backdoor.ircbot

Update: Thanks to NED we have some more potential variants of this one. The password is "infected" and they could use some more analysis. If I get time I'll try to break the packing on them. (Morphine, etc.)

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 34b72db0fea7ad88546b76596a6fc7f0
SHA1SUM: d7c11f5cb9ddb024c880c6d8c2e7868d8bdedaa5
SHA256SUM: 6e05e6ee8cf2ce407f40e8700ac929ce1d4999317de454d918419105d30e9a9c
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] SVKP - Slovak Protector encrypted !
#################################
AntiVir Found nothing
ArcaVir Found Trojan.Rbot.Hp
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.IRCBot.ER
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot.based
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot.BPU!bdr
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.nd
NOD32 Found a variant of IRC/SdBot
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Win32.HLLW.MyBot.based

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 4c7e71765aca9fb60ee86c267ba50551
SHA1SUM: b126922f0b818396e4a431e680a3d1ffac652151
SHA256SUM: e80603c3f1fa6bb9f9b9adca9101b302bdd080e1eada53760702756d5c88538b
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: Morphine 1.4-2.7->Holy_Father & Ratter/29A
#################################

AntiVir Found Packer/Morphine packer
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Win32.IRC.Bot.based
F-Prot Antivirus Found nothing
Fortinet Found W32/NewThreat!Morphine
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.ng
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Win32.IRC.Bot

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: ec4a4bca110cd80d7b63ac6f43a15271
SHA1SUM: 866adf6c4db44825c1908955b7eef659a19881d6
SHA256SUM: 53324b5e471fc537a996475c29c26549a80d12c4ab7dbf6362d0a06a8ac3b5f9
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: Morphine 1.4-2.7->Holy_Father & Ratter/29A
#################################
AntiVir Found Packer/Morphine packer
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.IRCBot.EL
ClamAV Found nothing
Dr.Web Found Win32.IRC.Bot.based
F-Prot Antivirus Found nothing
Fortinet Found W32/NewThreat!Morphine
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.nc
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Win32.IRC.Bot

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 76159b2e3fb9a9e4821b93e1c234f785
SHA1SUM: 54930087c18847c3c3d6de4a7fc895b2171bcd8b
SHA256SUM: 5baaa93c99667991be7e8cb12fa259c7d31aa935af28b16785654d28df1ba232
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
#################################

AntiVir Found Heuristic/Backdoor.IRCBot (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.RBot.CJE
ClamAV Found nothing
Dr.Web Found DLOADER.IRC.PWS.Trojan (probable variant)
F-Prot Antivirus Found nothing
Fortinet Found W32/IRCBot.B
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.jm
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Backdoor.xBot.1 (paranoid heuristics) (probable variant)

