Analysis Date2014-03-17 22:48:03
MD53aefda4f7773c8d6c0d29200d3522a57
SHA1b0cfdea85c1a9038c5f7a03e7fba6e68314aa8c8

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: cf5685c658e2787d57106d8839ce9e34 sha1: cef0d6c3f6cc2c1603e85fa94cabd1f9e62b5823 size: 364544
Section.data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section.rsrc md5: 8db266c90291bd5886c4c231429bfbec sha1: d7b7cbf8d3d3698f5dc1847619793eca16a3104d size: 4096
Timestamp2013-05-08 09:14:54
VersionLegalCopyright: Microsoft Windows
InternalName: msdxdll
FileVersion: 2.00.0199
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Windows
Comments: Microsoft Windows Dll Host
ProductName: Microsoft Windows Dll Host
ProductVersion: 2.00.0199
FileDescription: Microsoft Windows Dll Host
OriginalFilename: msdxdll.exe
PackerMicrosoft Visual Basic v5.0
PEhasha3316cb7f3ef7b1d6b6d5c52478108f041f69ef4
IMPhash0df19ea8d9e875a9d420516ef5ef8567
AVavgVB2.ABSD
AVaviraTR/Spy.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\webspy\ws1.srs
Creates FileC:\webspy\ws3.srs
Creates FileC:\webspy\ws2.srs
Creates File\Device\Afd\AsyncConnectHlp
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DFC880.tmp
Creates File\Device\Afd\AsyncSelectHlp
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\webspy\ws0.srs

Network Details:

DNSdownload.3utilities.com
Type: A
127.0.0.1
DNSyourdata.redirectme.net
Type: A

Raw Pcap

Strings
}
g.....

 -- 
 --- 
 !! ---
--- 
0C0A04B0
1&'(
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
2.00.0199
 [219] 
24810
24811
24812
24813
24814
24815
24816
24817
{557CF401-1A04-11D3-9A73-0000F81EF32E}
5850505589E55753515231C0EB0EE8xxxxx01x83F802742285C074258B45103D0008000074433D01080000745BE8200000005A595B5FC9C21400E813000000EBF168xxxxx02x6AFCFF750CE8xxxxx03xEBE0FF7518FF7514FF7510FF750C68xxxxx04xE8xxxxx05xC3BBxxxxx06x8B4514BFxxxxx07x89D9F2AF75B629CB4B8B1C9Dxxxxx08xEB1DBBxxxxx09x8B4514BFxxxxx0Ax89D9F2AF759729CB4B8B1C9Dxxxxx0Bx895D088B1B8B5B1C89D85A595B5FC9FFE0
{860BB310-5D01-11d0-BD3B-00A0C911CE86}
acabar
 acabar 
] -- Activando WebSpy Keyword: 
Address already in use.
Address family not supported by protocol family.
 [Alt] 
application/octet-stream
archivo
ArchivoInexistente;
Archivos;
 archivos en 
:\ArchivosP
ArchivosPart;
ArchivosRed
 [Back] 
Bad address.
Bad protocol option.
Buscar
Busqueda
BusquedaOk
cabj
CallWindowProcA
 cam 
 camara web
camara web
camarita
 camarita 
&Cancel
Cannot assign requested address.
Cannot save the image. GDI+ Error:
Cannot send after socket shutdown.
 [Capslock] 
changeConnectFreq
changeConnectFreq;
changeHostname
changeHostname;OK
changeThumbPattern
changeThumbPattern;OK
changeUploadFreq
changeUploadFreq;
changeWebSpyFreq
changeWebSpyFreq;OK
checking files...
chupar
 chupar 
CliSock;
CloseMe
cmdPrint
cmdPrint;
cmdRun
cmdRun;
cmdStop
CommandNotFound;
Comments
CompanyName
concha
 concha 
 conchita
 conchita 
Connection refused.
Connection reset by peer.
Connection timed out.
