Static Analysis

PE Compile Time

2011-07-06 23:28:38

PE Imphash

61e0c59abaaf63342f8dbf1c1d5cdc47

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00002c44 0x00002e00 5.99566583871
.rdata 0x00004000 0x00001d64 0x00001e00 6.18454602153
.data 0x00006000 0x0005791c 0x00054000 6.75830725513
.reloc 0x0005e000 0x000009de 0x00000a00 3.51678674375

Imports

Library MSVCRT.dll:
0x404150 wcsstr
0x404154 _snwprintf
0x404158 strstr
0x40415c _snprintf
0x404160 _except_handler3
0x404164 memset
0x404168 memcpy
Library NETAPI32.dll:
0x404170 NetUserGetInfo
0x404174 NetApiBufferFree
Library SHELL32.dll:
0x404194 None
0x404198 SHGetFolderPathA
Library SHLWAPI.dll:
0x4041a0 PathFileExistsA
0x4041a4 PathAddBackslashA
0x4041a8 StrStrIA
0x4041ac PathAppendA
Library ntdll.dll:
0x4041c4 RtlAdjustPrivilege
0x4041c8 RtlImageNtHeader
0x4041cc RtlCreateUserThread
Library KERNEL32.dll:
0x404048 GetModuleFileNameW
0x404050 MoveFileA
0x404054 DeviceIoControl
0x404058 ExitProcess
0x40405c GlobalAddAtomA
0x404060 GlobalFindAtomA
0x404064 CopyFileA
0x404068 GetCurrentProcessId
0x404070 CreateFileW
0x404074 GetVersionExA
0x404078 FreeLibrary
0x40407c GetTickCount
0x404088 GetLastError
0x40408c GetModuleFileNameA
0x404090 CreateFileA
0x404094 SetFilePointer
0x404098 MoveFileExA
0x40409c lstrcpynA
0x4040a0 SetEndOfFile
0x4040a4 UnlockFile
0x4040a8 LockFile
0x4040ac SetFileTime
0x4040b0 WriteFile
0x4040b4 IsBadWritePtr
0x4040b8 ReadFile
0x4040bc GetFileSizeEx
0x4040c0 SetFileAttributesA
0x4040c4 GetTempFileNameA
0x4040c8 GetFileTime
0x4040cc GetTempPathA
0x4040d0 DeleteFileA
0x4040d4 GetProcAddress
0x4040d8 GetModuleHandleA
0x4040dc HeapAlloc
0x4040e0 HeapFree
0x4040e4 GetProcessHeap
0x4040e8 HeapValidate
0x4040ec GetCurrentProcess
0x4040f0 GetCurrentThread
0x4040f4 Sleep
0x4040fc VirtualAlloc
0x404100 MultiByteToWideChar
0x404104 VirtualQuery
0x404108 Process32First
0x40410c VirtualFree
0x404110 CreateRemoteThread
0x404114 OpenProcess
0x404118 CreateProcessA
0x40411c Module32First
0x404124 VirtualAllocEx
0x404128 LoadLibraryA
0x40412c Process32Next
0x404134 Module32Next
0x404138 CloseHandle
0x40413c LocalFree
0x404140 WriteProcessMemory
0x404144 SwitchToThread
Library USER32.dll:
0x4041b4 CharUpperA
0x4041b8 PostMessageA
0x4041bc FindWindowA
Library ADVAPI32.dll:
0x404000 RegOpenKeyExA
0x404004 GetUserNameA
0x40400c RegCreateKeyExA
0x404018 RegSetValueExA
0x40401c RegQueryValueExA
0x404020 RegFlushKey
0x404024 RegCloseKey
0x404028 OpenProcessToken
0x404030 OpenThreadToken
0x404038 GetTokenInformation
Library ole32.dll:
0x4041d4 CoUninitialize
0x4041d8 CoCreateInstance
0x4041e0 CoInitializeEx
Library OLEAUT32.dll:
0x404180 SysFreeString
0x404184 SysAllocString
0x404188 VariantClear
0x40418c VariantInit
!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
RSSSSSSS
t3hxE@
QSSj&S
SVWh,O@
x[h8O@
|>h<O@
T$,RVWS
Nwt`=>
u&hpR@
@vwd1nw
NKagj(h
NSystemDrive
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
\\?\globalroot\systemroot\system32\drivers\ntfs.sys
ntdll.dll
RtlUniform
kernel32.dll