00000088 00400088 0 Rich-
000001A0 004001A0 0 .text
000001C8 004001C8 0 .rdata
000001EF 004001EF 0 @.data
00000218 00400218 0 .rsrc
0000737A 0040857A 0 Sleep
00007382 00408582 0 lstrlenA
0000738E 0040858E 0 lstrcmpiA
0000739A 0040859A 0 CloseHandle
000073A8 004085A8 0 ReadFile
000073B4 004085B4 0 SetFilePointer
000073C6 004085C6 0 GetFileSize
000073D4 004085D4 0 CreateFileA
000073E2 004085E2 0 WriteFile
000073EE 004085EE 0 FindClose
000073FA 004085FA 0 FindNextFileA
0000740A 0040860A 0 FileTimeToSystemTime
00007422 00408622 0 FindFirstFileA
00007434 00408634 0 lstrcatA
00007440 00408640 0 lstrcpyA
0000744C 0040864C 0 GetSystemTime
0000745C 0040865C 0 GetLogicalDrives
00007470 00408670 0 CreateThread
00007480 00408680 0 SetEvent
0000748C 0040868C 0 GetFileAttributesA
000074A2 004086A2 0 WaitForSingleObject
000074B8 004086B8 0 CreateEventA
000074C8 004086C8 0 CreateDirectoryA
000074DC 004086DC 0 RemoveDirectoryA
000074F0 004086F0 0 DeleteFileA
000074FE 004086FE 0 MoveFileA
0000750A 0040870A 0 lstrcpynA
00007516 00408716 0 lstrcmpA
00007522 00408722 0 TerminateThread
00007534 00408734 0 WinExec
0000753E 0040873E 0 GetSystemDirectoryA
00007554 00408754 0 Process32Next
00007564 00408764 0 Process32First
00007576 00408776 0 CreateToolhelp32Snapshot
00007592 00408792 0 TerminateProcess
000075A6 004087A6 0 OpenProcess
000075B4 004087B4 0 SetFileAttributesA
000075CA 004087CA 0 MoveFileExA
000075D8 004087D8 0 CopyFileA
000075E4 004087E4 0 GetDiskFreeSpaceA
000075F8 004087F8 0 GetVolumeInformationA
00007610 00408810 0 GetDriveTypeA
00007620 00408820 0 GetFullPathNameA
00007634 00408834 0 GetVersionExA
00007644 00408844 0 GetTickCount
00007654 00408854 0 GetProcessHeap
00007666 00408866 0 HeapAlloc
00007672 00408872 0 HeapFree
0000767E 0040887E 0 CreateProcessA
00007690 00408890 0 GetModuleFileNameA
000076A6 004088A6 0 GetLastError
000076B6 004088B6 0 CreateMutexA
000076C6 004088C6 0 SetErrorMode
000076D6 004088D6 0 GetCommandLineW
000076E8 004088E8 0 GetProcAddress
000076FA 004088FA 0 LoadLibraryA
0000770A 0040890A 0 DeviceIoControl
0000771C 0040891C 0 LockResource
0000772C 0040892C 0 SizeofResource
0000773E 0040893E 0 LoadResource
0000774E 0040894E 0 FindResourceA
0000775E 0040895E 0 DeleteCriticalSection
00007776 00408976 0 InitializeCriticalSection
00007792 00408992 0 LeaveCriticalSection
000077AA 004089AA 0 EnterCriticalSection
000077C2 004089C2 0 ExitProcess
000077D0 004089D0 0 CreateRemoteThread
000077E6 004089E6 0 WriteProcessMemory
000077FC 004089FC 0 VirtualAllocEx
0000780E 00408A0E 0 GetModuleHandleA
00007820 00408A20 0 KERNEL32.dll
00007830 00408A30 0 IsCharAlphaNumericA
00007846 00408A46 0 wsprintfA
00007850 00408A50 0 USER32.dll
0000785E 00408A5E 0 RegCloseKey
0000786C 00408A6C 0 RegSetValueExA
0000787E 00408A7E 0 RegOpenKeyA
0000788C 00408A8C 0 DeleteService
0000789C 00408A9C 0 ControlService
000078AE 00408AAE 0 OpenServiceA
000078BE 00408ABE 0 OpenSCManagerA
000078D0 00408AD0 0 RegQueryValueExA
000078E4 00408AE4 0 RegOpenKeyExA
000078F4 00408AF4 0 RegCreateKeyA
00007904 00408B04 0 StartServiceA
00007914 00408B14 0 CloseServiceHandle
0000792A 00408B2A 0 CreateServiceA
0000793A 00408B3A 0 ADVAPI32.dll
0000794A 00408B4A 0 StrCmpNIA
00007956 00408B56 0 StrChrA
00007960 00408B60 0 ShellExecuteA
00007970 00408B70 0 StrStrIA
0000797C 00408B7C 0 StrStrA
00007986 00408B86 0 CommandLineToArgvW
0000799C 00408B9C 0 StrCmpNA
