MD5: 8bad758b0e732e0e3d01be6be7ea8357
SHA1: 5579a6c3dc69832fa6f01a263b0b6f8f88d5a08b
SHA256: da793fcf99de77f9434bf3f5db94affc4b2308246fc04a317bc75f8113870642
SSDeep: 24576:P2O/GlCq6ECuUo14rq03sVYiTK /aW6ZMIkA0YuIYj4q:epUS9TMWqkA0Yuoq
Size: 1078546 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: VideoPerformer
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

taskkill.exe:1136
taskkill.exe:1856
taskkill.exe:1768
taskkill.exe:1744
taskkill.exe:1512
taskkill.exe:480
%original file name%.exe:312
qbapJkM.exe:784
mshta.exe:380
mshta.exe:420
mshta.exe:1364
mshta.exe:1968
mshta.exe:1088

The Trojan injects its code into the following process(es):

RegSvcs.exe:308
BitcoinFaucetBot.exe:1996

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process RegSvcs.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\ZFT6K0QBLR.exe (32 bytes)
%Documents and Settings%\%current user%\Application Data\ltcdrive (33 bytes)

The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\leyxw\BitcoinFaucetBot.exe (2928 bytes)
%Documents and Settings%\%current user%\leyxw\DslXZuI.CFC (194 bytes)
%Documents and Settings%\%current user%\leyxw\EvpLCsmnshl.SLP (3073 bytes)
%Documents and Settings%\%current user%\leyxw\e (193759 bytes)
%Documents and Settings%\%current user%\leyxw\qbapJkM.exe (31505 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\leyxw\__tmp_rar_sfx_access_check_519500 (0 bytes)

The process qbapJkM.exe:784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\leyxw\69394.vbs (185 bytes)
%Documents and Settings%\%current user%\leyxw\54509.cmd (55 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (693 bytes)
%Documents and Settings%\%current user%\leyxw\run.vbs (81 bytes)

Registry activity

The process taskkill.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 7F 9A 6E BA F6 AA 60 48 BC 33 ED 1E F6 B7 6C"

The process taskkill.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 57 2A 33 71 84 D2 3D 99 A4 8C D3 C1 2A 57 9C"

The process taskkill.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 F0 BA 11 8E F3 EA 6A A8 1A F8 B7 22 8C 7E B3"

The process taskkill.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B F5 2A 3E 3D 3B 86 FB 2B EA AE 24 A7 D8 48 35"

The process taskkill.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 60 CD 3B 46 52 06 51 FB 02 87 CD A5 0F E3 98"

The process taskkill.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 C8 88 AE 93 E5 34 06 FE D3 DD D8 3A 70 31 A4"

The process RegSvcs.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 0C 04 85 51 20 17 31 D2 E1 89 37 92 DF DB 2E"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"PPPWCJ8NKM" = "xlimbolandx's Bot"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"PPPWCJ8NKM" = "December 7, 2014"

The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 3E 6E A4 15 52 73 F7 F5 95 A3 10 E5 FE 7A 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\leyxw]
"BitcoinFaucetBot.exe" = "Bitcoin Faucet Bot"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\leyxw]
"qbapJkM.exe" = "AutoIt v3 Script"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process BitcoinFaucetBot.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 17 45 13 66 E7 41 BD 13 A1 43 ED DE 90 DF CF"

The process qbapJkM.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mshta.exe" = "Microsoft (R) HTML Application host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 4F 10 6E 8E CF AB 23 88 C2 C9 D3 64 69 31 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"leyxw" = "C:\DOCUME~1\"%CurrentUserName%"\leyxw\69394.vbs"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process mshta.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 1F 92 D1 FA B9 21 E0 7D 73 8B 51 99 33 59 97"

The process mshta.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 88 27 B8 BA 60 B6 F5 F7 40 78 54 D6 56 4B 50"

The process mshta.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 E4 82 DB 7D 5C 91 67 6A 51 73 24 E7 B8 5F 88"