IsWow64Process
kernel
SeSecurityPrivilege
Qkkbal
server
idontknow
administrator
666666
12345678
soccer
abc123
password1
football1
fuckyou
monkey
iloveyou1
superman1
slipknot1
jordan23
princess1
liverpool1
monkey1
baseball1
123abc
qwerty1
blink182
myspace1
user111
098765
qweryuiopas
qwerty
111111
password
123456
Windows Defender
MpClient.dll
WDEnable
\\.\KmxAgent
____AVP.Root
\\.\pipe\acsipc_server
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
\PrevxCSI\csidb.csi
PWed Jul 6 06:49:26 20112
winlogon.exe
explorer.exe
\apppatch\
svchost.exe
Wed Jul 6 06:49:26 20111
user32.dll
HARDWARE\DESCRIPTION\System
SystemBiosVersion
SANDBOX
MALNETVM
VIRUSCLONE
\sand-box\
\cwsandbox\
\sandbox\
_snprintf
strstr
_snwprintf
wcsstr
MSVCRT.dll
NetUserGetInfo
NetApiBufferFree
NetQueryDisplayInformation
NETAPI32.dll
SHGetFolderPathA
SHELL32.dll
StrStrIA
PathAddBackslashA
PathFileExistsA
PathAppendA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
RtlAdjustPrivilege
ntdll.dll
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetLastError
GetModuleFileNameA
CreateFileA
SetFilePointer
MoveFileExA
lstrcpynA
SetEndOfFile
UnlockFile
LockFile
SetFileTime
WriteFile
IsBadWritePtr
ReadFile
GetFileSizeEx
SetFileAttributesA
GetTempFileNameA
GetFileTime
GetTempPathA
DeleteFileA
GetProcAddress
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
HeapValidate
GetCurrentProcess
GetCurrentThread
FlushInstructionCache
VirtualAlloc
MultiByteToWideChar
VirtualQuery
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
CreateProcessA
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
Module32Next
CloseHandle
LocalFree
WriteProcessMemory
SwitchToThread
GetSystemWindowsDirectoryA
FreeLibrary
GetSystemTimeAsFileTime
GetModuleFileNameW
SetCurrentDirectoryA
MoveFileA
DeviceIoControl
ExitProcess
GlobalAddAtomA
GlobalFindAtomA
CopyFileA
GetCurrentProcessId
InterlockedDecrement
CreateFileW
GetVersionExA
KERNEL32.dll
CharUpperA
FindWindowA
PostMessageA
USER32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
OpenProcessToken
CreateProcessWithLogonW
OpenThreadToken
SetNamedSecurityInfoA
GetTokenInformation
LookupPrivilegeValueA
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
GetUserNameA
AdjustTokenPrivileges
RegCreateKeyExA
ADVAPI32.dll
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
ole32.dll
OLEAUT32.dll
_except_handler3
memset
memcpy
Qkkbal
!This program cannot be run in DOS mode.
`.data
.reloc
!This program cannot be run in DOS mode.
Rich?U
`.rdata
@.data
.reloc
SWWWWj
t WWVh
t<WWVh
t^VVVVj
<6WQSR
L$TQRh
<>http
<>http
<>http
SSSSSVh
PPPPPVh
SSQSVR
;|$ u1
;|$ u1
D$DPSSSSSSS
PSSSSSSS
L$lQj<P
Vj'j#SPh
LSVWPQ
<0|4<9
=POSTu
=GET u
T$0+T$4
D$$VPS
_(+_,;
t"WWWW
=POSTu
<#t/<
t'<*tP
QRWWSSP
L$dQPRS
Sj(SPV
Sj(SRV
<SVWj,
WWWhpi
u9PPPhP
L$$3L$
V$PQj R
<Nt <Ft
=GET t
=POSTu
=GET t
=POSTu
VWPQSR
VWPPQh@
tbSVVVVj
<#t3<
t+<*t[
tNVVShP
?POSTuZ
uEVPPPh0
$SVWPj
8ADVAu
PSPPPWV
u}SSSW
u,8^$u'
T$LRQP
L$\QWh$
|++Fd+
|*+Fl+
ERQWPV
9RQWPV
-RQWPV
;3s)8C
;:s,8B
;s)8G
f;X0uKf
f;X2u>f
f;X4u1
u+8F/t&
It-It%
Ht9Ht.