000079A6 00408BA6 0 SHELL32.dll
000079B4 00408BB4 0 WSAEnumNetworkEvents
000079CC 00408BCC 0 WSAEventSelect
000079DE 00408BDE 0 WSACreateEvent
000079F0 00408BF0 0 WSAResetEvent
00007A00 00408C00 0 WSASocketA
00007A0C 00408C0C 0 WS2_32.dll
00007A1A 00408C1A 0 StrToIntA
00007A24 00408C24 0 SHLWAPI.dll
00007A32 00408C32 0 InternetCrackUrlA
00007A44 00408C44 0 WININET.dll
00007A52 00408C52 0 memcpy
00007A5C 00408C5C 0 memset
00007A66 00408C66 0 strlen
00007A70 00408C70 0 sprintf
00007A7A 00408C7A 0 _chkstk
00007A84 00408C84 0 sscanf
00007A8E 00408C8E 0 strchr
00007A98 00408C98 0 _allmul
00007AA2 00408CA2 0 strcat
00007AAC 00408CAC 0 strncmp
00007AB6 00408CB6 0 strcpy
00007AC0 00408CC0 0 strncpy
00007ACA 00408CCA 0 _ftol
00007AD2 00408CD2 0 memmove
00007ADC 00408CDC 0 strstr
00007AE6 00408CE6 0 wcscpy
00007AF0 00408CF0 0 wcscat
00007AFA 00408CFA 0 mbstowcs
00007B04 00408D04 0 ntdll.dll
00007C44 00409044 0 PC NETWORK PROGRAM 1.0
00007C5C 0040905C 0 LANMAN1.0
00007C67 00409067 0 Windows for Workgroups 3.1a
00007C84 00409084 0 LM1.2X002
00007C8F 0040908F 0 LANMAN2.1
00007C9A 0040909A 0 NT LM 0.12
00007CE7 004090E7 0 D CKFDENECFDEFFCFGEFFCCACACACACACA
00007D0A 0040910A 0 CACACACACACACACACACACACACACACAAA
00007D91 00409191 0 PPPSPP
00007E71 00409271 0 ;|$$u
00008144 00409544 0 250 File executed successfully.
00008164 00409564 0 150 Data connection accepted.
00008184 00409584 0 350 REST supported. Ready to resume at byte offset %d.
000081BC 004095BC 0 213 %d
000081C4 004095C4 0 227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).
000081F4 004095F4 0 225 ABOR command successful.
00008214 00409614 0 200 NOOP ok.
00008224 00409624 0 550 Can't remove directory.
00008240 00409640 0 250 Directory removed.
00008258 00409658 0 550 Can't create directory.
00008274 00409674 0 257 Directory created.
0000828C 0040968C 0 250 File renamed successfully.
000082AC 004096AC 0 350 File exists, ready for destination name.
000082DC 004096DC 0 450 File can't be deleted.
000082F8 004096F8 0 250 File deleted successfully.
00008318 00409718 0 550 No such file or directory.
00008338 00409738 0 502 Command not implemented
00008354 00409754 0 550 No port specified.
0000836C 0040976C 0 200 Type set to %c.
00008380 00409780 0 451 Requested action aborted: local error in processing.
000083BC 004097BC 0 451 Failed: Cannot build data connection.
000083E8 004097E8 0 215 foolprof FTP server
00008400 00409800 0 226 Transfer ok
00008410 00409810 0 426 Connection closed.
00008428 00409828 0 150 Opening data connection.
00008448 00409848 0 425 Can't open data connection.
00008468 00409868 0 501 Invalid PORT command.
00008484 00409884 0 200 Port command successful.
000084A4 004098A4 0 221 Goodbye.
000084B4 004098B4 0 257 "%s" is current directory.
000084D4 004098D4 0 250 CWD command successful.
000084F0 004098F0 0 331 FtpPassword required.
0000850C 0040990C 0 230 User logged in.
00008520 00409920 0 530 Please login with USER and PASS.
00008548 00409948 0 530 Login incorrect.
00008560 00409960 0 220 FTP Server ready.
00008578 00409978 0 %crw-rw-rw%c 1 nouser nogroup %u %s %u %u:%u %s
000085B4 004099B4 0 Content-Length:
000085D0 004099D0 0 GET %s HTTP/1.1
000085E2 004099E2 0 Host: %s %sConnection: Close
00008608 00409A08 0 PRIVMSG
0000862A 00409A2A 0 NICK
00008636 00409A36 0 USER
0000863C 00409A3C 0 PASS
00008644 00409A44 0 JOIN
0000864C 00409A4C 0 PART