Content-Disposition: form-data; name="
Content-Length
Content-Length: 
Content-Type: 
Content-Type: multipart/form-data, boundary=
CSocketMaster.ConnectToIP
CSocketMaster.Listen
CSocketMaster.PostSocket
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedData
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SocketExists
 [Ctrl] 
culo
 culo 
 [D] 
debug
 [Del] 
DelDir
DeleteFile
DeleteOk;
DelRegValue
DelRegValueFAIL;
DelRegValueOK;
] -- Desactivando WebSpy :: 10 minutos de inactividad -- 
Destination address required.
Directorio
DirectorioAnterior
DirectorioRed
Directorios;
DirectoriosRed;
disableConnect
disableConnect;OK
disableKeyLog
disableKeyLog;OK
disableThumbear
disableThumbear;OK
disableUpload
disableUpload;OK
disableWebSpy
disableWebSpy;OK
Dixanta Vision System
.dmp
Download
Drives;
E*\AC:\Documents and Settings\Administrador\Escritorio\idata20130404-0443\Intruzzo\Intruzzo.vbp
EbMode
Ejecutado;
Ejecutar
Ejecutar_Hidden
El archivo subio con exito
elhacker.zapto.org
enableConnect
enableConnect;OK
enableKeyLog
enableKeyLog;OK
enableThumbear
enableThumbear;OK
enableUpload
enableUpload;OK
enableWebSpy
enableWebSpy;OK
 [End] 
EnviarArchivo
EnviarArchivoFrom
EnviarArchivoNew
Error;
ERROR
Error loading picture 
Error trying to allocate memory
ERROR trying to create socket
ERROR trying to initiate winsock service
ERROR trying to register events from socket 
 [Esc] 
Exe;
ExecQuery
ExePath;
fDenyTSConnections
FD_WRITE 
FileDescription
"; filename="
FileVersion
FreeMe
gang
 gang
GDI+ Module
GET /
getConfig
getConfig; 
getConnect
getConnect;
getConnectFreq
getConnectFreq;
GetDrives
GetExe
getHostName
getHostName;
getKeyLog
getKeyLog;
GetMousePos
GetMousePos;
GetPath
GetRegValue
GetRegValue;
GetRev
getThumbear
getThumbear;
getThumbPattern
getThumbPattern;
getUpload
getUpload;
getUploadFreq
getUploadFreq;
GetVer
getWebSpy
getWebSpy;
getWebSpyFreq
getWebSpyFreq;
GoLocal
GoTemp
grabarConfig
grabarConfigOk;
grep
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
 [Home] 
host: 
Host: 
Host not found.
 HTTP/1.0
 HTTP/1.1
? HTTP/1.1
http://www.todo-downloads.com.ar/uploadb.php
hWnd
ImHereToServe;
 :: INICIANDO XPENDIO EN 
 [Insert] 
InternalName
Interrupted function call.
Invalid argument.
It is important to scan all the files. Are you sure you want to cancel the scanning procedure?
jjjj
*.jpg;*.mpg;*.mov;*.avi;*.3gp;*.wmv;*.csv;*.db;*.crypt;*.rar;*.zip
*.jpg;*.srs
KeyStrokes;
KeyStrokesFinal;
KeyStrokesOk
KeyUploadFail;
KeyUploadOk;
 [L] 
LeerConfigOk;
LegalCopyright
LegalTrademarks
lesbian
 lesbian
listarProcesos
loadConfig
matarProceso
MD5Sum
MD5SumOK;
Message too long.
 me ves 
me ves
Microsoft Corporation
Microsoft Windows
Microsoft Windows Dll Host
modSocketMaster.DestroyWinsockMessageWindow
modSocketMaster.FinalizeProcesses
modSocketMaster.InitiateProcesses
modSocketMaster.RegisterSocket
 - modSocketMaster.UnsignedToInteger(m_lngRemotePort)
mostrame
 mostrame 
MouseClickDer
MouseClickDer;
MouseClickIzq
MouseClickIzq;
MouseClickIzqPos
MouseClickIzqPos;
MousePos
MousePos;
msdxdll
msdxdll.conf
msdxdll.exe
mswdll.exe
nantaque
Network dropped connection on reset.
Network is down.
Network is unreachable.
Network subsystem is unavailable.
No buffer space available.