F(9F$u
9W8tG9W@tB9WDt=;
tY9p tT9p$tO
FD)~p)~l
Nlf+Np
Vlf+Vd
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
QRPhH[
_(9_$u
^09F0u
Oh;O\sP
Gh9Ghr
@PAQBR
name.key
\secrets.key
sign.key
kernel32.dll
CreateFileW
\explorer.exe
GetFileAttributesW
user32.dll
GetWindowTextA
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SystemDrive
Software\Microsoft\Windows NT\CurrentVersion
InstallDate
SYSTEM
%s!%s!%08X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
software\microsoft
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
%s!%s + 0x%04x
%s!0x%08x
unknown!0x%08x
ExceptionAddress =
ExceptionCode = 0x%08X
Last error: 0x%08X
Context:
Eip = 0x%08X Eax = 0x%08X Ebx = 0x%08X
Ecx = 0x%08X Edx = 0x%08X Ebp = 0x%08X
Esp = 0x%08X Esi = 0x%08X Edi = 0x%08X
EFlags = 0x%08X
Main module:
%s 0x%08X-0x%08X
Self exception = TRUE
ThreadStart =
CallStack:
dd;MMM;yyyy
HH;mm;ss
debug_%s_%s.log
sysinfo.log
scr.bmp
%d.%d.%d.%d
%dd %dh %dm
CLOSED
LISTEN
SYN_SENT
SYN_RCVD
FIN_WAIT1
FIN_WAIT2
CLOSE_WAIT
CLOSING
LAST_ACK
TIME_WAIT
DELETE_TCB
netstat
{Proto
Local address
Remote address
taskmgr
Process name
[System Process]
netuser
Software\Microsoft\Internet Explorer\TypedURLs
IE history:
DAN NLD NLB ENU ENG ENA ENC ENZ ENI FIN FRA FRB FRC FRS DEU DES DEA ISL ITA ITS NOR NON PTB PTG SVE ESP ESM ESN TRK PLK CSY SKY HUN RUS GRE ALL
{BotVer:
{Process:
{Username:
PROCESSOR_IDENTIFIER
{Processor:
{Language:
%dx%d@%d
{Screen:
dd:MMM:yyyy
{Date:
HH:mm:ss
{Local time:
%c%d:%02d
{GMT:
{Uptime:
{Windows directory:
{Administrator:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\global_history.dat
avast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
trendsecure
anti-malware
.comodo.com
google.com
Dnsapi.dll
DnsQuery_A
DnsQuery_UTF8
DnsQuery_W
Query_Main
ws2_32.dll
getaddrinfo
gethostbyname
inet_addr
qwrtpsdfghjklzxcvbnm
eyuioa
1676d5775e05c50b46baa5579d4fc7
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9
6d3ad29879a90b4dd1b4f76e82166ca3
data.txt
ntdll.dll
ZwQuerySystemInformation
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_%08x
explorer.exe
Shell_TrayWnd
00000000000888888888@@@@@@@@HHHHHHHHPPPPPPXXXXXXXXXXXX`````hhhhhhhhhhpppppppppxxxxxxxxxx
000000000000000000000000@@@@@@@@@@@@@@@@PPPPPPPPPPPPPXXXXXXXXXXXhhhhhhhhhhhpppppppppxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Qkkbal
taskmgr
default
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefFrameProcA
DefMDIChildProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
RegisterClassW
RegisterClassA
RegisterClassExA
RegisterClassExW
PeekMessageW
PeekMessageA
OpenInputDesktop
OpenDesktopA
OpenDesktopW
SwitchDesktop
MessageBeep
FlashWindowEx
GetCursorPos
SetCursorPos
GetMessagePos
SetCapture
ReleaseCapture
GetCapture
Winmm.dll
PlaySoundW
PlaySoundA
sndPlaySoundW
sndPlaySoundA
Kernel32.dll
Gdi32.dll
SetDIBitsToDevice
SetThreadDesktop
static
Content-Length
http://
NSS layer
https://
Referer
Content-Type
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
nspr4.dll
PR_Write
PR_Read
PR_Close
PR_OpenTCPSocket
PR_GetError
PR_SetError
PR_GetNameForIdentity
UserAgent
[[[URL: %s
Process: %s
User-agent: %s]]]
Accept-Encoding:
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
set_url
data_before
data_end
data_inject
data_after
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
%02u.bmp
***************************
***************************
[/pst]
GetClipboardData
\\.\PhysicalDrive%u
AppEvents
Console
Control Panel
Environment
Identities
Software
System
/topic.php
keylog.txt
passwords.txt
%s%u.zip
-----------------------------
Content-Disposition: form-data; name="pcname"
-----------------------------
Content-Disposition: form-data; name="file"; filename="report"
Content-Type: text/plain
RtlUniform
TranslateMessage
GetMessageA
GetMessageW
as743vgk0odastr
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
Content-Length:
RtlFreeHeap
id=1&post=%u
frd.exe
!kill_os
&ret_val=ok
/faq.php
!activebc
&activebc=ok
!deactivebc
&deactivebc=ok
&load=ok
!inject
&inject=ok
!new_config
&config=ok
id=%s&ver=4.1.2&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d
\chrome.exe
--no-sandbox
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_username=
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
CryptoPluginId=AGAVA&Sign
login=
password=
&ctl00%24MainMenu%24Login1%24UserName=
&ctl00%24MainMenu%24Login1%24Password=
advapi32.dll
CryptEncrypt
WSASend
WSARecv
name=%s&port=%u
/home.php
A B V G D E E J Z I Y K L M N O P R S T U F H C CHSHSH Y E YUYAA B V H G D E JE J Z Y I YI J K L M N O P R S T U F X C CH SH SH YU YA
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\%02d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
\private\
private.txt
\public\
public.txt
\*.key
\self.cer
\@rand
\ABONENTS*
crypto
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
found.
