>TIdTCPServer</pre><pre>IdTCPServer</pre><pre>CmdDelimiterh</pre><pre>TIdTCPServerConnection</pre><pre>DefaultPort</pre><pre>OnExecuteP</pre><pre>EIdTCPServerError</pre><pre>EIdNoExecuteSpecified</pre><pre>TIdTCPClient</pre><pre>IdTCPClient</pre><pre>BoundPorth</pre><pre>PortU</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>TIdHTTPProxyServer4</pre><pre>IdHTTPProxyServer</pre><pre>DefaultPorth</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>Windows Firewall Update</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>KWindows</pre><pre>IdTCPStream</pre><pre> IdTCPServer</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>DIdHTTPProxyServer</pre><pre>UnitChrome</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>MsgWaitForMultipleObjects</pre><pre>((&)))!&$</pre><pre>"#$$&-)01$$'&,--%.&,</pre><pre>4\@%c</pre><pre>.idata</pre><pre>.edata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>KERNEL32.DLL</pre><pre>advapi32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>funcoes.dll</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Command not supported.</pre><pre>Address type not supported.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>Object type not supported.</pre><pre>No execute handler found.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>No command handler found.*Error on call Winsock2 library function %s</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to set data for '%s'</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s$''%s'' is not a valid component name</pre><pre>Invalid property value List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d)</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre>cftmon.exe_676_rwx_24010000_00062000:<pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre>cftmon.exe_1312_rwx_00150000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_00290000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_002D0000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_00310000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_00350000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_00390000_00001000:<pre>KERNEL32.DLL</pre>cftmon.exe_1312_rwx_00B20000_00001000:<pre>advapi32.dll</pre>cftmon.exe_1312_rwx_00C50000_00001000:<pre>RegOpenKeyA</pre>cftmon.exe_1312_rwx_00C60000_00001000:<pre>advapi32.dll</pre>cftmon.exe_1312_rwx_00C90000_00001000:<pre>AVICAP32.DLL</pre>cftmon.exe_1312_rwx_00DD0000_00001000:<pre>AVICAP32.DLL</pre>cftmon.exe_1312_rwx_00E00000_00001000:<pre>gdi32.dll</pre>cftmon.exe_1312_rwx_00E40000_00001000:<pre>gdi32.dll</pre>cftmon.exe_1312_rwx_00E70000_00001000:<pre>gdiplus.dll</pre>cftmon.exe_1312_rwx_00EB0000_00001000:<pre>gdiplus.dll</pre>cftmon.exe_1312_rwx_00EF0000_00001000:<pre>mpr.dll</pre>cftmon.exe_1312_rwx_01260000_00001000:<pre>mpr.dll</pre>cftmon.exe_1312_rwx_01290000_00001000:<pre>msacm32.dll</pre>cftmon.exe_1312_rwx_013D0000_00001000:<pre>msacm32.dll</pre>cftmon.exe_1312_rwx_01400000_00001000:<pre>ntdll.dll</pre>cftmon.exe_1312_rwx_01540000_00001000:<pre>ntdll.dll</pre>cftmon.exe_1312_rwx_01570000_00001000:<pre>ole32.dll</pre>cftmon.exe_1312_rwx_016B0000_00001000:<pre>ole32.dll</pre>cftmon.exe_1312_rwx_016E0000_00001000:<pre>oleaut32.dll</pre>cftmon.exe_1312_rwx_01720000_00001000:<pre>oleaut32.dll</pre>cftmon.exe_1312_rwx_01860000_00001000:<pre>powrprof.dll</pre>cftmon.exe_1312_rwx_019A0000_00001000:<pre>powrprof.dll</pre>cftmon.exe_1312_rwx_019D0000_00001000:<pre>shell32.dll</pre>cftmon.exe_1312_rwx_01B10000_00001000:<pre>shell32.dll</pre>cftmon.exe_1312_rwx_01B40000_00001000:<pre>user32.dll</pre>cftmon.exe_1312_rwx_01C80000_00001000:<pre>user32.dll</pre>cftmon.exe_1312_rwx_01CB0000_00001000:<pre>wininet.dll</pre>cftmon.exe_1312_rwx_01DE0000_00001000:<pre>FtpOpenFileA</pre>cftmon.exe_1312_rwx_01DF0000_00001000:<pre>wininet.dll</pre>cftmon.exe_1312_rwx_01E20000_00001000:<pre>winmm.dll</pre>cftmon.exe_1312_rwx_01F60000_00001000:<pre>winmm.dll</pre>cftmon.exe_1312_rwx_01F90000_00001000:<pre>wsock32.dll</pre>cftmon.exe_1312_rwx_020E0000_00001000:<pre>wsock32.dll</pre>cftmon.exe_1312_rwx_24010000_00062000:<pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre>Explorer.EXE_884_rwx_014D0000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_02000000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