Gen.Variant.Symmi.7068_ec2abceeb4
Gen:Variant.Symmi.7068 (BitDefender), VirTool:Win32/VBInject.gen!JD (Microsoft), Trojan.Win32.Inject.aahww (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader8.24308 (DrWeb), Gen:Variant.Symmi.7068 (B) (Emsisoft), RDN/Generic.bfr!hz (McAfee), Suspicious.Cloud.2 (Symantec), Trojan-Spy.Win32.Zbot (Ikarus), Gen:Variant.Symmi.7068 (FSecure), Dropper.Generic6.CLJH (AVG), Win32:Rootkit-gen [Rtk] (Avast), TROJ_GEN.R026C0DKS16 (TrendMicro), Gen:Variant.Symmi.7068 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Trojan, Worm, VirTool, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ec2abceeb4630d7f2fb25868dfad8531
SHA1: 30502ce7d0b40c54b82e5896ed37ead7695a4d22
SHA256: 2a31b38e245e4e2b00e81d3af8024007b23d2849ecf48bf4f8410c544f2040ff
SSDeep: 1536:Ui10WhWnfGD1Vnq7ufTHySzFlO8E/6ujN8UKi2cA6Znouy8SE:UiH iYufTDze//Nz1a6Joutt
Size: 71680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2012-10-16 19:19:57
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for stealthy installation of other malware on the user's system.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1760
%original file name%.exe:316
sis32.exe:2996
sis32.exe:2788
The Trojan injects its code into the following process(es):
%original file name%.exe:264
sis32.exe:2988
sis32.exe:2776
taskhost.exe:1940
Explorer.EXE:2024
conhost.exe:3920
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.txt (140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.bat (142 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe (2840 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.bat (0 bytes)
Registry activity
The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process sis32.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 9e2b1101a6e63bc8c4c34ae2a3a28a30 | c:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 208896 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 212992 | 69632 | 66048 | 5.52822 | 274bc077689baec5f9a7ce0389dec088 |
| .rsrc | 282624 | 8192 | 4608 | 4.05145 | 43a1796badb5421c7d8425140bd2185c |
URLs
| URL | IP |
|---|---|
| api.wipmania.com | |
| lopta100.no-ip.info | |
Traffic
The Trojan connects to the servers at the following location(s):
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
hXXp://VVV.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
%original file name%.exe_264_rwx_003C0000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
%original file name%.exe_264_rwx_00400000_0000C000:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
hXXp://VVV.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
sis32.exe_2988:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
hXXp://VVV.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
sis32.exe_2988_rwx_00240000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
sis32.exe_2988_rwx_00250000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
sis32.exe_2988_rwx_00400000_0000C000:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
hXXp://VVV.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
sis32.exe_2776:
`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
updates32*1*|OFF|*appdata*opp\*sis32.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe
sis32.exe_2776_rwx_00400000_0000B000:
`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
updates32*1*|OFF|*appdata*opp\*sis32.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe
taskhost.exe_1940_rwx_00120000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
taskhost.exe_1940_rwx_00370000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_01EE0000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02B80000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02B90000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02D60000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02D70000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02D80000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02EE0000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
hXXp://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
4826170
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe
Explorer.EXE_2024_rwx_02EF0000_0000E000:
Explorer.EXE_2024_rwx_02F00000_0000E000:
Explorer.EXE_2024_rwx_02F10000_0000E000:
Explorer.EXE_2024_rwx_035D0000_0000E000:
Explorer.EXE_2024_rwx_03980000_0000E000:
Explorer.EXE_2024_rwx_03A10000_0000E000:
Explorer.EXE_2024_rwx_03A20000_0000E000:
Explorer.EXE_2024_rwx_03B30000_0000E000:
Explorer.EXE_2024_rwx_03B40000_0000E000:
Explorer.EXE_2024_rwx_03B50000_0000E000:
Explorer.EXE_2024_rwx_03C60000_0000E000:
Explorer.EXE_2024_rwx_03CA0000_0000E000:
Explorer.EXE_2024_rwx_03CB0000_0000E000:
Explorer.EXE_2024_rwx_03D00000_0000E000:
Explorer.EXE_2024_rwx_03D30000_0000E000:
Explorer.EXE_2024_rwx_03DA0000_0000E000:
Explorer.EXE_2024_rwx_03EC0000_0000E000:
Explorer.EXE_2024_rwx_03F60000_0000E000:
Explorer.EXE_2024_rwx_03F70000_0000E000:
Explorer.EXE_2024_rwx_03F80000_0000E000:
Explorer.EXE_2024_rwx_03F90000_0000E000:
Explorer.EXE_2024_rwx_04020000_0000E000:
Explorer.EXE_2024_rwx_04030000_0000E000:
conhost.exe_3920_rwx_000E0000_0000E000:
conhost.exe_3920_rwx_000F0000_0000E000:
conhost.exe_3920_rwx_00100000_0000E000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1760
%original file name%.exe:316
sis32.exe:2996
sis32.exe:2788
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.txt (140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PLKXE.bat (142 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\opp\sis32.exe (2840 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.