C:\ InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId SOFTWARE\Microsoft\Windows NT\CurrentVersion %s#%s %s#%s \svchost.exe svchost.exe -k netsvc ntdll ZwWriteVirtualMemory ZwQueueApcThread ntdll.dll ZwQueryInformationProcess ntdll.dll \svchost.exe Exploit /c "%s" \cmd.exe runas ModuleInit Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) HTTP/1.1 Content-Type: application/x-www-form-urlencoded ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ %2B %3D /webpro.php POST SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall DisplayName DisplayVersion Windows 8.1 SP Windows Server 2012 R2 SP Windows 8 SP Windows Server 2012 SP Windows 7 SP Windows Server 2008 R2 SP Windows Vista SP Windows Server 2008 SP Windows Server 2003 R2 SP Windows Home Server SP Windows Server 2003 SP Undetected (Windows 5.2) SP Windows XP SP Undetected (Windows %d.%d) SP %d x64 x86 %s Build %d .ilpszBotIDx klpszVersion hmainType.gsubType gBitness kdwTimestamp dData fLength flpData@ hdwStatus kdwTimestamp dData fLength flpData hModule32 hModule64 fszName iszVersion jMainModule hAutoLoad jInjectType lProcessCount mlpProcessList jmoduleSize eImage fLength flpData %0.2X %0.2X \\.%s cmd.exe ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz Software\KasperskyLab Software\AVG wndClass .png wndClass kernel32.dll IsWow64Process Wow64DisableWow64FsRedirection Wow64RevertWow64FsRedirection ntdll.dll LdrGetProcedureAddress NtAllocateVirtualMemory NtWriteVirtualMemory NtReadVirtualMemory NtProtectVirtualMemory