_02040000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_02080000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_020C0000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_02100000_00001000:<pre>KERNEL32.DLL</pre>Explorer.EXE_884_rwx_02130000_00001000:<pre>advapi32.dll</pre>Explorer.EXE_884_rwx_02260000_00001000:<pre>RegOpenKeyA</pre>Explorer.EXE_884_rwx_02270000_00001000:<pre>advapi32.dll</pre>Explorer.EXE_884_rwx_022A0000_00001000:<pre>AVICAP32.DLL</pre>Explorer.EXE_884_rwx_023E0000_00001000:<pre>AVICAP32.DLL</pre>Explorer.EXE_884_rwx_02410000_00001000:<pre>gdi32.dll</pre>Explorer.EXE_884_rwx_02550000_00001000:<pre>gdi32.dll</pre>Explorer.EXE_884_rwx_02580000_00001000:<pre>gdiplus.dll</pre>Explorer.EXE_884_rwx_026C0000_00001000:<pre>gdiplus.dll</pre>Explorer.EXE_884_rwx_026F0000_00001000:<pre>mpr.dll</pre>Explorer.EXE_884_rwx_02730000_00001000:<pre>mpr.dll</pre>Explorer.EXE_884_rwx_02760000_00001000:<pre>msacm32.dll</pre>Explorer.EXE_884_rwx_027A0000_00001000:<pre>msacm32.dll</pre>Explorer.EXE_884_rwx_027D0000_00001000:<pre>ntdll.dll</pre>Explorer.EXE_884_rwx_02B20000_00001000:<pre>ntdll.dll</pre>Explorer.EXE_884_rwx_02B50000_00001000:<pre>ole32.dll</pre>Explorer.EXE_884_rwx_02C90000_00001000:<pre>ole32.dll</pre>Explorer.EXE_884_rwx_02CC0000_00001000:<pre>oleaut32.dll</pre>Explorer.EXE_884_rwx_02E00000_00001000:<pre>oleaut32.dll</pre>Explorer.EXE_884_rwx_02E30000_00001000:<pre>powrprof.dll</pre>Explorer.EXE_884_rwx_02F70000_00001000:<pre>powrprof.dll</pre>Explorer.EXE_884_rwx_02FA0000_00001000:<pre>shell32.dll</pre>Explorer.EXE_884_rwx_030E0000_00001000:<pre>shell32.dll</pre>Explorer.EXE_884_rwx_03110000_00001000:<pre>user32.dll</pre>Explorer.EXE_884_rwx_03250000_00001000:<pre>user32.dll</pre>Explorer.EXE_884_rwx_03280000_00001000:<pre>wininet.dll</pre>Explorer.EXE_884_rwx_033B0000_00001000:<pre>FtpOpenFileA</pre>Explorer.EXE_884_rwx_033C0000_00001000:<pre>wininet.dll</pre>Explorer.EXE_884_rwx_033F0000_00001000:<pre>winmm.dll</pre>Explorer.EXE_884_rwx_03530000_00001000:<pre>winmm.dll</pre>Explorer.EXE_884_rwx_03560000_00001000:<pre>wsock32.dll</pre>Explorer.EXE_884_rwx_036A0000_00001000:<pre>wsock32.dll</pre>Explorer.EXE_884_rwx_03840000_00001000:<pre>c:\%original file name%.exe</pre>Explorer.EXE_884_rwx_24010000_00062000:<pre>`.rsrc</pre><pre>kernel32.dll</pre><pre>Portions Copyright (c) 1999,2003 Avenger by NhT</pre><pre>SHFileOperationA</pre><pre>shell32.dll</pre><pre>URLDownloadToFileA</pre><pre>urlmon.dll</pre><pre>ShellExecuteA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>GetWindowsDirectoryA</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>http\shell\open\command</pre><pre>\Internet Explorer\iexplore.exe</pre><pre>####@####</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>Portugal</pre><pre>Turkey</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>%s %s</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows NT %d.%d</pre><pre>Windows 2008</pre><pre>%s %s Server</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s (Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>teste.vbs</pre><pre>teste.txt</pre><pre>Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")</pre><pre>Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)</pre><pre>Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)</pre><pre>Set objFileSystem = CreateObject("Scripting.fileSystemObject")</pre><pre>Set objFile = objFileSystem.CreateTextFile("</pre><pre>Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter</pre><pre>Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter</pre><pre>objFile.WriteLine(Info)</pre><pre>objFile.Close</pre><pre>cscript.exe</pre><pre>AVICAP32.dll</pre><pre>tFtpAccess</pre><pre>BuildImportTable: can't load library:</pre><pre>BuildImportTable: ReallocMemory failed</pre><pre>BuildImportTable: GetProcAddress failed</pre><pre>BTMemoryLoadLibary: BuildImportTable failed</pre><pre>BTMemoryGetProcAddress: no export table found</pre><pre>BTMemoryGetProcAddress: DLL doesn't export anything</pre><pre>BTMemoryGetProcAddress: exported symbol not