Created: Tuesday, September 5 2006 06:32.27 CDT
goddamn brontok
Author: anonymouse
# Views: 19516
this is purely a rant, nothing else :)
these vb script kiddies are getting better and better
this scum of some backdoor that doesn't yield any good information about it ate some hours of my time today
i submitted it to kaspersky today via the online file scanner (it identified it as brontok.q)
but it refused to divulge any details, saying there are no details available at present in its virus list
and the browser was getting closed a few times before i could gather the information and get out of the net
it comes in various forms
well, maybe it was spent worthily
back to topic
as usual i wanted to crawl around
and as usual i hit ctrl+esc+shift to kill all the unwanted processes, and what i see are a lsass and a few winlogons lurking there and saying critical process
as usual task manager doesn't tell me if it is genuine,
if it is running from the path it is supposed to run from
well, no point whining
and i am stuck with a computer with a few curios
and absolutely no tools
well, i need some assassins; i hit the net to get some contract killers
and the goddamn computer throws up and reboots
oh, maybe it's some usual problem, let's do it again baby
the comp says no dice, find another, and reboots again
oh my god, this is challenging dear
well, let's find what's hidden
no folder options visible
let's open command prompt
start, run, cmd, enter
computer reboots spontaneously
ok, can't download hijackthis from the regular sites, so look for a few mirrors around
nothing, nada, can't download
i can't download putty, pscp, nothing
ok, let's do it manually
open regedit, computer reboots
open regedt32, says admin disabled it (who knows who is the admin)
ok, let's remove the network cable and try mucking around without the net
and see if it gets lost
nada, it's local and is still persistent in its behaviour
let's get into safe mode, safe mode with command prompt
nothing yields any info
(don't tell me "why didn't you try blacklight, rootkit revealer, icesword and whatever else exists"; those possibilities were extinguished)
ok, go have a break and come back
cmd closes; what about command, the old dos warrior
open command, the comp doesn't close itself
well then, if command runs we can try using reg
ok, reg query .../.../current version /run yields one key and the path to its secret files
C:\>reg query hkcu\software\microsoft\windows\currentversion\run
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    Tok-Cirrhatus-1497    REG_SZ    "C:\Documents and Settings\com\Local Settings\Application Data\br4017on.exe"
    Tok-Cirrhatus    REG_SZ
    Yahoo! Pager    REG_SZ    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    Bol IM    REG_SZ    "C:\Program Files\Rediff Bol\RediffMessenger.exe"
C:\>reg delete hkcu\software\microsoft\windows\currentversion\run
Permanently delete the registry key software\microsoft\windows\currentversion\run (Y/N)? y
The operation completed successfully
C:\>
but it doesn't look like it's going to help anything
i can't delete the file directly as attrib is +h +s +r
if i do attrib -s -h, before i could delete the attrib is changed back to the same old and command whines can't find file
ok, let's copy con foo.bat
attrib
del
ctrl+z
and run foo.bat
oops, it deletes
next dir/ah shows no files
and in a few minutes the file is back up in the folder
c:\windows\shellnew
can't delete the folder either (not even in safe mode)
ok, there is no way apart from ripping it apart it seems
ok, let's try copying it to some root folder
file gets copied
i floppied ollydbg over from another comp
and open it; it closes ollydbg and reboots
try to open it in view file; it closes ollydbg and reboots
at last i was somehow able to coax ollydbg into loading it
and then traced through it
and quit when i found the oep and dumped strings etc
the details below
there are a few email addresses etc in the strings
if someone wants to follow, i have the memdumps at various stages as well as two of the executables, one is the rakyatkelapatran.exe
00431B92 <ModuleEntryP>-E9 BDE5FCFF JMP lsass.00400154
0000AD92 -E9 BDE5FCFF JMP FFFD9354
oep probably
00402AF8 68 58594000 PUSH lsass.00405958
00402AFD E8 F0FFFFFF CALL lsass.00402AF2 ; JMP to MSVBVM60.ThunRTMain
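An added example (not part of the original post, and not the author's code): a small Python triage script for the two checks the post had to do by hand, spotting the Run-key entry that points into the profile's Application Data and telling a genuine lsass/winlogon from one running from the wrong path. The registry text is the post's own `reg query` session with the line wraps rejoined; the process paths, the extra process names, the temp directory marker and the System32 location are constructed assumptions.

```python
import ntpath
import re

# Assumption: default Windows XP layout, where the genuine lsass/winlogon live.
SYSTEM_DIR = r"c:\windows\system32"
# Core process names worth verifying; the post saw extra lsass/winlogon,
# the other three are added here as an assumption.
SYSTEM_NAMES = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}
# Directories an autorun or a "system" process should not run from.
# Application Data and ShellNew come from the post; the temp path is an assumption.
ODD_DIRS = (r"\application data", r"\local settings\temp", r"\windows\shellnew")

# One value line of `reg query` output: name, type, optional data.
ENTRY = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# The post's reg query session, with the 80-column wraps rejoined.
SAMPLE_REG = r'''
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    Tok-Cirrhatus-1497    REG_SZ    "C:\Documents and Settings\com\Local Settings\Application Data\br4017on.exe"
    Tok-Cirrhatus    REG_SZ
    Yahoo! Pager    REG_SZ    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    Bol IM    REG_SZ    "C:\Program Files\Rediff Bol\RediffMessenger.exe"
'''

# Constructed process image paths (not from the post), as a process listing
# that includes the executable path would report them.
SAMPLE_PROCS = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Documents and Settings\com\Local Settings\Application Data\lsass.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\Documents and Settings\com\Local Settings\Application Data\winlogon.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
]


def parse_run_values(text):
    """Return [(value_name, command)] from saved `reg query` output."""
    values = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            values.append((m.group(1), m.group(3).strip()))
    return values


def exe_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def flag_run_entries(text):
    """Map value name -> reason for every autorun entry worth a second look."""
    flagged = {}
    for name, command in parse_run_values(text):
        if not command:
            flagged[name] = "empty command"
        elif any(d in exe_path(command).lower() for d in ODD_DIRS):
            flagged[name] = "runs from a user-writable or odd directory"
    return flagged


def flag_masquerades(image_paths):
    """Return paths whose file name is a core system process name but whose
    directory is not the system directory."""
    hits = []
    for path in image_paths:
        norm = ntpath.normpath(path).lower()
        if ntpath.basename(norm) in SYSTEM_NAMES and ntpath.dirname(norm) != SYSTEM_DIR:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, reason in flag_run_entries(SAMPLE_REG).items():
        print("autorun:", name, "->", reason)
    for path in flag_masquerades(SAMPLE_PROCS):
        print("masquerade:", path)
```

The script only reads saved text, so it can be run on a clean machine against output collected from the infected one.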
00409EF4 UNICODE "81#VD\#Q"
00409F04 UNICODE "R#WR#GUX"
00409F14 UNICODE "JV#$$$?e"
00409F24 UNICODE "uA?euA?e"
00409F34 UNICODE "uA",0
00409F40 UNICODE ".com",0
00409F50 UNICODE "?irqw#fr"
00409F60 UNICODE "oru@%&44"
00409F70 UNICODE "55II%#vl"
00409F80 UNICODE "}h@8A00#"
00409F90 UNICODE "NLDPDW#V"
00409FA0 UNICODE "XGDK#GHN"
00409FB0 UNICODE "DW#00?2i"
00409FC0 UNICODE "rqwA?euA"
00409FD0 UNICODE "?euA",0
00409FE0 UNICODE "Whulqvsl"
00409FF0 UNICODE "udvl#roh"
0040A000 UNICODE "k=#?euAH"
0040A010 UNICODE "odqj#Eur"
0040A020 UNICODE "qwrn#+Vs"
0040A030 UNICODE "l}dhwxv#"
0040A040 UNICODE "Fluukdwx"
0040A050 UNICODE "v,#|dqj#"
0040A060 UNICODE "kdpslu#s"
0040A070 UNICODE "xqdk?euA"
0040A080 UNICODE 0
0040A088 UNICODE "?Vfulsw#"
0040A098 UNICODE "Odqjxdjh"
0040A0A8 UNICODE "@Mdydvfu"
0040A0B8 UNICODE "lsw#LG@%"
0040A0C8 UNICODE "Eurqwrn1"
0040A0D8 UNICODE "D%A",0
0040A0E4 UNICODE "dohuw#+%"
0040A0F4 UNICODE "Dqgd#Vhw"
0040A104 UNICODE "xmxB%,>",0
0040A118 UNICODE "?2Vfulsw"
0040A128 UNICODE "A",0
0040A130 UNICODE "?K5A?Irq"
0040A140 UNICODE "w#idfh@%"
0040A150 UNICODE "Yhugdqd%"
0040A160 UNICODE "#froru@%"
0040A170 UNICODE "&H5HD38%"
0040A180 UNICODE "A^#E|=#K"
0040A190 UNICODE "YP64#`?e"
0040A1A0 UNICODE "uA00#Mrz"
0040A1B0 UNICODE "rErw#&YP"
0040A1C0 UNICODE "#Frppxql"
0040A1D0 UNICODE "w|#00?2I"
0040A1E0 UNICODE "rqwA?2K5"
0040A1F0 UNICODE "A",0
0040A1F8 UNICODE "?2irqwA?"
0040A208 UNICODE "2k6A?k7A"
0040A218 UNICODE "$$$#Dndq"
0040A228 UNICODE "#Nxexdw#"
0040A238 UNICODE "Phuhnd#+"
0040A248 UNICODE "YP#orndo"
0040A258 UNICODE "#|j#fhqj"
0040A268 UNICODE "hqj#)#er"
0040A278 UNICODE "grk,#Whu"
0040A288 UNICODE "ndsdu#$$"
0040A298 UNICODE "$?2k7A?2"
0040A2A8 UNICODE "FHQWHUA?"
0040A2B8 UNICODE "2ERG\A?2"
0040A2C8 UNICODE "KWPOA",0
0040A2D8 UNICODE "\drivers"
0040A2E8 UNICODE "\etc\hos"
0040A2F8 UNICODE "ts",0
0040A304 UNICODE "-Denied "
0040A314 UNICODE "By-",0
0040A320 UNICODE "pfyvhvfq"
0040A330 UNICODE "1h{h>srs"
0040A340 UNICODE "ur{|1h{h"
0040A350 UNICODE ">dyjhpf1"
0040A360 UNICODE "h{h>ffds"
0040A370 UNICODE "sv1h{h>w"
0040A380 UNICODE "vnpju1h{"
0040A390 UNICODE "h>v|vory"
0040A3A0 UNICODE "h1h{h>{s"
0040A3B0 UNICODE "vkduh1h{"
0040A3C0 UNICODE "h>ul|dql"
0040A3D0 UNICODE "bmdqjndu"
0040A3E0 UNICODE "x1h{h>v|"
0040A3F0 UNICODE "vwud|1h{"
0040A400 UNICODE "h>dvkpdl"
0040A410 UNICODE "vy1h{h>d"
0040A420 UNICODE "vzxsgvy1"
0040A430 UNICODE "h{h>qyfr"
0040A440 UNICODE "dv1h{h>f"
0040A450 UNICODE "fodz1h{h"
0040A460 UNICODE ">qmhhyhv"
0040A470 UNICODE "1h{h>qls"
0040A480 UNICODE "vyf1h{h",0
0040A4A0 UNICODE "slqj#ndv"
0040A4B0 UNICODE "nxv1frp#"
0040A4C0 UNICODE "0q#583#0"
0040A4D0 UNICODE "o#:7:",0
0040A4E0 UNICODE "slqj#4:w"
0040A4F0 UNICODE "dkxq1frp"
0040A500 UNICODE "#0q#583#"
0040A510 UNICODE "0o#:7:",0
0040A524 UNICODE "NDOL",0
0040A534 UNICODE "SIJI",0
0040A544 UNICODE "LORO",0
0040A554 UNICODE "TELU",0
0040A574 UNICODE "LIMA",0
0040A584 UNICODE "ENEM",0
0040A594 UNICODE "PITU",0
0040A5A4 UNICODE "WOLU",0
0040A5B4 UNICODE "SANGA",0
0040A5DC ASCII "VBA6.DLL",0
0040A5E8 ASCII "__vbaVarAdd",0
0040A5F4 ASCII "__vbaI4Var",0
0040A600 ASCII "__vbaRedimPreser"
0040A610 ASCII "ve",0
0040A614 ASCII "__vbaLenVar",0
0040A620 ASCII "__vbaVarTstEq",0
0040A630 ASCII "__vbaGenerateBou"
0040A640 ASCII "ndsError",0
0040A64C ASCII "__vbaAryConstruc"
0040A65C ASCII "t2",0
0040A660 ASCII "__vbaFpR8",0
0040A66C ASCII "__vbaStrFixstr",0
0040A67C ASCII "__vbaRedim",0
0040A688 ASCII "__vbaInStrVar",0
0040A698 ASCII "__vbaVarCmpGt",0
0040A6A8 ASCII "__vbaStrI2",0
0040A6B4 ASCII "__vbaVarAnd",0
0040A6C0 ASCII "__vbaBoolVarNull"
0040A6D0 ASCII 0
0040A6D4 ASCII "__vbaR8IntI2",0
0040A6E4 ASCII "__vbaStrVarVal",0
0040A6F4 ASCII "__vbaNextEachCol"
0040A704 ASCII "lAd",0
0040A708 ASCII "__vbaLateMemCall"
0040A718 ASCII "Ld",0
0040A71C ASCII "__vbaForEachColl"
0040A72C ASCII "Ad",0
0040A730 ASCII "__vbaObjVar",0
0040A73C ASCII "__vbaPut3",0
0040A748 ASCII "__vbaLsetFixstr",0
0040A758 ASCII "__vbaFixstrConst"
0040A768 ASCII "ruct",0
0040A770 ASCII "__vbaStrToUnicod"
0040A780 ASCII "e",0
0040A784 ASCII "__vbaFreeObjList"
0040A794 ASCII 0
0040A798 ASCII "__vbaLineInputSt"
0040A7A8 ASCII "r",0
0040A7AC ASCII "__vbaCopyBytes",0
0040A7BC ASCII "__vbaExitProc",0
0040A7CC ASCII "__vbaFileClose",0
0040A7DC ASCII "__vbaPrintFile",0
0040A7EC ASCII "__vbaFileOpen",0
0040A7FC ASCII "__vbaVarMove",0
0040A80C ASCII "__vbaRecAnsiToUn"
0040A81C ASCII "i",0
0040A820 ASCII "__vbaRecUniToAns"
0040A830 ASCII "i",0
0040A834 ASCII "__vbaStrToAnsi",0
0040A844 ASCII "__vbaStrI4",0
0040A850 ASCII "__vbaAryUnlock",0
0040A860 ASCII "__vbaAryLock",0
0040A870 ASCII "__vbaR8Str",0
0040A87C ASCII "__vbaFPInt",0
0040A888 ASCII "__vbaFpI2",0
0040A894 ASCII "__vbaInStr",0
0040A8A0 ASCII "__vbaErrorOverfl"
0040A8B0 ASCII "ow",0
0040A8B4 ASCII "__vbaAryDestruct"
0040A8C4 ASCII 0
0040A8C8 ASCII "__vbaSetSystemEr"
0040A8D8 ASCII "ror",0
0040A8DC ASCII "__vbaVarInt",0
0040A8E8 ASCII "__vbaI2Var",0
0040A8F4 ASCII "__vbaVarCat",0
0040A900 ASCII "__vbaStrVarMove",0
0040A910 ASCII "__vbaI4Str",0
0040A91C ASCII "__vbaObjSetAddre"
0040A92C ASCII "f",0
0040A938 ASCII "__vbaLenBstr",0
0040A948 ASCII "__vbaFreeVar",0
0040A958 ASCII "__vbaFreeStrList"
0040A968 ASCII 0
0040A970 ASCII "__vbaDerefAry1",0
0040A980 ASCII "__vbaLenBstrB",0
0040A990 ASCII "__vbaLbound",0
0040A99C ASCII "__vbaUbound",0
0040A9A8 ASCII "__vbaI2I4",0
0040A9B4 ASCII "__vbaStrCat",0
0040A9C0 ASCII "__vbaStrCmp",0
0040A9CC ASCII "__vbaStrMove",0
0040A9DC ASCII "__vbaFreeVarList"
0040A9EC ASCII 0
0040A9F0 ASCII "__vbaVarDup",0
0040A9FC ASCII "__vbaAryVar",0
0040AA08 ASCII "__vbaAryCopy",0
0040AA18 ASCII "__vbaFreeStr",0
0040AA28 ASCII "__vbaObjSet",0
0040AA34 ASCII "__vbaStrCopy",0
0040AA44 ASCII "__vbaFreeObj",0
0040AA54 ASCII "__vbaHresultChec"
0040AA64 ASCII "kObj",0
0040AA6C ASCII "__vbaNew2",0
0040AA78 ASCII "__vbaOnError",0
0040AA88 DD lsass.0040B588 ASCII "GtEmail"
0040AA90 DD lsass.0040B554 ASCII "BackDown"
0040AA9C DD lsass.0040B5F4 ASCII "InpUser"
0040AAA0 DD lsass.0040B494 ASCII "Cadang"
0040AAA4 DD lsass.0040B500 ASCII "Awalkah"
0040AAA8 DD lsass.0040B4F0 ASCII "Simpan"
0040AAAC DD lsass.0040B4F8 ASCII "Alamat"
0040AAB0 DD lsass.0040B48C ASCII "GHari"
0040AAB8 DD lsass.0040B49C ASCII "tks"
0040AAC0 DD lsass.0040B508 ASCII "NamaFileCr"
0040AAC4 DD lsass.0040B514 ASCII "DataFileCr"
0040AAC8 DD lsass.0040B560 ASCII "SInpMail"
0040AAD0 DD lsass.0040B5E0 ASCII "OriginalStr"
0040AAD8 DD lsass.0040B5D4 ASCII "HostName"
0040AAE0 DD lsass.0040B5C4 ASCII "PthFile"
0040AAE4 DD lsass.0040B5CC ASCII "GetMode"
0040AAE8 DD lsass.0040B538 ASCII "BMail"
0040AAF0 DD lsass.0040B540 ASCII "InpMail"
0040AAF8 DD lsass.0040B5EC ASCII "GetInt"
0040AB00 DD lsass.0040B54C ASCII "ikar"
0040AB08 DD lsass.0040B520 ASCII "GetNmFileMail"
0040AB0C DD lsass.0040B530 ASCII "Apnet"
0040AB10 DD lsass.0040B548 ASCII "inp"
0040AB18 DD lsass.0040B5A8 ASCII "path"
0040AB1C DD lsass.0040B5B0 ASCII "SearchStr"
0040AB20 DD lsass.0040B5BC ASCII "Modenya"
0040AB24 DD lsass.0040B4E0 ASCII "GetTeks"
0040AB28 DD lsass.0040B4E8 ASCII "DecInt"
0040AB30 DD lsass.0040B4C8 ASCII "hKeynya"
0040AB34 DD lsass.0040B4A8 ASCII "subkeynya"
0040AB38 DD lsass.0040B4D0 ASCII "YgRun"
0040AB3C DD lsass.0040B4D8 ASCII "NamaReg"
0040AB40 DD lsass.0040B4A0 ASCII "RootKey"
0040AB44 DD lsass.0040B4A8 ASCII "subkeynya"
0040AB48 DD lsass.0040B4B4 ASCII "Namanya"
0040AB4C DD lsass.0040B4BC ASCII "harganya"
0040AB50 DD lsass.0040B590 ASCII "Dari"
0040AB54 DD lsass.0040B598 ASCII "Untuk"
0040AB58 DD lsass.0040B5A0 ASCII "SGBhs"
0040AB60 DD lsass.0040B56C ASCII "ServAw"
0040AB64 DD lsass.0040B574 ASCII "sFrom"
0040AB68 DD lsass.0040B57C ASCII "sTo"
0040AB6C DD lsass.0040B580 ASCII "InBhs"
0040AEF5 ASCII "00",0
0040B48C ASCII "GHari",0
0040B494 ASCII "Cadang",0
0040B49C ASCII "tks",0
0040B4A0 ASCII "RootKey",0
0040B4A8 ASCII "subkeynya",0
0040B4B4 ASCII "Namanya",0
0040B4BC ASCII "harganya",0
0040B4C8 ASCII "hKeynya",0
0040B4D0 ASCII "YgRun",0
0040B4D8 ASCII "NamaReg",0
0040B4E0 ASCII "GetTeks",0
0040B4E8 ASCII "DecInt",0
0040B4F0 ASCII "Simpan",0
0040B4F8 ASCII "Alamat",0
0040B500 ASCII "Awalkah",0
0040B508 ASCII "NamaFileCr",0
0040B514 ASCII "DataFileCr",0
0040B520 ASCII "GetNmFileMail",0
0040B530 ASCII "Apnet",0
0040B538 ASCII "BMail",0
0040B540 ASCII "InpMail",0
0040B548 ASCII "inp",0
0040B54C ASCII "ikar",0
0040B554 ASCII "BackDown",0
0040B560 ASCII "SInpMail",0
0040B56C ASCII "ServAw",0
0040B574 ASCII "sFrom",0
0040B57C ASCII "sTo",0
0040B580 ASCII "InBhs",0
0040B588 ASCII "GtEmail",0
0040B590 ASCII "Dari",0
0040B598 ASCII "Untuk",0
0040B5A0 ASCII "SGBhs",0
0040B5A8 ASCII "path",0
0040B5B0 ASCII "SearchStr",0
0040B5BC ASCII "Modenya",0
0040B5C4 ASCII "PthFile",0
0040B5CC ASCII "GetMode",0
0040B5D4 ASCII "HostName",0
0040B5E0 ASCII "OriginalStr",0
0040B5EC ASCII "GetInt",0
0040B5F4 ASCII "InpUser",0
0040B7AE MOV EDX,lsass.004074FC UNICODE "16"
0040B7C5 MOV EDX,lsass.00407508 UNICODE "123"
0040B85D PUSH lsass.00407524 UNICODE "Orf1Pdlo1Eurq1Wrn"
0040B9CD PUSH lsass.00407580 UNICODE "zlqorjrq1h{h>vhuylfhv1h{h>ovdvv1h{h>lqhwlqir1h{h>fvuvv1h{h>vpvv1h{h"
0040BAA5 PUSH lsass.00407614 UNICODE "VHUYLFHV>OVDVV>LQHWLQIR>ZLQORJRQ>FVUVV>VPVV"
0040BB7D PUSH lsass.00407670 UNICODE "vpvv1h{h/vhuylfhv1h{h/ovdvv1h{h/lqhwlqir1h{h/fvuvv1h{h"
0040BC79 PUSH lsass.004076EC UNICODE "exe;scr;pif;com;cmd;bat;jpg"
0040C1DD MOV EDX,lsass.00407738 UNICODE "Admin"
0040C20C PUSH lsass.0040754C UNICODE "SYSTEMPROFILE"
0040C23E MOV EDX,lsass.0040756C UNICODE "System"
0040C319 MOV DWORD PTR SS:[EBP-C0],lsass.00407748 UNICODE "br"
0040C360 MOV DWORD PTR SS:[EBP-D0],lsass.00407758 UNICODE "on.exe"
0040C664 PUSH lsass.0040776C UNICODE "\ShellNew"
0040C6A0 PUSH lsass.00407784 UNICODE "\RakyatKelaparan.exe"
0040C6D9 PUSH lsass.004077B4 UNICODE "\KesenjanganSosial.exe"
0040C712 PUSH lsass.004077E8 UNICODE "\cmd-brontok.exe"
0040C7C8 PUSH lsass.00407810 UNICODE "\Media"
0040C7FE PUSH lsass.00407824 UNICODE "zlqzrug1h{h/ndqjhq1h{h/ffdssv1h{h/v|voryh1h{h"
0040C8D6 PUSH lsass.00407884 UNICODE "ndqjhq1h{h>xqwxnpx1h{h>p|khduw1h{h>p|#khduw1h{h>mdqjdq#glexnd1h{h"
0040C9AE PUSH lsass.00407934 UNICODE "vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_Srolflhv_V|vwhp"
0040CA1D PUSH lsass.004079AC UNICODE "vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_uxq"
0040CA8C PUSH lsass.00407A0C UNICODE "vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_Srolflhv_H{soruhu"
0040CAFB PUSH lsass.00407A88 UNICODE "vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_h{soruhu_dgydqfhg"
0040CB6A PUSH lsass.00407B20 UNICODE "VRIWZDUH_Plfurvriw_Zlqgrzv#QW_FxuuhqwYhuvlrq_Zlqorjrq"
0040CBD9 PUSH lsass.00407B90 UNICODE "V\VWHP_FxuuhqwFrqwuroVhw_Frqwuro_VdihErrw"
0040CDF1 PUSH lsass.00407BE8 UNICODE "VHFXUH/VXSSRUW/PDVWHU/PLFURVRIW/YLUXV/KDFN/FUDFN/OLQX[/DYJ/JULVRIW/FLOOLQ/VHFXULW\/V\PDQWHF/DVVRFLDW"
0040CDF6 PUSH lsass.00407D14 UNICODE "\RXU/VRPH/DVGI/C1/1C/ZZZ/YDNVLQ/GHYHORS/SURJUDP/VRXUFH/QHWZRUN/XSGDWH/WHVW/11/[[[/VPWS/H[DPSOH/FRQWR"
0040CE0B PUSH lsass.00407EF8 UNICODE "1YEV/GRPDLQ/KLGGHQ/GHPR/GHYHORS/IRRC/NRPSXWHU/VHQLRU/GDUN/EODFN/EOHHS/IHHGEDFN/LEP1/LQWHO1/PDFUR/DGR"
0040CE20 PUSH lsass.004080D8 UNICODE "FQHW/GRZQORDG/KS1/[HUR[/FDQRQ/VHUYLFH/DUFKLHYH/QHWVFDSH/PR]LOOD/RSHUD/QRYHOO/QHZV/XSGDWH/UHVSRQVH/RY"
0040CE35 PUSH lsass.004082BC UNICODE "ORWXV/PLFUR/WUHQG/VLHPHQV/IXMLWVX/QRNLD/Z61/QYLGLD/DSDFKH/P\VTO/SRVWJUH/VXQ1/JRRJOH/VSHUVN\/]RPELH/D"
0040CE4A PUSH lsass.004084A4 UNICODE "DODGGLQ/DOHUW/EXLOGHU/GDWDEDVH/DKQODE/SURODQG/HVFDQ/KDXUL/QRG65/V\EDUL/DQWLJHQ/URERW/DOZLO/EURZVH/FR"
0040CE5F PUSH lsass.00408684 UNICODE "ODE/LHHH/NGH/WUDFN/LQIRUPD/IXML/CPDF/VODFN/UHGKD/VXVH/EXQWX/[DQGURV/CDEF/C456/ORRNVPDUW/V\QGLFDW/HOH"
0040CE74 PUSH lsass.004087B0 UNICODE "XVHUQDPH/LSWHN/FOLFN/VDOHV/SURPR"
0040CF7E PUSH lsass.0040886C UNICODE "UHJLVWU\/V\VWHP#FRQILJXUDWLRQ/FRPPDQG#SURPSW/1H[H/VKXW#GRZQ/VFULSW#KRVW/ORJ#RII#ZLQGRZV/NLOOER[/WDVN"
0040D056 PUSH lsass.00408A54 UNICODE "SODVD>WHONRP>LQGR>1FR1LG>1JR1LG>1PLO1LG>1VFK1LG>1QHW1LG>1RU1LG>1DF1LG>1ZHE1LG>1ZDU1QHW1LG>DVWDJD>JDX"
0040D5D5 PUSH lsass.00408B4C UNICODE "dw#2ghohwh#2|"
0040D6BF PUSH lsass.00408B6C UNICODE "\Empty.pif"
0040D754 MOV DWORD PTR SS:[EBP-C0],lsass.00408B88 UNICODE "-NendangBro.com"
0040D838 PUSH lsass.00408BAC UNICODE "'s Setting.scr"
0040D919 PUSH lsass.00408BD0 UNICODE "dw#4:=3;#2hyhu|=P/W/Z/Wk/I/V/Vx#"
0040DA86 PUSH lsass.00408A00 UNICODE "dw#44=36#2hyhu|=P/W/Z/Wk/I/V/Vx#"
0040EB87 MOV EDX,lsass.00408A48 UNICODE "*.*"
0040F27A PUSH lsass.00408C18 UNICODE "UPDATE"
0040F56C PUSH lsass.004087F8 UNICODE "\Update.AN."
0040F586 MOV DWORD PTR SS:[EBP-128],lsass.00408814 UNICODE ".A.Bron.Tok.tempo.exe"
0040F738 PUSH lsass.004087F8 UNICODE "\Update.AN."
0040F78B MOV DWORD PTR SS:[EBP-128],lsass.00408814 UNICODE ".A.Bron.Tok.tempo.exe"
0040F93B PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0040F955 MOV DWORD PTR SS:[EBP-128],lsass.004085D0 UNICODE ".em.bin"
0040FB07 PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0040FB5A MOV DWORD PTR SS:[EBP-128],lsass.004085D0 UNICODE ".em.bin"
0040FD0A PUSH lsass.004085E4 UNICODE "\Update."
0040FD24 MOV DWORD PTR SS:[EBP-128],lsass.004085FC UNICODE ".Bron.Tok.bin"
0040FED6 PUSH lsass.004085E4 UNICODE "\Update."
0040FF29 MOV DWORD PTR SS:[EBP-128],lsass.004085FC UNICODE ".Bron.Tok.bin"
004100A9 MOV DWORD PTR SS:[EBP-118],lsass.00408640 UNICODE "
"
004100DC PUSH lsass.0040861C UNICODE "\IDTemplate.exe"
004100F1 PUSH lsass.00408640 UNICODE "
"
0041011C PUSH lsass.0040864C UNICODE "\bararontok.com"
00410131 PUSH lsass.00408640 UNICODE "
"
0041015C PUSH lsass.004083E0 UNICODE "\A.kotnorB.com"
00410171 PUSH lsass.00408640 UNICODE "
"
0041019C PUSH lsass.00408404 UNICODE "\3D Animation.scr"
004101B1 PUSH lsass.00408640 UNICODE "
"
004101DC PUSH lsass.0040842C UNICODE "\eksplorasi.pif"
004101F1 PUSH lsass.00408640 UNICODE "
"
0041021C PUSH lsass.00408450 UNICODE "\eksplorasi.exe"
00410231 PUSH lsass.00408640 UNICODE "
"
0041025C PUSH lsass.00408474 UNICODE "\ShellNew\ElnorB.exe"
00410271 PUSH lsass.00408640 UNICODE "
"
004102A2 PUSH lsass.00408200 UNICODE "\BerasJatah.exe"
004102BA PUSH lsass.00408640 UNICODE "
"
004102EE PUSH lsass.00408224 UNICODE "\bronstab.exe"
00410306 PUSH lsass.00408640 UNICODE "
"
0041033A PUSH lsass.00408244 UNICODE "\sempalong.exe"
00410352 PUSH lsass.00408640 UNICODE "
"
00410383 PUSH lsass.00408268 UNICODE "\WowTumpeh.com"
0041039B PUSH lsass.00408640 UNICODE "
"
004103CC PUSH lsass.0040828C UNICODE "\Brengkolang.com"
00410C29 PUSH lsass.00408670 UNICODE ".JPG"
00410C65 MOV DWORD PTR SS:[EBP-118],lsass.0040801C UNICODE "mspaint.exe"
00410CB2 MOV DWORD PTR SS:[EBP-118],lsass.00408038 UNICODE "explorer.exe"
00411064 PUSH lsass.00408058 UNICODE ":\"
0041120D PUSH lsass.00408064 UNICODE "google.com"
0041127B PUSH lsass.00408080 UNICODE "yahoo.com"
00411369 PUSH lsass.00408098 UNICODE "kwws=22zzz1jhrflwlhv1frp2"
004113AA PUSH lsass.00407E34 UNICODE "kwws=22zzz153pezhe1frp2Qhzv2"
004113F7 PUSH lsass.00407E74 UNICODE "fpeurvml42"
00411417 PUSH lsass.00407E90 UNICODE "fpeurour52"
00411437 PUSH lsass.00407EAC UNICODE "fpeurwox62"
00411457 PUSH lsass.00407EC8 UNICODE "vhpelovwdern2"
0041146B PUSH lsass.00407B04 UNICODE "vwdeur:rn2"
00411578 MOV ESI,lsass.0040790C UNICODE "C:\autoexec.bat"
0041158E PUSH lsass.00407EE8 UNICODE "pause"
00411672 PUSH lsass.00408C2C UNICODE "SeShutdownPrivilege"
00411840 PUSH lsass.00408C58 UNICODE "GlvdeohUhjlvwu|Wrrov"
004118A8 PUSH lsass.00408C88 UNICODE "GlvdeohFPG"
00411910 PUSH lsass.00408CA4 UNICODE "QrIroghuRswlrqv"
00411978 PUSH lsass.00408CC8 UNICODE "Klgghq"
004119E0 PUSH lsass.00408CDC UNICODE "KlghIlohH{w"
00411A48 PUSH lsass.00408CF8 UNICODE "VkrzVxshuKlgghq"
00411AB0 PUSH lsass.00408D1C UNICODE "DowhuqdwhVkhoo"
00411F4F PUSH lsass.00408D40 UNICODE "Bron-Spizaetus"
004120B5 PUSH lsass.00408D84 UNICODE "Shell"
004120BA PUSH lsass.00408D64 UNICODE "Explorer.exe "
004121E0 PUSH lsass.00408D94 UNICODE "cmd-brontok.exe"
0041231B PUSH lsass.00408DB8 UNICODE "Tok-Cirrhatus-"
00412429 PUSH lsass.00408DEC UNICODE "Tok-Cirrhatus"
00412949 PUSH lsass.004085E4 UNICODE "\Update."
00412974 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
00412ADE PUSH lsass.004087F8 UNICODE "\Update.AN."
00412B09 PUSH lsass.00408E14 UNICODE ".A.Bron.Tok"
00412CA7 PUSH lsass.004085E4 UNICODE "\Update."
00412CD2 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
00412D98 PUSH lsass.00408E30 UNICODE "http://"
00412F13 PUSH lsass.004087F8 UNICODE "\Update.AN."
00412F3E PUSH lsass.00408E14 UNICODE ".A.Bron.Tok"
004130A7 PUSH lsass.004085E4 UNICODE "\Update."
004130D2 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
00413384 PUSH lsass.00408E44 UNICODE "IN"
004133C2 PUSH lsass.00408E50 UNICODE ".css"
004133DA PUSH lsass.004085E4 UNICODE "\Update."
00413405 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
004135C5 PUSH lsass.004085E4 UNICODE "\Update."
004135F0 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
004137FD PUSH lsass.004085E4 UNICODE "\Update."
00413828 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
00413962 PUSH lsass.004087F8 UNICODE "\Update.AN."
0041398D PUSH lsass.00408E14 UNICODE ".A.Bron.Tok"
00413BB6 PUSH lsass.004087F8 UNICODE "\Update.AN."
00413BE1 PUSH lsass.00408E68 UNICODE ".A.Bron.Tok.exe"
00413BF9 PUSH lsass.004087F8 UNICODE "\Update.AN."
00413C24 PUSH lsass.00408E14 UNICODE ".A.Bron.Tok"
00413D79 PUSH lsass.004085E4 UNICODE "\Update."
00413DA4 PUSH lsass.004085FC UNICODE ".Bron.Tok.bin"
00413ED9 PUSH lsass.004087F8 UNICODE "\Update.AN."
00413F04 PUSH lsass.00408E14 UNICODE ".A.Bron.Tok"
00414CA9 PUSH lsass.00406488 UNICODE "Brontok.A16NLAECV Browser"
0041505F PUSH lsass.004087F8 UNICODE "\Update.AN."
0041508A PUSH lsass.00408E68 UNICODE ".A.Bron.Tok.exe"
004152D9 PUSH lsass.004087F8 UNICODE "\Update.AN."
00415304 PUSH lsass.00408814 UNICODE ".A.Bron.Tok.tempo.exe"
0041531C PUSH lsass.004087F8 UNICODE "\Update.AN."
00415347 PUSH lsass.00408E68 UNICODE ".A.Bron.Tok.exe"
0041545C PUSH lsass.004087F8 UNICODE "\Update.AN."
00415487 PUSH lsass.00408E68 UNICODE ".A.Bron.Tok.exe"
00415589 PUSH lsass.004087F8 UNICODE "\Update.AN."
004155B4 PUSH lsass.00408814 UNICODE ".A.Bron.Tok.tempo.exe"
0041576E MOV DWORD PTR SS:[EBP-DC],lsass.00408E9C UNICODE "WinNT:"
0041583F MOV DWORD PTR SS:[EBP-DC],lsass.00408EB0 UNICODE "WinNT://"
00415863 PUSH lsass.00408EC4 UNICODE "Name"
004158FC MOV DWORD PTR SS:[EBP-DC],lsass.00408ED4 UNICODE "\\"
00415919 PUSH lsass.00408EC4 UNICODE "Name"
0041597F PUSH lsass.00408EE0 UNICODE "\\SCHEMA"
00415A9E PUSH lsass.00408EF8 UNICODE "NET VIEW "
00415AC6 PUSH lsass.00408F10 UNICODE " >> "
00415B13 PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
00415B53 PUSH lsass.00408640 UNICODE "
"
00415CF3 PUSH lsass.00408F54 UNICODE "EXIT >> "
00415D3D PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
00415E9C PUSH lsass.00408F6C UNICODE "\BronNetDomList.bat"
0041603B PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
004161A9 PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
004162F2 PUSH lsass.00408F6C UNICODE "\BronNetDomList.bat"
00416461 PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
0041660B PUSH lsass.00408F6C UNICODE "\BronNetDomList.bat"
00416779 PUSH lsass.00408F6C UNICODE "\BronNetDomList.bat"
00416905 PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
0041699D PUSH lsass.00408ED4 UNICODE "\\"
004169C7 PUSH lsass.00408DDC UNICODE "DISK"
00416AA8 PUSH lsass.00408ED4 UNICODE "\\"
00416B23 PUSH lsass.00408DDC UNICODE "DISK"
00416BB5 PUSH lsass.00408DDC UNICODE "DISK"
00416BFE PUSH lsass.00408640 UNICODE "
"
00416D3A PUSH lsass.00408F98 UNICODE "\BronNPath0.txt"
00416EB5 PUSH lsass.00408F20 UNICODE "\BronFoldNetDomList.txt"
00416FFE PUSH lsass.00408F98 UNICODE "\BronNPath0.txt"
004171C5 PUSH lsass.00408F98 UNICODE "\BronNPath0.txt"
00417238 PUSH lsass.00408ED4 UNICODE "\\"
00417265 PUSH lsass.00408640 UNICODE "
"
00417397 PUSH lsass.00408F98 UNICODE "\BronNPath0.txt"
00417412 MOV DWORD PTR SS:[EBP-DC],lsass.00408640 UNICODE "
"
00417546 PUSH lsass.00408FBC UNICODE "\Data "
00417571 PUSH lsass.00408FD0 UNICODE ".exe"
004175AE MOV EDX,lsass.00408A48 UNICODE "*.*"
0041780D MOV EDX,lsass.00408FE0 UNICODE "Brontok"
0041798F PUSH lsass.00408FF4 UNICODE "\Bron.tok-"
00417B75 PUSH lsass.00408FF4 UNICODE "\Bron.tok-"
00417DAA PUSH lsass.00408FF4 UNICODE "\Bron.tok-"
00418072 PUSH lsass.00409018 UNICODE "PROPERTIES"
004180EA PUSH lsass.00409034 UNICODE "APPLICATION DATA"
00418105 MOV DWORD PTR SS:[EBP-90],lsass.0040905C UNICODE "C:\rontokbro.txt"
0041821A PUSH lsass.00409084 UNICODE "\about.Brontok.A.html"
004182BF PUSH lsass.00409084 UNICODE "\about.Brontok.A.html"
004182DE PUSH lsass.004090B4 UNICODE "open"
00418747 PUSH lsass.004090C4 UNICODE "\Kosong.Bron.Tok.txt"
0041886B PUSH lsass.004090F4 UNICODE "Brontok.A"
00418870 PUSH lsass.00408640 UNICODE "
"
00418885 PUSH lsass.0040910C UNICODE "By: HVM31"
0041889A PUSH lsass.00408640 UNICODE "
"
004188AF PUSH lsass.0040915C UNICODE "-- JowoBot #VM Community --"
004188C7 PUSH lsass.004090C4 UNICODE "\Kosong.Bron.Tok.txt"
00418A6E PUSH lsass.00409198 UNICODE ":\Data "
00418AA9 PUSH lsass.00408FD0 UNICODE ".exe"
00418B02 MOV EDX,lsass.00408A48 UNICODE "*.*"
00418B2B PUSH lsass.00408058 UNICODE ":\"
00418E4D PUSH lsass.004091AC UNICODE "\NetMailTmp.bin"
00418F55 PUSH lsass.00408640 UNICODE "
"
00418FA2 MOV EBX,lsass.00408640 UNICODE "
"
00419137 PUSH lsass.004091D8 UNICODE " "
00419191 PUSH lsass.004091D8 UNICODE " "
00419341 PUSH lsass.004091E4 UNICODE ".ini"
004194CB PUSH lsass.004091E4 UNICODE ".ini"
004194E3 PUSH lsass.004090C4 UNICODE "\Kosong.Bron.Tok.txt"
00419EBA MOV EDX,lsass.00408640 UNICODE "
"
0041A012 PUSH lsass.004091FC UNICODE "\Ok-SendMail-Bron-tok"
0041A12A PUSH lsass.004091FC UNICODE "\Ok-SendMail-Bron-tok"
0041A21D PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041A248 PUSH lsass.004085D0 UNICODE ".em.bin"
0041A50D MOV EDX,lsass.0040922C UNICODE "*.ini"
0041A8B9 MOV DWORD PTR SS:[EBP-3E0],lsass.0040923C UNICODE "@YAHOO"
0041A974 MOV EDX,lsass.00409250 UNICODE "mta237.mail.re2.yahoo.com"
0041ACA1 PUSH lsass.00409288 UNICODE "KHOR#"
0041AD26 MOV EDI,lsass.00408640 UNICODE "
"
0041AD89 PUSH lsass.00409298 UNICODE "PDLO#IURP=#"
0041AE1A PUSH lsass.004092B4 UNICODE "UFSW#WR=#"
0041AEAB PUSH lsass.004092CC UNICODE "GDWD"
0041B0C2 PUSH lsass.004092DC UNICODE "TXLW"
0041B35A PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041B385 PUSH lsass.004085D0 UNICODE ".em.bin"
0041B42D PUSH lsass.004092EC UNICODE ";smtp.;mail.;ns1."
0041B591 PUSH lsass.00409124 UNICODE "\Ok-SendMail-Bron-tok\"
0041B5C5 PUSH lsass.004091E4 UNICODE ".ini"
0041B7F7 PUSH lsass.00409318 UNICODE "Photo_"
0041B830 PUSH lsass.0040932C UNICODE "@boleh.com"
0041B887 PUSH lsass.00409348 UNICODE "Galeri_"
0041B8C0 PUSH lsass.0040932C UNICODE "@boleh.com"
0041B929 PUSH lsass.00409318 UNICODE "Photo_"
0041B962 PUSH lsass.0040935C UNICODE "@friendster.com"
0041B9B9 PUSH lsass.00409380 UNICODE "PicSender_"
0041B9F2 PUSH lsass.0040935C UNICODE "@friendster.com"
0041BCD0 PUSH lsass.00409124 UNICODE "\Ok-SendMail-Bron-tok\"
0041BD08 PUSH lsass.004091E4 UNICODE ".ini"
0041BD20 PUSH lsass.004090C4 UNICODE "\Kosong.Bron.Tok.txt"
0041C216 PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041C23E MOV EBX,lsass.004085D0 UNICODE ".em.bin"
0041C32C PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041C3AA MOV EBX,lsass.004094A4 UNICODE "0047_01C5AB88.E238EA90"
0041C407 PUSH lsass.0040939C UNICODE "#_MULAI_DARI_SINI"
0041C424 PUSH lsass.004093C4 UNICODE "#_BERAKHIR_DISINI"
0041C447 MOV EDX,lsass.004093EC UNICODE "#_MAIL_4_ID"
0041C454 MOV EDX,lsass.00409408 UNICODE "#STOP_MAIL_4_ID"
0041C45B MOV EDX,lsass.0040942C UNICODE "#_MAIL_4_EN"
0041C468 MOV EDX,lsass.00409448 UNICODE "#STOP_MAIL_4_EN"
0041C4CE PUSH lsass.0040946C UNICODE "Date: "
0041C4F7 PUSH lsass.0040946C UNICODE "Date: "
0041C54A PUSH lsass.00409480 UNICODE "From: "
0041C56A PUSH lsass.00409480 UNICODE "From: "
0041C589 PUSH lsass.00409494 UNICODE "To: "
0041C5A9 PUSH lsass.00409494 UNICODE "To: "
0041C69D PUSH lsass.004094DC UNICODE "0047_01"
0041C6BB PUSH lsass.004094F0 UNICODE "AB88.E238EA"
0041C72A PUSH lsass.00408640 UNICODE "
"
0041C74E PUSH lsass.0040950C UNICODE "#INI_Brontok_A"
0041C806 PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041C82E PUSH lsass.004085D0 UNICODE ".em.bin"
0041CA76 PUSH lsass.00409530 UNICODE "Bron-ID"
0041CAA1 PUSH lsass.00408E50 UNICODE ".css"
0041CAB9 PUSH lsass.00408844 UNICODE "\Bron.tok.A"
0041CAE4 PUSH lsass.004085D0 UNICODE ".em.bin"
0041CE52 PUSH lsass.0040954C UNICODE ".."
0041D1A0 PUSH lsass.0040954C UNICODE ".."
0041D23C PUSH lsass.00409558 UNICODE ":\SYSTEM VOLUME"
0041D255 PUSH lsass.0040957C UNICODE ":\RECYCLE"
0041D2B5 PUSH lsass.00409594 UNICODE ".INI"
0041D747 MOV EDX,lsass.00408A48 UNICODE "*.*"
0041D76A PUSH lsass.00408058 UNICODE ":\"
0041DA71 PUSH lsass.004095C8 UNICODE "MY EBOOKS"
0041DA86 PUSH lsass.004095A4 UNICODE "MY DATA SOURCES"
0041DAA1 PUSH lsass.004095E0 UNICODE "MY MUSIC"
0041DABC PUSH lsass.004095F8 UNICODE "MY PICTURES"
0041DAD7 PUSH lsass.00409614 UNICODE "MY SHAPES"
0041DAF2 PUSH lsass.0040962C UNICODE "MY VIDEOS"
0041DB0D PUSH lsass.00409644 UNICODE "MY DOCUMENTS"
0041DB4A PUSH lsass.00409664 UNICODE "_FILES"
0041DBA0 PUSH lsass.00409678 UNICODE "`.exe"
0041DBB7 PUSH lsass.00408FD0 UNICODE ".exe"
0041DD13 PUSH lsass.004065C0 UNICODE "HTML"
0041DD28 PUSH lsass.00406944 UNICODE ".HTM"
0041DD43 PUSH lsass.00409688 UNICODE ".TXT"
0041DD5E PUSH lsass.00409698 UNICODE ".EML"
0041DD79 PUSH lsass.004096A8 UNICODE ".WAB"
0041DD94 PUSH lsass.004096B8 UNICODE ".ASP"
0041DDAF PUSH lsass.004096C8 UNICODE ".PHP"
0041DDCA PUSH lsass.004096D8 UNICODE ".CFM"
0041DDE5 PUSH lsass.004096E8 UNICODE ".CSV"
0041DE3B PUSH lsass.004096F8 UNICODE ".DOC"
0041DE60 PUSH lsass.00409708 UNICODE "NDQJHQ"
0041DF07 PUSH lsass.0040971C UNICODE "exe"
0041DFAD PUSH lsass.00409738 UNICODE ".PDF"
0041DFC2 PUSH lsass.00409728 UNICODE ".XLS"
0041DFDD PUSH lsass.00409748 UNICODE ".PPT"
0041E037 PUSH lsass.0040971C UNICODE "exe"
0041E0D2 PUSH lsass.00409758 UNICODE ".HTT"
0041E0E5 PUSH lsass.00409768 UNICODE "RORO"
0041E0FA PUSH lsass.00409778 UNICODE "FOLDER.HTT"
0041E140 PUSH lsass.00409794 UNICODE ".EXE"
0041E177 PUSH lsass.00409814 UNICODE ".DOC.EXE;.DOC ;.XLS.EXE;.XLS ;PATAH;HATI;CINTA;UNTUKMU;DATA-TEMEN;RIYANI;JANGKARU;KANGEN;JROX"
0041E533 MOV DWORD PTR SS:[EBP-7C],lsass.00408640 UNICODE "
"
0041E560 PUSH lsass.004098D4 UNICODE "\rundll32.exe"
0041E575 PUSH lsass.00408640 UNICODE "
"
0041E5A0 PUSH lsass.004098F4 UNICODE "\fonts\tskmgr.exe"
0041E76A MOV DWORD PTR SS:[EBP-7C],lsass.00408640 UNICODE "
"
0041E791 PUSH lsass.0040991C UNICODE "C:\!Submit\winword.exe"
0041E796 PUSH lsass.00408640 UNICODE "
"
0041E7AB PUSH lsass.00409950 UNICODE "C:\!Submit\xpshare.exe"
0041E7C0 PUSH lsass.00408640 UNICODE "
"
0041E7D5 PUSH lsass.00409984 UNICODE "C:\Windows\Systray.exe"
0041E7EA PUSH lsass.00408640 UNICODE "
"
0041E815 PUSH lsass.004099B8 UNICODE "\Systray.exe"
0041E9F7 PUSH lsass.004097A4 UNICODE "OrdgVhuylfh>FFDSSV>RVD>V|pUxq>orfdo#vhuylfh>Vhfxulw|"
0041EF4F MOV DWORD PTR SS:[EBP-DC],lsass.00409A8C UNICODE ";;;"
0041EF7F PUSH lsass.004099D8 UNICODE "?KWPOA?KHDGA?WLWOHAEURQWRN1D^49`##^#E|=#KYP64#00#MrzrErw#&YP#Frppxqlw|#`?2WLWOHA?2KHDGA"
0041EF84 PUSH lsass.00409A8C UNICODE ";;;"
0041EF99 PUSH lsass.00409A98 UNICODE "?ERG\#ejfroru@%&:<F43:%A?FHQWHUA"
0041EFAE PUSH lsass.00409A8C UNICODE ";;;"
0041EFC3 PUSH lsass.00409AE0 UNICODE "?K4A?Irqw#idfh@%Yhugdqd%#froru@%&II3333%A?XAEURQWRN1D^49`?2XA?2IrqwA?2K5A"
0041EFD8 PUSH lsass.00409A8C UNICODE ";;;"
0041EFED PUSH lsass.00409BA0 UNICODE "?K6A?Irqw#idfh@%Yhugdqd%#froru@%&IIIIII%A"
0041F002 PUSH lsass.00409A8C UNICODE ";;;"
0041F017 PUSH lsass.00409BF8 UNICODE "00#Khqwlndqodk#nhereurndq#gl#qhjhul#lql#00?euA?euA"
0041F02C PUSH lsass.00409A8C UNICODE ";;;"
0041F041 PUSH lsass.00409C64 UNICODE "41#Shqmdudndq#Nruxswru/#Shq|hoxqgxs/#Wxndqj#Vxds/#)#Edqgdu#QDUNRED?euA"
0041F056 PUSH lsass.00409A8C UNICODE ";;;"
0041F06B PUSH lsass.00409CF8 UNICODE "+#Vhqg#wr#%QXVDNDPEDQJDQ%,?euA?euA"
0041F080 PUSH lsass.00409A8C UNICODE ";;;"
0041F095 PUSH lsass.00409D7C UNICODE "51#Vwrs#Iuhh#Vh{/#Deruvl/#)#Survwlwxvl?euA+#Jr#Wr#KHOO#,?euA?euA"
0041F0AA PUSH lsass.00409A8C UNICODE ";;;"
0041F0BF PUSH lsass.00409E04 UNICODE "61#Vwrs#shqfhpdudq#olqjnxqjdq/#shpedndudq#kxwdq#)#shuexuxdq#oldu1#?euA?euA"
0041F0D4 PUSH lsass.00409A8C UNICODE ";;;"
0041F0E9 PUSH lsass.00409EA0 UNICODE "71#Vwrs#Sruqrjudil#)#Sruqrdnvl?euA?euA"
0041F0FE PUSH lsass.00409A8C UNICODE ";;;"
0041F113 PUSH lsass.00409EF4 UNICODE "81#VD\#QR#WR#GUXJV#$$$?euA?euA?euA"
0041F128 PUSH lsass.00409A8C UNICODE ";;;"
0041F13D PUSH lsass.00409F50 UNICODE "?irqw#froru@%&4455II%#vl}h@8A00#NLDPDW#VXGDK#GHNDW#00?2irqwA?euA?euA"
0041F155 PUSH lsass.00409A8C UNICODE ";;;"
0041F16D PUSH lsass.00409FE0 UNICODE "Whulqvsludvl#rohk=#?euAHodqj#Eurqwrn#+Vsl}dhwxv#Fluukdwxv,#|dqj#kdpslu#sxqdk?euA"
0041F185 PUSH lsass.00409A8C UNICODE ";;;"
0041F19D PUSH lsass.0040A130 UNICODE "?K5A?Irqw#idfh@%Yhugdqd%#froru@%&H5HD38%A^#E|=#KYP64#`?euA00#MrzrErw#&YP#Frppxqlw|#00?2IrqwA?2K5A"
0041F1B5 PUSH lsass.00409A8C UNICODE ";;;"
0041F1CD PUSH lsass.0040A1F8 UNICODE "?2irqwA?2k6A?k7A$$$#Dndq#Nxexdw#Phuhnd#+YP#orndo#|j#fhqjhqj#)#ergrk,#Whundsdu#$$$?2k7A?2FHQWHUA?2ERG"
0041F1E5 PUSH lsass.00409A8C UNICODE ";;;"
0041F1FD PUSH lsass.0040A088 UNICODE "?Vfulsw#Odqjxdjh@Mdydvfulsw#LG@%Eurqwrn1D%A"
0041F215 PUSH lsass.00409A8C UNICODE ";;;"
0041F22D PUSH lsass.0040A0E4 UNICODE "dohuw#+%Dqgd#VhwxmxB%,>"
0041F245 PUSH lsass.00409A8C UNICODE ";;;"
0041F25D PUSH lsass.0040A118 UNICODE "?2VfulswA"
0041F468 PUSH lsass.00408640 UNICODE "
"
0041F533 PUSH lsass.00409084 UNICODE "\about.Brontok.A.html"
0041F72A PUSH lsass.0040A2D8 UNICODE "\drivers\etc\hosts"
0041F748 PUSH lsass.0040A304 UNICODE "-Denied By-"
0041F773 PUSH lsass.00409F40 UNICODE ".com"
0041F843 PUSH lsass.00409D44 UNICODE "\ListHost"
0041F86E PUSH lsass.00409D5C UNICODE ".txt"
0041FA87 PUSH lsass.00409D6C UNICODE "Host"
0041FAB2 PUSH lsass.00408E50 UNICODE ".css"
0041FBE2 PUSH lsass.00409B78 UNICODE "wdvnnloo#2i#2lp#"
0041FC4A PUSH lsass.0040A320 UNICODE "pfyvhvfq1h{h>srsur{|1h{h>dyjhpf1h{h>ffdssv1h{h>wvnpju1h{h>v|voryh1h{h>{svkduh1h{h>ul|dqlbmdqjndux1h{"
0041FD6D PUSH lsass.0040A494 UNICODE " /t"
0041FEF5 PUSH lsass.0040A4A0 UNICODE "slqj#ndvnxv1frp#0q#583#0o#:7:"
0041FEFC PUSH lsass.0040A4E0 UNICODE "slqj#4:wdkxq1frp#0q#583#0o#:7:"
00420026 MOV EDX,lsass.0040A524 UNICODE "NDOL"
0042006A MOV EDX,lsass.0040A534 UNICODE "SIJI"
004200AE MOV EDX,lsass.0040A544 UNICODE "LORO"
004200F2 MOV EDX,lsass.0040A554 UNICODE "TELU"
00420136 MOV EDX,lsass.0040A564 UNICODE "PAPAT"
0042017A MOV EDX,lsass.0040A574 UNICODE "LIMA"
004201BE MOV EDX,lsass.0040A584 UNICODE "ENEM"
00420202 MOV EDX,lsass.0040A594 UNICODE "PITU"
00420246 MOV EDX,lsass.0040A5A4 UNICODE "WOLU"
0042028A MOV EDX,lsass.0040A5B4 UNICODE "SANGA"
0042203E UNICODE "\AF:\VPR"
0042204E UNICODE "OJECT\ST"
0042205E UNICODE "ABLE\16\"
0042206E UNICODE "BRONTOK."
0042207E UNICODE "A\Bronto"
0042208E UNICODE "k.A.vbp",0
0042224E ASCII "Cs",0
0042229E ASCII "Cs",0
004222AA ASCII "Cs",0
004225AA ASCII "Rs$ Rs, R"
004225B6 ASCII "Rs< RsD R"
004225C2 ASCII "RsT Rs\ R"
004225CE ASCII "Rsl Rst R"
0042262A ASCII "Rs$
Rs,
Rs"
00422642 ASCII "RsT
Rs\
Rs"
00426986 ASCII "fptan",0
0042698D ASCII "__vbaStrI4",0
00426999 ASCII "__vbaVarMove",0
004269A7 ASCII "__vbaFreeVar",0
004269B5 ASCII "__vbaLenBstr",0
004269C3 ASCII "__vbaStrVarMove",0
004269D4 ASCII "__vbaLineInputSt"
004269E4 ASCII "r",0
00426A36 ASCII "fprem1",0
00426C9B ASCII "fpatan",0
00426CB5 ASCII "ct",0
00426D6D ASCII "fprem",0
00426DEB ASCII "_CIlog",0
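Many of the UNICODE strings in the listing above look like plain text with every character code raised by 3: '#' sits where a space would be and "?euA" where "<br>" would be. The sketch below is an added example, not code from the original post. The shift of 3 is an assumption read off the listing, and the names SHIFT, LINE, SAMPLE, decode and decode_listing are made up for illustration. It parses OllyDbg string-reference lines and undoes the shift.

```python
import re

# Assumption read off the listing, not stated by the author:
# '#' decodes to ' ' and "?euA" to "<br>", i.e. each code point is +3.
SHIFT = 3

# One OllyDbg string reference: address, instruction text, UNICODE "..."
LINE = re.compile(r'^([0-9A-F]{8})[ \t]+.*?UNICODE "(.*)"[ \t]*$', re.M)

# Four lines copied from the listing above.
SAMPLE = r'''
0041F1FD PUSH lsass.0040A088 UNICODE "?Vfulsw#Odqjxdjh@Mdydvfulsw#LG@%Eurqwrn1D%A"
0041F22D PUSH lsass.0040A0E4 UNICODE "dohuw#+%Dqgd#VhwxmxB%,>"
0041FBE2 PUSH lsass.00409B78 UNICODE "wdvnnloo#2i#2lp#"
0041FD6D PUSH lsass.0040A494 UNICODE " /t"
'''


def decode(raw, shift=SHIFT):
    """Undo the shift. Return None when raw cannot be shifted text.

    Printable ASCII starts at 0x20, so shifted text never contains a
    character below 0x20 + shift. A raw string that does (a real space,
    for example) was stored in the clear and is left alone.
    """
    if any(ord(c) - shift < 0x20 for c in raw):
        return None
    return "".join(chr(ord(c) - shift) for c in raw)


def decode_listing(text):
    """Return (address, raw, decoded-or-None) for every string reference."""
    return [(addr, raw, decode(raw)) for addr, raw in LINE.findall(text)]


if __name__ == "__main__":
    for addr, raw, plain in decode_listing(SAMPLE):
        shown = repr(plain) if plain is not None else "(stored in the clear)"
        print(addr, repr(raw), "->", shown)
```

A string with no character below '#' is only a candidate: clear-text entries such as the file names in the listing also pass that test, so read the raw and decoded columns side by side.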