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
\crypto\
\micros~\crypto\
\maxthon3\public\
\microsoft\crypto\
\crypto pro\
\progra~1\crypto~1\
\temporary internet files\
:\users\public
ryptopro
\cryptokit\
:\progra~1\common~1\crypto~1
bsi.dll
&cvv=&
&cvv2=
&cvv2=&
&cvc=&
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
FAKTURA
sks2xyz.dll
vb_pfx_import
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
BEGIN SIGNATURE
END SIGNATURE
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
DefaultPrivateDir
General
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
&txtSubId=
&txtPin=
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone=
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
RCN_R50Buffer
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
\SIGN1\
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
RSTYLE
Agava_Client.exe
UseToken
Containers
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
login.yota.ru
IDToken1=
IDToken2=
YotaConfirmForm%5Bpassword%5D
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
IsWow64Process
*SYSTEM*
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
kernel
waveOutOpen
winmm.dll
SeSecurityPrivilege
1234567890QWERTYUIOPASDFGHJKLZXCVBNM
ct_init: length != 256
ct_init: dist != 256
ct_init: 256+dist != 512
inconsistent bit counts
not enough codes
too many codes
bad compressed size
ct_tally: bad match
bad d_code
invalid length
output buffer too small for in-memory compression
bad pack level
insufficient lookahead
no future
wild scan
more < 2
RFB 003.006
LibVNCServer 0.9.7
unknown
%s (%s)
My Documents
Network Favorites
%02d/%02d/%04d %02d:%02d
No authentication mode is registered!
Your viewer cannot handle required authentication methods
password check failed!
SCardConnectA
SCardEstablishContext
SCardFreeMemory
SCardDisconnect
SCardListReadersA
SCardReleaseContext
WinSCard.dll
IsNetworkAlive
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
SymSetOptions
SymGetSymFromAddr
SymGetModuleBase
SymInitialize
SymGetModuleInfo
dbghelp.dll
calloc
malloc
_snprintf
_strrev
strstr
strtol
isdigit
sprintf
strncpy
fwrite
realloc
fclose
isprint
strchr
MSVCRT.dll
GetModuleFileNameExA
PSAPI.DLL
NetApiBufferFree
NetQueryDisplayInformation
NETAPI32.dll
DnsFlushResolverCache
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetSetStatusCallback
InternetQueryOptionA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetCheckConnectionA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
WS2_32.dll
SHGetFolderPathA
ShellExecuteA
ExtractIconExA
SHFileOperationA
SHGetSpecialFolderPathA
SHELL32.dll
StrStrIA
PathFindFileNameA
PathAddBackslashA
StrStrIW
PathFileExistsA
StrToIntA
PathMakeSystemFolderA
PathAppendA
StrCmpNIA
StrNCatA
StrStrA
StrChrIA
SHLWAPI.dll
ZwQueryInformationThread
RtlImageNtHeader
RtlCreateUserThread
ntdll.dll
GetLastError
SetLastError
GetProcAddress
GetModuleFileNameA
GetModuleHandleA
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetCurrentProcess
GetTimeFormatA
GetCurrentThread
VirtualFree
GetDateFormatA
VirtualAlloc
AddVectoredExceptionHandler
GetSystemDefaultLangID
Process32First
OpenProcess
GetSystemWindowsDirectoryA
GetTimeZoneInformation
Process32Next
CreateToolhelp32Snapshot
WaitForSingleObject
LoadLibraryExA
ReleaseMutex
lstrcpynA
WaitForMultipleObjects
CloseHandle
GetSystemTime
CreateFileA
SetFilePointer
MoveFileExA
SetEndOfFile
SetFilePointerEx
UnlockFile
LockFile
WriteFile
IsBadWritePtr
ReadFile
CreateDirectoryA
GetFileSizeEx
FindFirstFileA
RemoveDirectoryA
SetFileAttributesA
GetTempFileNameA
FindClose
FindNextFileA
GetTempPathA
DeleteFileA
HeapReAlloc
HeapAlloc
HeapFree
ExitProcess
SetErrorMode
SetEvent
OpenMutexA
GetCurrentThreadId
GetCurrentProcessId
lstrcpyA
MapViewOfFile
UnmapViewOfFile
IsBadReadPtr
CreateFileMappingA
GlobalLock
GlobalAlloc
CreateProcessA
GlobalUnlock
GlobalFree
CreateThread
HeapCreate
lstrcmpiA
OpenEventA
lstrcmpiW
OpenFileMappingA
CreateMutexA
GetComputerNameA
lstrlenA
CreateEventA
GetVersionExA
