Trojan.Win32.Buzus.oepa (Kaspersky), Trojan.Downloader.JQEL (B) (Emsisoft), Trojan.Downloader.JQEL (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ad282ed208a2d7f209250d9352c019cb
SHA1: ab3933c03912b70825195b88c7e81546571da515
SHA256: 3f970cbe8f2f31df5fa3a317e0e46d9e72f2fc68920712d4e8dec27548ce74f3
SSDeep: 384:bAmt53ZsCQ4P GhplI 22rL7bJ0qLPXa0w1X jv9LLaPav:bJHsCJ Ghg 22rL7bJ0qLPXa0NjF5v
Size: 21124 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2003-09-15 20:42:09
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
inaxa.exe:412
budha.exe:628
kilf.exe:200
%original file name%.exe:564
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:888
File activity
The process inaxa.exe:412 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6004 bytes)
The process budha.exe:628 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFE3ARI3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TUTG1AT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDQFEXCN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\47EFIV43\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFE3ARI3\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
The process kilf.exe:200 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UTZ7E3E.bat (171 bytes)
%Documents and Settings%\%current user%\Application Data\Vynamu\inaxa.exe (2734 bytes)
The process %original file name%.exe:564 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes)
Registry activity
The process inaxa.exe:412 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 C6 3E 68 55 6C D0 12 F2 82 9F 01 5F 8E AA CF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Baavugyxn]
"1i1316ec" = "6D 18 D9 E8 C8 33 4B 8B 54 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process budha.exe:628 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kilf.exe" = "Administrations und Wartungsprogramm fur SQLite Datenbankdateien"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D FA 9C B9 17 8E 32 2B 59 EA 5C A3 80 90 BB 4C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process kilf.exe:200 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 83 49 9B 99 68 21 1F 01 C4 C7 B2 3D A1 C8 F6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:564 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 44 75 D4 33 17 33 2E DC 72 F3 1F D5 2E 13 83"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"budha.exe" = "budha"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| edefbe93ee85e387b2258e918bae2ea0 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Vynamu\inaxa.exe |
| 260321d92281ab9fe00b817b2e3d3395 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\budha.exe |
| 0154fecc492db496aa998636fc828e6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\IFE3ARI3\profile_main[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
inaxa.exe:412
budha.exe:628
kilf.exe:200
%original file name%.exe:564 - Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFE3ARI3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TUTG1AT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDQFEXCN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\47EFIV43\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFE3ARI3\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UTZ7E3E.bat (171 bytes)
%Documents and Settings%\%current user%\Application Data\Vynamu\inaxa.exe (2734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 4881 | 5120 | 4.31273 | 5bd78445669a0ae4a1cc746b58415314 |
| .data | 12288 | 6401 | 6656 | 2.50295 | 7d33a1ebe246d96662d74d4737d52af2 |
| .idata | 20480 | 2400 | 2560 | 3.76867 | 31c85b4df47dddf1d035a6ecf4a20157 |
| .rsrc | 24576 | 5252 | 5632 | 3.70321 | f66a95fae4a4cfef8a00b2f6cd60d056 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 109
443ac8b40c16da3dddd8fde4e79583f4
ef00ebd83619981bb723ecca9e9bd12f
ca886b3281d6101221fa46fa1cbbafbb
b84c780fd81f8ed76232cdd373e6f1ce
a04291a2e50eb3b21f49e864abd24fa9
b1a14a3682ee83af0dfeb6de5e57493e
d034cb955d5030b4efbf73b0414e7f2e
d4cdcd1479acce93f3e6e90994693e39
d57df59ee627e452018a2494463fc41f
bcf6888054e2f379fbfd83d66a68c8a1
b45657e95311ab4a0d09d61049992c2f
d56ed696fa61b976f1666c2a25b29793
c0c0a9f37dae7bafc1eb553a096e319e
db494490e1b2fa67fc0355637e5ef4ba
cd2ca8db18fb5125d67945ba6d19eb21
c59c9e1e23b88998aaaab752e496ff6e
b3d7f2882f5bc72f551311a7969cb8f6
af30768ff92488278c8f34cb0950fed9
ac2471c932b5a12b630cf95f27012741
a7ad11374e88cc4684008773f353e24c
db60c5acc635f457069fc437704b7c14
d49b2a36223ac79149389ef726088a9a
cd545847dd61c2fa03145781a86f1848
b9dd1bfff387f3f74fef9155a246d34c
afcdddda2d8bccb9f96a5bb4b5484597
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 205.237.69.74 |
| robotvacuumhut.com | 38.99.254.69 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Fri, 13 Jun 2014 09:41:13 GMT
Connection: keep-alive
X-CCC: US
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Date: Fri, 13 Jun 2014 09:41:13 GMT..Connection: keep-alive..X-CCC: US..X-CID: 2..1401CF3DB40B609892..
Map
The Trojan-PSW connects to the servers at the folowing location(s):
Strings from Dumps
Explorer.EXE_888_rwx_01EB0000_00048000:
.text
.text
`.data
`.data
.reloc
.reloc
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
)"4(7*</</pre><pre>!*< ?"4'</pre><pre>0123456789</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>REPORT</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>RegDeleteKeyExW</pre><pre>HTTP/1.1</pre><pre>m9.td</pre><pre>t.Ht$HHt</pre><pre>ntdll.dll</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>MsgWaitForMultipleObjects</pre><pre>GetKeyboardState</pre><pre>USER32.dll</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>RegCreateKeyExW</pre><pre>RegCloseKey</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegFlushKey</pre><pre>RegEnumKeyExW</pre><pre>ADVAPI32.dll</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>GDI32.dll</pre><pre>WS2_32.dll</pre><pre>PFXImportCertStore</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>msvcrt.dll</pre><pre>zcÁ</pre><pre>: :$:(:,:0:4:</pre><pre>7!7%7)7-7175797</pre><pre>4-5}5</pre><pre>:":(:3:9:</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>kernel32.dll</pre><pre>urlmon.dll</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>shell32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>cabinet.dll</pre><pre>Wadvapi32.dll</pre><pre>%Documents and Settings%\%current user%\Application Data</pre><pre>%Documents and Settings%\%current user%\Local Settings\Application Data</pre><pre>Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}</pre>