The process mshta.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 9D C1 39 5B AE 61 5E 8F 9F 0F 32 6C 01 31 CA"

The process mshta.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 53 41 AA 9F A8 93 7D 9A 2F CA 28 E1 AF 8F 6D"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SSht:K

PSSSSSSh

Gt.Ht$

t.jGZf;

PSSSh

PVSSh

f;Crt

?#%X.y

GetProcessWindowStation

operator

kernel32.dll

RegDeleteKeyExW

advapi32.dll

oleaut32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

UQ.WP

mI.Us

\.gGL

.FFF<

,.bh9

].Whjj*

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></application></compatibility></assembly>

< <&< <0<

4,555@5{5

;&<.<6<><~<

2-262>2 3

<"<&<*<.<2<6<

7(797@7`7

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;<=>?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

D%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

Line %d:

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 10, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

%Documents and Settings%\%current user%\leyxw\qbapJkM.exe

%Documents and Settings%\%current user%\leyxw\e

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

DW20.EXE_1700:

.text

`.data

.cdata

.rsrc

watson.microsoft.com

.mdmp

%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S

/dw/stagetwo.asp

%s/%S/%S/%S/%S/%S/%S/%S/%S.htm

Failed to fill report params from generic params

Not offering reporting

%s Mode

Failed to get a reporting destination

Nothing to report from queue

No reports left to send. Removing queue triggers and bailing.

Failed to plug UI; LCID=%u

Ignoring %S due to unknown queue version

Reporting is disabled

SignOff queue reporting is disabled

Queued Reporting Mode called but still want to report to the queue

Bad queue type to report from

No reports for given queue mask - %u

Invalid queue mask - %u

Suspending: Force cancel to queued reporting

Suspending: Force cancel to network reporting

CreateWindowExA failed with %d.

Application Error Reporting %d

WatsonQueuedReportingInstanceVerification

riched20.dll

qMicrosoft\PCHealth\ErrorReporting\DW

msaccess.exe

hXXp://watson.microsoft.com/dw/dcp.asp

hXXp://watson.microsoft.com/dw/watsoninfo.asp

dwintl20.dll

Launching lightweight browser with URL

mshtml.dll

Not reporting

Reporting

DWBypassQueue

DWExplainerURL

DWNoSignOffQueueReporting

DWAlwaysReport

DWReporteeName

DWURLLaunch

DWNoExternalURL

DWStressReport

ole32.dll

imm32.dll

BTLog.dll

Microsoft\PCHealth\ErrorReporting\DW

HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

hXXp://

hXXps://

Software\Microsoft\PCHealth\ErrorReporting\DW\Debug

%s\%s

https

DwBTLog.log

Failed to get minidump for %S!

szAppName=%s

szAppVer=%d.%d.%d.%d

szAppStamp=x

szModName=%s

szModVer=%d.%d.%d.%d

szModStamp=x

fDebug=%s

offset=x

microsoft.com

.msn.com

.microsoft.com

d:d:d d-d-d

/dw/generictwo.asp

kernel32.dll

psapi.dll

mso.dll

MsoDWRecover%x

MsoDWHang%x

Launching browser with URL

shell32.dll

%d.%d.%d.%d

%d.%d.%d.%d.x.%d.%d

shfolder.dll

unknown.sig

%s dw20.exe %d.%d.%d.%d

RegKey=

ResponseURL=

URLLaunch=

NoExternalURL=

%s:(%s) XX

%s:(%s) X

%s:(%s)

%s:(%s) %s

registry.txt

wql.txt

Windows NT Version %d.%d Build: %d

Stage 1 server response: %s

Stage 2 server response: %s

Stage 4 server response: %s

StatusCode: %d

Opening server: %s

HttpOpen failed.

Opening %s Request:

HTTPS

HttpSend Failed.

HttpWrite Failed, GLE=%d.

HttpEndReq failed.