found</pre><pre>SetupApi.dll</pre><pre>SetupDiOpenClassRegKey</pre><pre>SetupDiOpenClassRegKeyExA</pre><pre>SetupDiOpenClassRegKeyExW</pre><pre>SetupDiCreateDeviceInterfaceRegKeyA</pre><pre>SetupDiCreateDeviceInterfaceRegKeyW</pre><pre>SetupDiOpenDeviceInterfaceRegKey</pre><pre>SetupDiDeleteDeviceInterfaceRegKey</pre><pre>SetupDiCreateDevRegKeyA</pre><pre>SetupDiCreateDevRegKeyW</pre><pre>SetupDiOpenDevRegKey</pre><pre>SetupDiDeleteDevRegKey</pre><pre>CM_DEVCAP_LOCKSUPPORTED</pre><pre>CM_DEVCAP_EJECTSUPPORTED</pre><pre>PDCAP_D0_SUPPORTED</pre><pre>PDCAP_D1_SUPPORTED</pre><pre>PDCAP_D2_SUPPORTED</pre><pre>PDCAP_D3_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D0_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D1_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D2_SUPPORTED</pre><pre>PDCAP_WAKE_FROM_D3_SUPPORTED</pre><pre>PDCAP_WARM_EJECT_SUPPORTED</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>127.0.0.1</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>Mozilla3_5Password</pre><pre>GetChromePass</pre><pre>StartHttpProxy</pre><pre>1.2.3</pre><pre>XxX.xXx</pre><pre>UuU.uUu</pre><pre>keyboardkey</pre><pre>webcaminactive</pre><pre>webcamgetbuffer</pre><pre>webcam</pre><pre>enviarexecnormal</pre><pre>enviarexechidden</pre><pre>openweb</pre><pre>downexec</pre><pre>sendftp</pre><pre>keylogger</pre><pre>keyloggergetlog</pre><pre>keyloggereraselog</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>renamekey</pre><pre>windowsfechar</pre><pre>windowsmax</pre><pre>windowsmin</pre><pre>windowsmostrar</pre><pre>windowsocultar</pre><pre>windowsmintodas</pre><pre>windowscaption</pre><pre>listarportas</pre><pre>listarportasdns</pre><pre>finalizarprocessoportas</pre><pre>webcamsettings</pre><pre>chatmsg</pre><pre>getpassword</pre><pre>updateservidorweb</pre><pre>keyloggersearch</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>PSAPI.dll</pre><pre>\config\SteamAppData.vdf</pre><pre>AutoLoginUser</pre><pre>/ClientRegistry.Blob</pre><pre>\ClientRegistry.blob</pre><pre>\steam.dll</pre><pre>%SYS%</pre><pre>ÞSKTOP%</pre><pre>FirstExecution</pre><pre>chatmsg|</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>listarjanelas|windowsfechar|</pre><pre>listarjanelas|windowsmax|</pre><pre>listarjanelas|windowsmin|</pre><pre>listarjanelas|windowsmostrar|</pre><pre>listarjanelas|windowsocultar|</pre><pre>listarjanelas|windowsmintodas|</pre><pre>listarjanelas|windowscaption|</pre><pre>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>listarportas|listadeportaspronta|</pre><pre>listarportas|finalizarconexao|</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>registro|renamekey|</pre><pre>keylogger|keylogger|keyloggerativar|</pre><pre>keylogger|keylogger|keyloggerdesativar|</pre><pre>keylogger|keyloggergetlog|</pre><pre>keylogger|keylogger|keyloggervazio|</pre><pre>keyloggersearchok|</pre><pre>webcam|webcaminactive|</pre><pre>webcam|webcamactive|</pre><pre>_x_X_PASSWORDLIST_X_x_</pre><pre>NOIP.abc</pre><pre>MSN.abc</pre><pre>IELOGIN.abc</pre><pre>IEPASS.abc</pre><pre>IEAUTO.abc</pre><pre>IEWEB.abc</pre><pre>getielogin</pre><pre>getiepass</pre><pre>getieweb</pre><pre>getchrome</pre><pre>getpassword|getpasswordlist|</pre><pre>getpassword|getpassworderror|</pre><pre>##@@## ##@@## ##@@##</pre><pre>Windows\CurrentVersion\Uninstall\eDonkey2000</pre><pre>UNWISE.EXE</pre><pre>ntdll.dll</pre><pre>icon=shell32.dll,4</pre><pre>shellexecute=</pre><pre>autorun.inf</pre><pre>XX--XX--XX.txt</pre><pre>logs.dat</pre><pre>SQLite3.dll</pre><pre>$1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>KWindows</pre><pre>UnitExecutarComandos</pre><pre>uftp</pre><pre>UrlMon</pre><pre>.UnitBytesSize</pre><pre>UnitListarPortasAtivas</pre><pre>UnitWebcam</pre><pre>UnitKeylogger</pre><pre>WinExec</pre><pre>SetNamedPipeHandleState</pre><pre>GetProcessHeap</pre><pre>CreatePipe</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GdiplusShutdown</pre><pre>keybd_event</pre><pre>MapVirtualKeyA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyState</pre><pre>GetAsyncKeyState</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>FtpGetFileSize</pre><pre>FtpSetCurrentDirectoryA</pre><pre>FtpOpenFileA</pre><pre>%( % & % % % ]</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>h`S%S</pre><pre>advapi32.dll</pre><pre>AVICAP32.DLL</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>powrprof.dll</pre><pre>user32.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre></pre></pre></pre></pre></pre>