Nombre=
Nonauthoritative host not found.
 --- No pude abrir 
No route to host.
NoSubiendoActualmente;
ObtenerArchivos
ObtenerArchivosOk
ObtenerArchivosRed
ObtenerArchivosRedOK
ObtenerDirectorios
ObtenerKeyStrokes
ObtenerTailKeyStrokes
ObtenerTamanio
OK Bind HOST: 
OK Bytes obtained from buffer: 
OK Bytes sent: 
OK Connecting to: 
OK Created accept collection
OK Created socket collection
OK Created winsock message window 
OK Destroyed accept collection
OK Destroyed socket collection
OK Destroyed winsock message window 
OK Finished SENDING
OK Freed subclass memory at: 
OK: lngRemoteHostAddress:
OK Registered events from socket 
OK Subclass memory allocated at: 
OK Winsock service finalized
OK Winsock service initiated
open
Operation already in progress.
Operation not supported.
Operation now in progress.
OriginalFilename
@osoft Visual Studio\VB98\C2.EXE.Manifest
Out of memory
Part;
 [Pause] 
 [PDown] 
Permission denied.
porno
 porno
 PORT: 
POST 
postponeConnect
Procesos
ProcesosOk
ProductName
ProductVersion
Protocol family not supported.
Protocol not supported.
Protocol wrong type for socket.
PSKill
 [PUp] 
 [R] 
$rar$.00365mbeo3
$rar$.00365mbeo3\
RebootMe
RebootMe;
Reconectar=
RenameFile
RenameOk;
] -- Renovando WebSpy Keyword: 
ReRoute
Resolving host 
Resource temporarily unavailable.
RiRoute
RmDir
RmDirOk;
rmrf
rmRFOK;
Router
RouterDestinoClosed;
RouterDestinoConectado;
RouterOrigenClosed;
RouterSourceConectado;
sacate
 sacate 
SampleGrabber
Scanning... 
ScreenCapture
ScreenCapture;
ScreenCaptureCuadro
ScreenCaptureCuadro;
ScreenCaptureParam
ScreenCaptureParam;
ScreenSize
 :: SE ENCONTRARON LAS SIGUIENTES UNIDADES: 
 [Select] 
select name from Win32_Process where name='
 :: SE THUMBEARON 
SetRegValue
SetRegValueFAIL;
SetRegValueOK;
SetWindowLongA
 sex cam 
sex cam
sexo
 sexo 
 [Shift] 
 - sin_port:
skype
Socket is already connected.
Socket is not connected.
Socket operation on nonsocket.
Socket type not supported.
SOCKET_WINDOW
Software caused connection abort.
Software\Microsoft\Windows\CurrentVersion\Run
.srs
STATE: sckClosed
STATE: sckClosing
STATE: sckConnected
STATE: sckConnecting
STATE: sckError
STATE: sckHostResolved
STATE: sckListening
STATE: sckOpen
STATE: sckResolvingHost
STATIC
STOP
StringFileInfo
SubiendoActualmente;
SubirLogs=
Successful WSAStartup not yet performed.
Symantec Worm/kido.ih.30 Removal Tool 1.3.0.1
Symantec Worm/Psycho.B Removal Tool 1.3.0.1
SYSTEM\CurrentControlSet\Control\Terminal Server
 [Tab] 
TamanioArchivo;
Terminate
tetas
 tetas 
The Symantec Worm/kido.ih.30 was successfully removed from your computer.
This is a nonrecoverable error.
Thumbear;
thumbearDir
thumbearDirEnd;
ThumbearDirPattern
ThumbearDirPatternOk;
thumbearDirQ
thumbearEnable
ThumbearPen=
ThumbearPhoto
ThumbearPhotoQ
thumbearStop
ThumbPattern=
Too many open files.
Too many processes.
Translation
 [U] 
Ultimatum
Unknown error.
Upload
Upload;
UploadAbort
UploadEnd;
UploadInProgress;
UploadNew
UploadOk
UploadStop
user32
Valid name, no data record of requested type.