Count filename length greater than MAX_PATH, can't report.

Filesystem reporting: count file updated

FReportToQueue: GetLastError=%u

FReportToQueue: File Tree Root does not exist: %S

Failed to add heap file to cab: %S

memory.dmp

mdmpmem.hdmp

version.txt

Network reporting complete.

Network reporting failed.

Application Error Reporting Transfer %d

Filesystem reporting complete

Filesystem reporting: cab successfully written

Filesystem reporting: could not find/create directory for cab/count

Filesystem reporting: redirection failure, too many redirects

Filesystem reporting: redirection failure, no previous roots

Filesystem reporting: improper file tree root

Filesystem reporting cancelled

Filesystem reporting: file tree root is too long

Record: 0xxx

Address: 0xxx

Code: 0xx

Flags: 0xx

x:x

(%d.%d:%d.%d)

Checksum: 0xx

Time Stamp: 0xx

Image Base: 0xx

Image Size: 0xx

Module %d

Windows NT %d.%d Build: %d

CPU AMD Feature Code: X

CPU Version: X CPU Feature Code: X

CPU Vendor Code: X - X - X

0xx:

0xx: x x x x

EFlags: 0xx ESP: 0xx SegSs: 0xx

EIP: 0xx EBP: 0xx SegCs: 0xx

EBX: 0xx ECX: 0xx EDX: 0xx

EDI: 0xx ESI: 0xx EAX: 0xx

Thread ID: 0xx

Thread %d

Memory Range %d

Software\Microsoft\PCHealth\ErrorReporting\DW

OkToReportFromTheseQueues

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Failed to obtain queue mutex. GetLastError=%u

FGetQueueMutex: WaitForSingleObject returned %u

Failed to open or create queue mutex. GetLastError=%u

Failed queued reporting pester check

Failed to create run reg key

Persistent run key is set.

CoInitializeEx() returned 0x%x.

Reporting to Admin Queue

Reporting to Regular Queue

Reporting to SignOff Queue

Reporting to Headless Queue

Reporting from Regular Queue

Reporting from SignOff Queue

Reporting from Headless Queue

OOM Failed to alloc QueuedReportData

FAllocSD: GetLastError=%u

%s%s%s

FEnsureQueueDirW: GetLastError=%u

Failed to write snt. GLE: %u

Failed to create snt. GLE: %u

Failed to set info; bad queue type: %u

Failed to open reg key for queue

Failed to get windows folder path for queue: %u

Failed to move instr file from queue A to queue B - %u

Failed to move cab file from queue A to queue B - %u

Did not move any reports from admin q to user q

Did not move any reports from user q to headless q

Queue types that have reports: %u

Setting triggerAtConnectionMade to: %u

Setting triggerAtLogon to: %u

Setting the queue trigger based upon: %u

SUCCESS adding report to queue

Launched (%S)

Failed to store the SensSubscription. hr: %d

failed to allocate PROGID string: %S

Failed putting SubscriberInterface. hr: %d

Failed putting PerUser. hr: %d

Failed putting Enabled. hr: %d

Failed putting MachineName. hr: %d

Failed putting OwnerSID. hr: %d

Failed putting Description. hr: %d

Failed putting InterfaceID. hr: %d

Failed putting EventClassID. hr: %d

Failed putting MethodName. hr: %d

Failed putting SubscriptionName. hr: %d

Failed putting PublisherID. hr: %d

Failed putting SubscriberCLSID. hr: %d

Failed putting SubscriptionID. hr: %d

Failed CoCreateInstance on EventSubscription. hr: %d

Failed to remove the SensSubscription. hr: %d

failed to allocate query string: %S

Failed CoCreateInstance on EventSystem. hr: %d

SENS: StringFromIID() returned <%x>

DWSHARED: SysAllocString(%s) failed!