ResetEvent
GetCommandLineA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetDriveTypeA
SetThreadPriority
SetCurrentDirectoryA
GetLogicalDriveStringsA
CopyFileA
GetCurrentDirectoryA
GetProcessHeap
HeapValidate
HeapSize
GetCommandLineW
ExitThread
MoveFileA
WinExec
TerminateThread
FindNextChangeNotification
FindFirstChangeNotificationA
lstrcmpA
FlushInstructionCache
InterlockedExchange
GetThreadPriority
VirtualProtect
WideCharToMultiByte
MultiByteToWideChar
GetVersionExW
GetFileAttributesA
GetFileAttributesW
GetShortPathNameA
GetPrivateProfileStringA
VirtualQuery
CreateRemoteThread
GetProcessTimes
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Module32Next
LocalFree
WriteProcessMemory
SwitchToThread
FileTimeToDosDateTime
GetFileSize
SystemTimeToFileTime
GetLocalTime
LocalAlloc
GetFileType
GetFileInformationByHandle
FindFirstFileW
FileTimeToSystemTime
CreateFileW
lstrlenW
FindNextFileW
KERNEL32.dll
CharUpperA
GetSystemMetrics
SetCaretBlinkTime
SetThreadDesktop
GetThreadDesktop
ReleaseDC
GetShellWindow
GetWindow
FindWindowA
SetClipboardData
OpenClipboard
GetDesktopWindow
EmptyClipboard
RegisterWindowMessageA
CreateDesktopA
GetTopWindow
CloseClipboard
SendMessageW
IsWindowVisible
IsWindow
GetLastActivePopup
PostMessageW
IsIconic
MapVirtualKeyW
IsRectEmpty
GetClassLongA
GetWindowThreadProcessId
MapWindowPoints
PostMessageA
GetMenuItemInfoA
SetWindowPos
SendMessageTimeoutA
GetWindowLongA
GetAncestor
SendMessageA
GetWindowInfo
GetParent
GetWindowRect
GetSystemMenu
DefWindowProcW
EndMenu
HiliteMenuItem
DefMDIChildProcA
GetMenuItemCount
DefMDIChildProcW
DefWindowProcA
GetMenuState
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
GetSubMenu
SetKeyboardState
GetMenuItemID
OpenDesktopA
GetUserObjectInformationA
PrintWindow
WindowFromDC
SetLayeredWindowAttributes
EnumChildWindows
RedrawWindow
GetWindowRgn
SetClassLongA
SetWindowLongA
GetScrollBarInfo
MoveWindow
DialogBoxIndirectParamA
SetWindowTextA
ShowWindow
EndDialog
GetDlgItem
CreateWindowExA
GetWindowTextLengthA
GetClientRect
LoadIconA
AttachThreadInput
DestroyWindow
wsprintfA
PtInRect
WindowFromPoint
GetFocus
RealChildWindowFromPoint
GetClassNameA
GetCursorPos
GetWindowTextW
GetOpenClipboardWindow
GetActiveWindow
GetWindowTextA
GetGUIThreadInfo
GetKeyboardState
ToAscii
FindWindowW
DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
GetWindowDC
USER32.dll
GetDeviceCaps
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
GdiFlush
GetDIBits
CreateDIBSection
DeleteDC
CreateRectRgn
OffsetRgn
SelectClipRgn
SetViewportOrgEx
GetViewportOrgEx
BitBlt
GetClipRgn
GetObjectA
CreateFontIndirectA
GDI32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
GetUserNameA
RegDeleteValueA
RegEnumKeyExA
RegNotifyChangeKeyValue
OpenProcessToken
OpenThreadToken
SetNamedSecurityInfoA
GetTokenInformation
RegDeleteKeyA
LookupPrivilegeValueA
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ADVAPI32.dll
memcpy
memset
_except_handler3
?456789:;<=
 !"#$%&'()*+,-./0123
Qkkbal
;3+#>6.&
'2, /+0&7!4-)1#
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
Desk_%u%x
nuca?B
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
0@0G0u0
1,1=1J1U1d1
1#2@2G2s2}2
2'313;3n3x3
0@1F1S1j1
2!21262J2R2X2b2
2'3@3F3S3p3y3
4*404I4w4~4
5.555K5R5\5f5w5
5F6W6\6k6t6
7(777D7W7t7}7
:5;J;P;];j;r;z;
;)<?<I<
="=Z=b=k=t=
>&>B>S>Z>
>"?3?:?z?
0G0N0S0t0
1X1b1h1q1
2&272G2b2
2H3O3`3g3
4;4D4p4
535O5i5
6"6(626;6d6}6
8-868C8
9'969O9a9
:Q:f:v:
:9<R<f<z<
=*=T=[=l=
>'>Q>X>i>
?#?M?T?e?
1$1N1U1f1p1w1
142G2q2x2
293L3v3}3
3A4T4~4
51585I5
67&777
8"8)808E8L8W8
9&9[9d9j9|9
:/:5:D:s:
; ;';@;_;j;p;
<<9<@<J<q<x<
>,?3?@?G?\?
0D0S0h0u0
1&121>1J1V1b1n1z1
2*262B2N2o2
323=3R3\3f3l3y3~3
4 4)434E4
586?6r6~6
7!767^7s7
8+8k8%919A9L9]9d9
:H:O:j:q:
<#<P<^<
>(>A>G>p>
2O2U2]2
4/4?4L4n4
5U5e5t5
5:6I6[6k6
8W8h8v8|8
9%9N9Z9j9
: :9:@:I:V:z:
;<&<e<
>!?.?<?Q?k?z?
010C0I0e0k0y0
1/1G1Y1g1w1
2*2:2J2U2[2h2z2
3>3E3K3Q3`3
4)4Z4g4m4s4
5$5-5P5
6&6+60666=6_6z6
7&737N7W7`7
9>9H9w9
9B: ;1;=;[;`;p;z;E<
=!=7===C=K=
?!?)?4?>?D?L?R?[?a?j?s?~?