VarFileInfo
vba5
vba6
Ver;
verifying memory...
verifying privileges...
verifying process... alg.exe
verifying process... explorer.exe
verifying process... jusched.exe
verifying process... lsass.exe
verifying process... services.exe
verifying process... svchost.exe
verifying process... winlogon.exe
verme
 verme 
Ver;XBA+20130111
videos
 videos
VS_VERSION_INFO
WARNING: Async already registered!
WARNING lngWindowHandle is ZERO
WARNING: Omitting FD_ACCEPT
WARNING: Omitting FD_CLOSE
WARNING: Omitting FD_CONNECT
WARNING: Omitting FD_READ
WARNING: Omitting FD_WRITE
WARNING: Send buffer full, waiting...
WARNING: Socket already registered!
was cancelled before it finished. The threat may still be present on the machine.
WebCamGetDevices
WebCamGetDevices;
WebCapture
WebCapture;
WebCapture;FAIL
WebCaptureNew
WebCaptureNew;
WebCaptureNew;FAIL
WebCaptureNewParam
WebCaptureNewParamDevice
WebCaptureNewParamDevice;
WebCaptureNewParamDevice;FAIL
webspy
webspy\
WebSpy=
WGetOK;
 [Win] 
winmgmts:
Winsock buffer size for receives: 
Winsock buffer size for sends: 
Winsock.dll version out of range.
 with handle 
Worm/kido.ih.30 found on file lsass.exe. Press yes to remove the virus from the file
Worm/kido.ih.30 has not been found on your computer, but the scan
Worm/kido.ih.30 has not been totally removed from your computer, but the scan was cancelled before it finished. The threat may still be present on the machine.
wsc.srs
\wsj.srs
wsj.srs
www.todo-downloads.com.ar
xjpgs$.$
xpend
xpendio
 xxx 
yourdata.redirectme.net
yyyymmdd
yyyymmddHHMM
yyyy-mm-dd HH:MM
^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^
>/>//>//////
//>/>/
///>>/////>/
///>///>
///////
////////
''''''
''''''''''''''''''''''''' !"#$%''''''''''''''''''''''''''&
'''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''
(^^^^^^^
(^^^^^^^^
[[[[[[[
!000!00e0e0e
0!000e0
000!0T!4!
0e0000!4
0e!!!T!
24TTTTTT!000?
4TTTTTTTTTTT
&About...
About...
accept
Accept
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
_allmul
aplicarConfig
archivo
avicap32.dll
borrarFile
BuscarEnList
BytesReceived
bytesRemaining
bytesSent
bytesTotal
C#4TT[x
CancelDisplay
capCreateCaptureWindowA
capturaScreen
C:\Archivos de programa\Microsoft Visual Studio\VB98\VB6.OLB
cargarFiles
cargarFiles2List
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
cJs7/Gs
CliSock
CliSock_CloseSck
CliSock_Connect
CliSock_DataArrival
CliSock_Error
&Close
CloseHandle
CloseSck
closesocket
CLSIDFromString
cmdLine
cmdStop
cmdText
comando
Command1
Command2
Command3
connect
CONNECT
ConnectionRequest
Copyright (C) 2012 Symantec Corporation
CreateBitmap
CreateCompatibleBitmap
CreateCompatibleDC
CreatePipe
CreateProcessA
CreateSolidBrush
CreateToolhelp32Snapshot
CreateWindowExA
CSocketMaster
C:\WINDOWS\system32\msvbvm60.dll\3
`.data
DataArrival
DeleteDC
DeleteObject
delimiter
depurarlista
Description
DestroyWindow
device
directorio
DllFunctionCall
D$$PQRV
D$(QRP
D$$QRP3
Drive1
Drive2
enmProtocol
EVENT_SINK_AddRef
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
EVENT_SINK_QueryInterface
EVENT_SINK_Release