Failed to subscribe subscription %u. hr: %d

Failed to get data for subscription %u. hr: %d

Failed to query install reg key

Failed to open install reg key

Software\Microsoft\PCHealth\ErrorReporting\DW\Installed

HKEY_USERS\

HKEY_CURRENT_CONFIG\

HKEY_CLASSES_ROOT\

HKEY_LOCAL_MACHINE\

HKEY_CURRENT_USER\

initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d

creating CDwAccessible: hwnd %x, idc %d

WriteAtOffset.Write(0x%x) failed, 0xx

WriteAtOffset.Seek(0x%x) failed, 0xx

WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx

WriteStringToPool.Write(0x%x) failed, 0xx

WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx

WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx

WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx

WriteFunctionTableList.Seek(0x%x) failed, 0xx

WriteDirectoryEntry.Write(0x%x) failed, 0xx

Thread(0x%x) callback returned FALSE

WriteSystemInfo.GetOsCsdString failed, 0xx

WriteSystemInfo.GetCpuInfo failed, 0xx

CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx

WriteHeader.GetCurrentTimeDate failed, 0xx

WriteDirectoryTable.Seek(0x%x) failed, 0xx

WriteMemoryInfo.Write(0x%x) failed, 0xx

WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx

WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)

WriteFullMemory.Memory.Write(0x%x) failed, 0xx

WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx

WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx

WriteFullMemory.Desc.Write(0x%x) failed, 0xx

WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx

Kernel minidump write failed, 0xx

MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx

MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx

Invalid exception record parameter count (0x%x)

Invalid exception record size (0x%x)

Invalid CPU type (0x%x)

Invalid function table size (0x%x)

GetSystemType.GetOsInfo failed, 0xx

GetSystemType.GetCpuType failed, 0xx

Write.Start failed, 0xx

Dump type requires streaming but output provider does not support streaming

Invalid dump type 0x%x

dbghelp.dll

Alloc(0x%x) failed

Thread(0x%x) will not be included

GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx

GenGetImageSections.GenImageNtHeader(0x%I64x) failed

GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx

0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx

GenAllocateThreadObject.GetContext(0x%x) failed, 0xx

GenAllocateThreadObject.Open(0x%x) failed, 0xx

GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx

GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x

GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx

GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx

GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx

GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx

GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx

GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx

GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx

GenGenTebMemory.TLS(0x%I64x) failed, 0xx

GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx

0GenGetAuxMemory(%ws) failed, 0xx

GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx

GenGetProcessInfo.EnumUnloadedModules(0x%x) looped

GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx

GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx

GenGetProcessInfo.EnumFunctionTables(0x%x) looped

GenGetProcessInfo.EnumModules(0x%x) failed, 0xx

GenGetProcessInfo.EnumModules(0x%x) looped

GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx

GenGetProcessInfo.EnumThreads(0x%x) looped

GenGetProcessInfo.Start(0x%x) failed, 0xx

GenWriteHandleData.Desc.Write(0x%x) failed, 0xx

GenWriteHandleData.Header.Write(0x%x) failed, 0xx

GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx

GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx

GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx

GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx

GenWriteHandleData.Start(0x%x) failed, 0xx

GenWriteHandleData.Seek(0x%x) failed, 0xx

Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls

Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls

version.dll

ntdll.dll

%$%,%4%<%

S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%

b%c%d%e%f%g%h%i%j%k%l%

!"#$%&'()* ,-./0123456789:;<=

!!!!2222

%%%f||||

!!!!2222||||

!"#$%&'(

'()* ,-./0

&'()* ,-./

&'()* ,-./012345

3456789

.ASex

!"#$%&'()* ,-./012

!"#$%&'()