0'01090?0L0]0r0x0
1"1+111D1J1R1a1i1n1
22292>2V2g2m2x2
33(3H3R3]3c3i3r3
324C4P4]4
5=5L5c5k5x5
6,6l6r6
7/7A7G7M7R7X7]7b7h7n7t7z7
798?8R8a8
9"9*91979=9C9I9O9s9}9
;3;B;X;
< <(<:<C<a<s<
<*=1=@=L=S=e=n=}=
?,?3?T?^?c?
0-040h0x0
2#2,242=2C2`2
3'3N3m3
4(4/4P4{4
556_6t6x6|6
797@7T7
:!;.;@;T;j;
<.<M<h<~<
=#=)=0=B=i=v=
>*>L>k>r>
?*?L?k?r?
0%0:0\0{0
1%1:1\1{1
2%2:2\2{2
3"3)30373>3E3N3Y3h3|3
4"4*41494@4\4k4
5+5E5Y5_5j5u5
656H6U6h6u6
7?7O7e7u7
8%8<8E8J8P8r8y8
9"9/959C9M9R9X9
:K:Q:h:|:
;0;@;i;
<)<@<i<n<t<y<
=)=0=9=F=U=c=i=s=
>">'>0>8>E>J>P>Y>^>d>t>
?'?,?7?G?L?W?g?l?w?
0'0,070G0L0W0g0l0w0
1'1,171G1L1W1g1l1w1
2202@2E2P2`2e2p2
3+313V3d3n3~3
3#4F4f4
5$5*5/545G5V5i5r5
5(616D6L6S6Z6q6~6
7)747:7U7`7j7q7y7
8Z8b8k8
969Z9b9o9~9
:#:7:k:w:
<Z=e=v=
?"?C?J?U?f?
1141t1
2D2[2q2
233<3B3J3T3l3
4"4*494>4D4[4q4x4
455_5k5q5
6"626E6c6}6
7%7+707=7J7[7i7t7
88)80878E8a8h8o8v8~8
9-9B9Q9\9c9|9
:/:::@:E:P:U:n:
;";9;?;I;O;d;q;
<&</<<<
<!=C=V=s=
=!>+>:>
?!?+?:?S?Z?_?k?
"00090_0z0
1+1V1v1
2^2m2{2
2L3T3Z3h3
4=5H5W5]5q5
5a6c7r7
8B8Q8X8_8p8{8!;(;
=!>1>B>c>
5S5_5o5n6d7
8'8.8y8
9X:]:t:
<3<N<a<
0"0*00070=0D0
2!2>2[2b2
34393w3
4 494J4]4m4
768=8J8Q8
;:;B;Z;b;q;
<N=Z=a=}=
=^>j>q>
2'2,272C2H2S2_2d2o2{2
4!444;4N4U4h4o4
6!61666<6
9D9a9f9{9
:":H:T:d:w:
0#0)0U0f0{0
2>2N2b2r2
3%373B3N3Z3
3B4H4R4o4v4}4
525E5_5e5
6%656;6n6y6~6
6%7v7|7
9Z9b9z9
:$:*:6:F:g:y:
<,<7<T<
=B=S=c=t=}=
>;>J>]>j>
0(0/070]0d0j0p0
1`1d1h1l1p1t1x1K2`2
3*4:4U4g4
5g5n5u5|5
5+62686B6H6X6`6f6l6
737a7h7r7
7X8n8y8
:-:=:m:
; ;);2;N;\;
="=/=m=t=
1'1-13181>1G1N1W1^1
2+222L2S2}2
44F4z4
555O5v5
67&7d7
:9:H:~:
<,<C<Y<g<l<~<
=(=.=O=h=r=x=
>.>5>F>V>l>}>
?/???I?
1"121J1Q1y1
2F2L2x2
3%3*343J3_3
4+4T4_4e4k4
565S5e5k5
6@6M6`6i6p6v6
7Y7^7f7m7v7{7
8#8/848?8K8P8[8g8l8w8~8
9"9'939W9c9p9
:":.:3:>:D:I:N:S:k:v:
;,;<;C;\;f;
;J<P<X<
= ='=1=N=r=
=:>@>H>Q>
>&?<?C?Q?b?
0"030b0x0
1#1*1<1M1
1 282E2K2S2i2t2
343J3P3
4 4(4@4X4
5*60696B6[6s6
7.7@7J7b7s7x7
8#858K8R8\8f8
949L9Y9
::(:.:5:@:L:l:
;(;];i;y;
="=+=5=?=Z=a=g=m=t=}=
=!>0>N>_>d>z>
?0?6?@?E?K?U?m?~?
0%01070<0K0T0g0v0
101F1\1r1
2B2M2x2
3%3P3[3
3(434^4i4
565A5l5w5
6,6>6P6b6t6
7&737?7G7_7p7{7
8"8*8@8F8\8b8n8~8
979C9J9s9y9
:-;N;r;
=9=K=X=`=e=k=
>6>B>f>m>
?;?B?H?T?d?n?