ExitWindowsEx
f9~|u	
fConfig
Fs1hJs
Fs];Gs'
GdipCreateBitmapFromHBITMAP
GdipCreateBitmapFromHICON
GdipCreateFromHDC
GdipCreateMetafileFromEmf
GdipCreateMetafileFromWmf
GdipDeleteGraphics
GdipDisposeImage
GdipDrawImageRectI
GdipDrawImageRectRectI
GdipGetImageHeight
GdipGetImageWidth
GdipLoadImageFromFile
GDIPlus
gdiplus.dll
GdiplusShutdown
GdiplusStartup
GdipSaveImageToFile
GdipSetInterpolationMode
GenerarArchivosRed
GenerarDirectorios
GenerarDirectoriosRed
GenerarDrives
GenerarLista
genPath
GetAsyncKeyState
GetCamera
GetComputerNameA
GetCurrentProcessId
GetCursorPos
GetData
GetDesktopWindow
GetDeviceCaps
GetDeviceNames
getDirNoRep
getFnameNoRep
GetForegroundWindow
gethostbyaddr
gethostbyname
gethostname
GetModuleHandleA
getNextFname
getPathNextFname
getpeername
GetProcAddress
getsockname
getsockopt
GetStartupInfoA
GetSystemDirectoryA
GetTempDir
GetTempPathA
GetTheComputerName
GetTheSystemDirectory
GetTheWindowsDirectory
GetWindowLongA
GetWindowsDirectoryA
GetWindowTextA
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
grabarConfig
Gs0sJssnHs
GsBLHs
-GsbrJs
GsEtHs
[GsFdJs
?Gs?|Hs
Gs{LHs
GsmLHs
GsObGs(&Gs@sJs
Gs\THs
HelpContext
HelpFile
Hesvchost
HideApp
Hs0jHs
Hs7vHsfLHs
HsE`Gs
HsetHs
Hs$FHs
Hsl`Js
Hs"UHs
Hs)uHskbIs
inet_addr
inet_ntoa
iniciando_por
Intruzzo
ioctlsocket
Is@9Js
Isj|Hs
Is_LHstjHs
Is&nHsI
iSock_CloseSck
iSock_Connect
iSock_DataArrival
IsWindow
IswUHs7
}#jdhl
}#j`hl
}#j\hl
}#j,hX
Js4uJs
Js*aIs
JsEjHsZ]Gs
JstLHs"
jtS-l'
}#jXhl
kernel32
kernel32.dll
keybd_event
kJspuJs
{kykkyyyyyyyyyyykky
Label1
Label2
leerConfig
ListarProcesos
listen
Listen
ListenTimer
lngPort
loadDefaults
LocalHostName
LocalIP
LocalPort
lParam
L$(QSR
lstrcpyA
lstrlenA
mandarArchivos
mandarLista
matarProceso
maxLen
mmmmmmmmmzzz
modGDIPlusResize
modInStart
modSocketMaster
modWebcam
mouse_event
msdxdll
MS Sans Serif
msvbvm50.dll
MSVBVM60.DLL
nombre
NoPath
Number
nykkkkkkkyyymmmm
objTarget
OleCreatePictureIndirect
olepro32.dll
olllllllllllllkyymn~
ommyyyyyyymmmmz
OpenProcess
palabra
paparazzi
parametro
parametros
PatBlt
PeekData
Picture1
Picture2
Picture3
pkflllllllkkkyyymmz
Preview
prevInstance
Process32First
Process32Next
Proteger
Protocol
proxKeyStrokeBuffer
qqqqrjjjj](VVVV
qqrrjjjjjjjj
qrrjjj
quality
ReadFile
recvfrom
Redirect
RegCloseKey
RegDeleteValueA
RegisterServiceProcess
registrar
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoteHost
RemoteHostIP
RemotePort
requestID
RouterD
RouterD_CloseSck
RouterD_CONNECT
RouterD_DataArrival
RouterS
RouterS_CloseSck
RouterS_CONNECT
RouterS_DataArrival
RtlMoveMemory
SaveAsJPG
SelectObject
SendComplete
SendData
SendMessageA
sendNextChunk
SendProgress
sendto
SetCursorPos
setsockopt
SetStretchBltMode
SetWindowLongA
SetWindowTextA
sglg}}oh}}}ggo
shell32.dll
ShellExecuteA
shg}poppppo}|
shlllggghllflffh
SHsDRGsk
socket
SocketHandle
Source
&Start
Starter
StretchBlt
strHost
strTag
svchost
swplit
Symantec Worm/kido.ih.30 Removal Tool 1.2.0.9
Symantec Worm/kido.ih.30  Removal Tool 1.3.0.1
T$4QRP
T$4WPQSSR
TbYYYY
TerminateProcess
t'f9^|
!This program cannot be run in DOS mode.