?msodatad.dat

msodatalast.dat

Unicows.dll

Kernel32.dll

SHLWAPI.DLL

GDI32.DLL

wintrust.dll

1108160

0u.hN

0SSh 

t.WWWj

PSSh07

t5SSh(

PSSSSSSh

0SSSSh

ADVAPI32.dll

COMCTL32.dll

GDI32.dll

KERNEL32.dll

OLEACC.dll

OLEAUT32.dll

MSVCRT.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

urlmon.dll

USER32.dll

VERSION.dll

WININET.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ReportEventA

ReportEventW

RegEnumKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyW

GetProcessHeap

GetSystemWindowsDirectoryW

_amsg_exit

_acmdln

ShellExecuteExA

UrlGetPartA

CreateURLMoniker

CreateDialogIndirectParamA

EnumWindows

HttpQueryInfoA

HttpSendRequestExA

HttpOpenRequestA

InternetCanonicalizeUrlA

InternetCrackUrlA

HttpEndRequestA

dw20.pdb

\devsplab1\otools\BBT_TEMP\DW20O.pdb

winword.exe

wwordlt.exe

excel.exe

excellt.exe

mspub.exe

frontpg.exe

outlook.exe

powerpnt.exe

powpntlt.exe

onenote.exe

infopath.exe

winproj.exe

ois.exe

visio.exe

`!`'`)` `

e%f-f|3 f'f/f

]!^"^#^ ^$^

t.uGuHu

x4x7x%x-x x

h&h(h.hMh:h%h h,k/k-k1k4kmk

k%lzmcmdmvm

^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

]8^6^3^7^

ichczc]eVeQeYeWe_UOeXeUeTe

{1{ {-{/{2{8{

r6s%s4s)s:t*t3t"t%t5t6t4t/t

t&t(t%u&ukuju

WHX%X

`IaJa aEa6a2a.aFa/aOa)a@a bh

d@d%d'd

duewexei

kCpDpJpHpIpEpFp

S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S

U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU

c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c

m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm

nRsSsh

evg%f

m.tRa

gtr%x

Q%SKg

f.ebp>QI

y.yxT

fn:q%uN

aw.Toiz

RMeXe

S#S$S%S;ScSdSrSsStSuS

`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`

^ ^!^"^#^$^%^&^'^.^}^

c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe

f f!f"f#f$f%f&f'f(f)f*f f,f-f

m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m=m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm

u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu

U U!U"U#U$U%U&U'U(U4UJU

](^)^*^ ^,^-^/^0^1^

m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m

x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x=x>x?x@xAxXy_yaycydyeygyiyjykylynyoy

} }!}"}#}$}%}&}'}

] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]

]2^3^4^5^6^7^8^9^:^;^<^>^

cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX

d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele

s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs

u$u%u&u/ujukulumunuouqurusutu

duewexeyeze{e

~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0

| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|

{3~3}3|3

eZl%u

Q.YeY

R:\Sg|p5rL

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei

s4s/s)s%s>sNsOs

s&t*t)t.tbt

2%2.bx

{ | }9},

d6exe9j

]%sOu4](n

m.t.zB}

w%xIyWy

^vcÓv

%f?iCt

U>_.lE

f.ebp

.nrR=

{fn:q%uN

bitcoinfaucetbot.exe

name="Microsoft.Windows.ErrorReporter"

version="5.1.0.0"

publicKeyToken="6595b64144ccf1df" />

<description>Windows Error Reporting</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

1%s\%s\%s\%s\%s\%s\%s\%s

AppName: %s AppVer: %s AppStamp:%s

ModName: %s ModVer: %s ModStamp:%s

fDebug: %s Offset: %s

Main_AlwaysReportBtn=

Main_NoReportBtn=

Main_ReportBtn=

General_Reportee=

CheckBoxRegKey=

ReportingFlags=

Stage1URL=

Stage2URL=

%General_Reportee%

%u %s

%u.%u %s

%s %s %s %s in %s %s %s fDebug %s at offset %s

Bucket: d

BucketTable %d

%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s

\dw.log

policy.txt

crash.log

status.txt

hits.log

count.txt

%s\%s\%s

%s\%s\%s\%s

eDWQueuedReporting

DWPersistentQueuedReporting

"%s\%s" -%c

dwtrig20.exe

ReportSize=

\*.cab

dwq.snt

"%s" -%c %u

SEventSystem.EventSubscription

SubscriptionID=%s

#$%&%&'(

Comctl32.dll

BitcoinFaucetBot.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7FDE6.dmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