0-0=0L0S0
2&393Y3d3
5$5.5;5J5Q5\5h5}5
536>6S6c6t6
9;9F9L9V9i9s9{9
:R:W:g:
:);B;T;Y;`;m;{;
<"<4<9<@<M<[<b<
="=J=P=X=
>>>R>d>i>p>}>
0#0(0;0R0d0i0p0}0
1$1)101=1B1I1j1p1x1
2<2B2J2k2u2
484[4a4
5#5;5A5e5
6G6P6V6{6
6 7K7T7Z7
8#8-858>8J8O8^8k8w8|8
;1;=;h;
;F<L<S<
<9=\=i=p=|=
=O>U>c>p>u>{>
?#?3?@?M?\?
0!0,0H0O0W0j0p0
1"1I1[1n1u1
182@2X2i2{2
3)363V3[3x3
5z576L6o6
77%7,7H7Q7V7\7g7p7v7
8I8P8h8t8{8
839>99:V:]:
0"13191>1w1
2#242:2?2
2-333;3l3
4"43494>4
5&525@5H5Q5W5^5c5r5x5
6)616:6@6G6r6
7.7R7f7l7q7
8 8'8-838J8
9'9;9M9R9X9]9b9
9$:7:=:B:y:
;";(;1;M;U;f;m;r;w;};
<"<3<9<><}<
=$=*=J=P=X=m=w=
=>>R>c>i>n>
?#?)?.?g?q?y?
-030a0g0n0x0
0!1/141A1I1O1l1~1
2%2Y2r2
3[3b3h3p3
5K6Q6Z6c6
7`7i7w7
9,9@9q9w9
:M:S:[:w:
;.;d;o;
<1<6<E<U<k<
<*=0=6=>=b=p=v={=
>(>>>]>o>
?"?(?0?C?
0!0*0?0L0
1,232O2z2
3"31383K3Q3
44'464=4P4V4
546A6G6b6p6v6{6
7-747J7P7X7g7p7z7
8$8,8F8N8]8d8z8
9$939:9M9T9\9v9~9
:I:\:d:s:z:
;";3;A;G;L;
< <(<2<A<K<U<[<r<
=&=.===D=Z=`=h=q=
>+>1>:>C>R>c>i>n>
?J?P?Y?b?
0010?0N0]0j0v0
1*1?1G1T1h1y1
2"24292@2m2v2
3&303:3R3c3i3
4#4)4/4<4H4V4b4t4
5@5J5b5s5
6'6.6;6S6]6d6i6x6
7!7j7}7
8%828@8R8`8f8k8
8*909W9e9k9p9
;c;v;|;
<*<R<c<i<n<
=3=M=W=d=t={=
>7>@>N>_>f>{>
>%?2?=?G?L?e?v?
0E0X0_0l0
1*10181M1Z1_1q1
2 2(2=2J2q2v2
263?3M3^3e3z3
32484E4K4P4^4
5:5M5\5b5h5
6$6,666@6M6]6d6v6
7"7,7B7d7i7o7t7y7
8828K8
:#:1:9:B:H:O:T:j:p:x:
;!;*;0;7;<;K;R;[;k;s;|;
;/<6<C<L<T<a<q<x<
=7=@=N=_=f={=
=%>2>=>G>L>e>v>
><?S?X?h?
040D0Y0i0
1(1-181=1H1M1X1]1h1m1x1}1
252=2N2U2j2p2{2
424C4I4N4
5"5l5q5
6$6)6/64696o6
7"7U7f7v7
7B8S8Y8^8
939A9G9L9
:/:Y:j:}:
;8;I;\;k;
<<%<0<;<B<R<d<
=D=M=[=l=s=
=,>1>@>U>k>q>
>2?E?L?S?
"030:0z0
031=1E1V1]1r1x1
2+2Z2b2s2z2
223C3I3N3
5%5/5<5L5S5e5v5
626T6Y6_6d6i6
667C7~7
7@8I8W8h8o8
869@9M9]9d9v9
:!:):/:4:9:y:~:
;#;n;x;
<%<+<5<@<G<U<f<
=;=b=o=t=
>#>o>y>
?2?8?=?B?[?l?
0 0(0=0J0_0i0v0
1%1+121e1n1
1"23292>2w2
3 3O3Z3f3v3
4#4:4@4^4o4v4|4
515<5F5\5~5
6"6)626;6X6_6s6x6
7%747G7L7U7_7
8#8)8.8i8s8{8
9#9c9m9u9
:.:K:z:
<"<3<9<><y<
<2=b=s=y=~=
?(?R?c?i?n?
0!0(0:0K0T0`0p0
1*101N1_1f1l1r1
1!2,262L2n2s2y2~2
3"3R3c3i3n3
44&4,424B4
5.53595>5C5}5
6$6/6k6p6}6
7"767R7d7i7p7
8J8P8X8b8x8
9#9c9m9u9
:.:K:z:
;R;e;l;s;
;<%<-<B<S<Z<
=%=.=K=P=V=a=
>G>P>d>n>v>
? ?9?\?b?l?|?