Timer1
Timer2
Timer3
[TT400?
TT9TCT4T[xxTT4T4[4TTTTTTTTTTTTTTTTTTTTTTTT
TTT!!00
TTT4!!0e
TTTT04!4
!TTTTT
TTTTTTTTT
TTTTTTTTTTTTTTTTT
uolllllllllllllfk}p
uoopppppppo
url_helper
user32
user32.dll
UTT00e
UTT4000e
UTTTT!
UTUTTTTTTT
,V9SLBn
validarSpy
VarPtr
varType
VB6ES.DLL
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolErrVar
__vbaBoolVar
__vbaBoolVarNull
__vbaCastObj
__vbaCastObjVar
__vbaChkstk
__vbaCyErrVar
__vbaDateR8
__vbaDateStr
__vbaDateVar
__vbaEnd
__vbaErase
__vbaError
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitEachColl
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFileSeek
__vbaFixstrConstruct
__vbaForEachCollObj
__vbaForEachCollVar
__vbaForEachVar
__vbaFPException
__vbaFpI4
__vbaFPInt
__vbaFpUI1
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaGetOwner3
__vbaGetOwner4
__vbaHresultCheckObj
__vbaI2ErrVar
__vbaI2I4
__vbaI2Str
__vbaI2Var
__vbaI4ErrVar
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateIdCallLd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLenBstr
__vbaLenBstrB
__vbaLineInputStr
__vbaLsetFixstr
__vbaLsetFixstrFree
__vbaNameFile
__vbaNew
__vbaNew2
__vbaNextEachCollObj
__vbaNextEachCollVar
__vbaNextEachVar
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaPut4
__vbaPutOwner4
__vbaR4ErrVar
__vbaR8ErrVar
__vbaR8IntI4
__vbaR8Str
__vbaRaiseEvent
__vbaRecAnsiToUni
__vbaRecAssign
__vbaRecDestruct
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaSetSystemError
__vbaStrBool
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrErrVarCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrUI1
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1ErrVar
__vbaUI1I2
__vbaUI1I4
__vbaUI1Str
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGt
__vbaVarCmpLt
__vbaVarCopy
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVargVarCopy
__vbaVargVarMove
__vbaVarLateMemCallLd
__vbaVarMove
__vbaVarOr
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstNe
__vbaVarVargNofree
__vbaVarZero
VVE2TTTT
VVUT400
VVV9T!0
(VVVV(
VVVVVVVV
VVVVVVVVVVjjjjjr
VVVVVVVVVVVVVVVVjjjjjjjj
(VVVVVVVVVVVVVVVVVVV
webSpy
wGet_CONNECT
wGet_DataArrival
WndProc
wParam
ws2_32.dll
WSAAsyncGetHostByName
WSAAsyncSelect
WSACancelAsyncRequest
WSACleanup
WSAGetLastError
WSAStartup
wsock32.dll
wwwDownload
wwwDownload_CloseSck
wwwDownload_CONNECT
wwwDownload_DataArrival
wwwwwuuu
wwwwww
WWWWWW
wwwwwwwc
wwwwwwwwwww
wwwwwwwwwwwuuuu
wwwwwwwwwwwwww
wwwwwwwwwwwwwwwwuuuuuu
wwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwww
[wwwwwwwwwwwwwwwwwwwwuuuu
wwwwwwwwwwwwwwwwwwwwwwwuuu
wwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuw
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuuu
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuuu
w]Z``YY
xpendio
xSpyware
ykymyy
yykkky
YYY```\
yyykyyyykkky
yyyyyy
yyyyyyy
yyyyyyyyy
Y`\ZZZ
ZGs_]Is
Zombie_GetTypeInfo
Zombie_GetTypeInfoCount
ZY`YYY
zzzzzzz