.NET Runtime 4.0 Error Reporting

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log

Microsoft Application Error Reporting

11.0.8160

Windows

DW20.Exe

RegSvcs.exe_308:

.text

`.data

.rsrc

MSVBVM60.DLL

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

mswinsck.ocx

MSWinsockLib.Winsock

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

SHFileOperationA

CreatePipe

PSAPI.DLL

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

CHAT_ADDMSG

VBA6.DLL

ws2_32.dll

D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3

AddMsg

olepro32.dll

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca

tmrTCP

tmrUDP

UDPSocket

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

`txtPassword

imgLoginPressed

imgLogin

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

InternetOpenUrlA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

FtpGetDirectory

Http_DownloadFile

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

txtPassword

2>e%Xdq

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

*\AD:\Blackshades Project\bs_net\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

5.5.1

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

\rsout.tmp

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

hXXp://

HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

api.ipinfodb.com

Select * from Win32_Keyboard

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

$('#jschl_answer').val(

application/x-www-form-urlencoded

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

\rspad.dat

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

explorer.exe

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

\system32\userinit.exe

steam.exe

hl.exe

@*\AD:\Blackshades Project\bs_net\server\server.vbp

RegSvcs.exe_308_rwx_00400000_0007A000:

.text

`.data

.rsrc

MSVBVM60.DLL

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

mswinsck.ocx

MSWinsockLib.Winsock

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

SHFileOperationA

CreatePipe

PSAPI.DLL

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

CHAT_ADDMSG

VBA6.DLL

ws2_32.dll

D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3

AddMsg

olepro32.dll

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca

tmrTCP

tmrUDP

UDPSocket

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

`txtPassword

imgLoginPressed

imgLogin

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

InternetOpenUrlA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

FtpGetDirectory

Http_DownloadFile

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

txtPassword

2>e%Xdq

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

*\AD:\Blackshades Project\bs_net\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

5.5.1

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

\rsout.tmp

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

hXXp://

HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

api.ipinfodb.com

Select * from Win32_Keyboard

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

$('#jschl_answer').val(

application/x-www-form-urlencoded

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

\rspad.dat

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

explorer.exe

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

\system32\userinit.exe

steam.exe

hl.exe

@*\AD:\Blackshades Project\bs_net\server\server.vbp

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:1136
   taskkill.exe:1856
   taskkill.exe:1768
   taskkill.exe:1744
   taskkill.exe:1512
   taskkill.exe:480
   %original file name%.exe:312
   qbapJkM.exe:784
   mshta.exe:380
   mshta.exe:420
   mshta.exe:1364
   mshta.exe:1968
   mshta.exe:1088

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\ZFT6K0QBLR.exe (32 bytes)
   %Documents and Settings%\%current user%\Application Data\ltcdrive (33 bytes)
   %Documents and Settings%\%current user%\leyxw\BitcoinFaucetBot.exe (2928 bytes)
   %Documents and Settings%\%current user%\leyxw\DslXZuI.CFC (194 bytes)
   %Documents and Settings%\%current user%\leyxw\EvpLCsmnshl.SLP (3073 bytes)
   %Documents and Settings%\%current user%\leyxw\e (193759 bytes)
   %Documents and Settings%\%current user%\leyxw\qbapJkM.exe (31505 bytes)
   %Documents and Settings%\%current user%\leyxw\69394.vbs (185 bytes)
   %Documents and Settings%\%current user%\leyxw\54509.cmd (55 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (693 bytes)
   %Documents and Settings%\%current user%\leyxw\run.vbs (81 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "leyxw" = "C:\DOCUME~1\"%CurrentUserName%"\leyxw\69394.vbs"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.