0"03090>0w0
1"13191>1
3%3+303o3u3}3
4%4;4S4e4j4p4u4z4
5$5*5/5\5d5r5
6)62696R6c6i6n6
7:7@7a7x7~7
838E8J8P8U8Z8
9=9N9`9q9
9E:T:d:|:
:;;[;b;s;};
;!<G<M<S<
< =2=?=E=N=a=o=|=
>F>T>|>
?6?R?X?n?
040;0_0p0
151<1`1q1
4)454E4
4$5.5K5Q5[5q5x5
7,767<7A7S7
7+8<8w8
9B9I9Y9`9m9
:(:9:b:
;%;;;K;T;`;z;
<\<+?z?
8!878M8t8
;9<Y<j<
=^>l>~>.?
8*898O8
:/:O:t:
2$3,383>3F3R3X3_3k3q3y3
3,4>4S4]4
4C6J6P6[6g6o6u6|6
<$</<8<A<G<S<[<
2"3X3v3
5'5/5G5N5T5_5k5s5
929<9p9
=%=8=[=
0#0C0^0
6L7l7|7
<;<A<w<
)0H0^0
8084888<8@8D8H8L8P8T8X8\8`8d8
1t2x2|2
>">B>h>
!050L0
3!3,383R3e3p3
6B7Y8c8D9N95:T:
7\:b:g:s:
;0;N;_;
83?:?@?K?W?_?e?l?r?}?
404I4O4Z4c4l4r4
7 797?7K7S7\7b7o7x7'828
:):/:9:A:J:P:]:f:
2#363D3W3e3x3
5%5.5<5E5S5\5j5s5
999@9O9Y9m9|9
%0,3K3
6$7.7<7E7
8Z8d8r8{8
3$323i3u3
5+656J6S6,7
;0I0q0z0
Z0d0r0{0
788F8T8b8
90999h9
:[;e;z;
7+74738
B0\0t0}0
1+252K2W2
3C4P4^4g4
5M6[6i6x6
7#7B7L7{7
=+=9=H=v=
I0S0a0j0N1
67)7;7D7
8Y8c8q8z8
<_=i={=
?#?1?:?
6 6$6(6,6064686<6@6D6H6L6
1>1J1Z1y1
2A324J4S4a4i4r4x4
:):5=;=M=S=
L>P>\>`>h>l>
5,5@5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
0 0$0(0,0004080<0@0D0H0L0P0T0
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
#rqgbt
?=-f~;\
;0\0b0
2*262F2f2w2
33393^3k3
3-444;4F4N4S4^4e4n4v4
5+585Y5}5
7#7A7G7Y7q7
8,868F8X8p8
8%9>9R9{9
:%:,:Y:_:
:Q;_;e;k;p;v;
<!<7<H<z<
=2=A=j={=
>)>0>=>S>m>w>
?;?\?g?
061?1L1Y1b1h1v1}1
515^5|5
:9:@:O:Y:
; ;);2;?;H;O;`;|;
="===C=W=h=y=
>'>4>I>V>w>
??5?>?E?\?z?
0$000@0b0
535I5u5
6W6]6p6
7 7R7u7
9!949M9W9
96:b:|:
;+;K;o;
;<4<:<@<
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
eS:(ML;;NRNWNX;;;LW)
iWindows Explorer
cmd.exe
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Actions Context="LocalSystem">
<Exec>
<Command>%s</Command>
</Exec>
</Actions>
</Task>
<!--00-->
\\?\globalroot\systemroot\system32\tasks\
task%d
<Actions
mavast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
trendsecure
anti-malware
.comodo.com
google.com
#+3;CScs
tdefault
--no-sandbox
serverkey.dat
private
public
\java\
\windows\
SunAwtFrame
SunAwtDialog
eS:(ML;;NRNWNX;;;LW)
MS Sans Serif
No antivirus signatures available.
IRMA Signature
Trend Micro SProtect (Linux) Clean
Avast Core Security (Linux) Win32:Shiz-JT [Trj]
C4S ClamAV (Linux) Win.Trojan.Shiz-9949267-0
Trellix (Linux) BackDoor-FDOB
Sophos Anti-Virus (Linux) Troj/Shiz-Gen
Bitdefender Antivirus (Linux) Backdoor.Simda.A
G Data Antivirus (Windows) Virus: Backdoor.Simda.A (Engine A), Win32.Trojan.Spyshiz.A (Engine B)
WithSecure (Linux) Trojan.TR/Hijacker.Gen
ESET Security (Windows) a variant of Win32/Spy.Shiz.NBX trojan
DrWeb Antivirus (Linux) Trojan.PWS.Ibank.300
ClamAV (Linux) Clean
eScan Antivirus (Linux) Backdoor.Simda.A(DB)
Kaspersky Standard (Windows) HEUR:Backdoor.Win32.Generic
Emsisoft Commandline Scanner (Windows) Backdoor.Simda.A (B)
Cuckoo

We're processing your submission... This could take a few seconds.