00008658 00409A58 0 PRIVMSG
00008664 00409A64 0 Login faild
00008670 00409A70 0 Your are admin
00008680 00409A80 0 Logout command
00008690 00409A90 0 Start updating
000086A0 00409AA0 0 Old version
000086AC 00409AAC 0 %s %d %d %x
000086B8 00409AB8 0 Download command without filename
000086DC 00409ADC 0 Can not download file
000086F4 00409AF4 0 Can not save file
00008710 00409B10 0 Exit process
00008720 00409B20 0 Userinit
0000872C 00409B2C 0 Userinit.exe
0000873C 00409B3C 0 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
00008774 00409B74 0 Cleaning registry...
0000878C 00409B8C 0 Deleting service...
000087A0 00409BA0 0 %s\drivers\%s.sys
000087B4 00409BB4 0 isa32
000087BC 00409BBC 0 Error set value
000087CC 00409BCC 0 Error query value
000087E0 00409BE0 0 Start Page
000087EC 00409BEC 0 Error open key
000087FC 00409BFC 0 Software\Microsoft\Internet Explorer\Main
00008828 00409C28 0 %d days, %d:%d:%d
00008844 00409C44 0 %d. %s - %d
00008850 00409C50 0 Can not open process
00008868 00409C68 0 Can not terminate process
00008884 00409C84 0 Process was terminate
0000889C 00409C9C 0 Executing...
000088B0 00409CB0 0 NICK rndnick%d
000088C0 00409CC0 0 NICK rndnick
000088D0 00409CD0 0 Can not delete file
000088E4 00409CE4 0 File was deleted
00008904 00409D04 0 End deleting tree...
0000891C 00409D1C 0 Start deleting tree...
00008934 00409D34 0 Can not move
00008944 00409D44 0 Was moved
00008954 00409D54 0 Can not copy
00008964 00409D64 0 Was coped
00008970 00409D70 0 Can not set file attrs
00008988 00409D88 0 File attrs was set
000089BC 00409DBC 0 File attributes -
000089D0 00409DD0 0 Can not open file
000089E4 00409DE4 0 Starting proxy...
000089F8 00409DF8 0 Stoping proxy...
00008A0C 00409E0C 0 Starting WebDDos...
00008A20 00409E20 0 Stoping WebDDos...
00008A34 00409E34 0 Raw command...
00008A44 00409E44 0 , Free bytes:
00008A54 00409E54 0 , Total bytes:
00008A64 00409E64 0 - Unknown,
00008A74 00409E74 0 - Mounted,
00008A84 00409E84 0 - Removable,
00008A94 00409E94 0 - Fixed,
00008AA0 00409EA0 0 - Remote,
00008AAC 00409EAC 0 - CD-ROM,
00008AB8 00409EB8 0 - RAM-Disk,
00008AC8 00409EC8 0 %I64d
00008AD0 00409ED0 0 Starting shell...
00008AE4 00409EE4 0 Stoping shell...
00008AF8 00409EF8 0 Parameters error
00008B0C 00409F0C 0 Starting back connect shell...
00008B2C 00409F2C 0 Starting SynDDos...
00008B40 00409F40 0 Stoping SynDDos...
00008B58 00409F58 0 Search complete
00008B68 00409F68 0 Start searching...
00008B7C 00409F7C 0 Search already running
00008B94 00409F94 0 Scan starting...
00008BA8 00409FA8 0 Scan stoping...
00008BB8 00409FB8 0 127.0.0.1
00008D64 0040A164 0 TERMINAL
00008D70 0040A170 0 CURRENTIP
00008D7C 0040A17C 0 STOPSCAN
00008D88 0040A188 0 STARTSCAN
00008D94 0040A194 0 PSTORAGE
00008DA0 0040A1A0 0 SEARCHALL
00008DAC 0040A1AC 0 SEARCH
00008DB4 0040A1B4 0 GETIP
00008DBC 0040A1BC 0 STOPSYNDDOS
00008DC8 0040A1C8 0 STARTSYNDDOS
00008DD8 0040A1D8 0 BACKSHELL
00008DE4 0040A1E4 0 STOPSHELL
00008DF0 0040A1F0 0 STARTSHELL
00008E00 0040A200 0 DRIVESINFO
00008E10 0040A210 0 STOPWEBDDOS
00008E1C 0040A21C 0 STARTWEBDDOS
00008E2C 0040A22C 0 STOPPROXY
00008E38 0040A238 0 STARTPROXY
00008E44 0040A244 0 FILECAT
00008E4C 0040A24C 0 FILEATTR
00008E58 0040A258 0 FILECOPY
00008E64 0040A264 0 FILEMOVE
00008E70 0040A270 0 REMOVEDIR
00008E7C 0040A27C 0 FILEDEL
00008E84 0040A284 0 RANDNICK
00008E94 0040A294 0 TASKKILL
00008EA0 0040A2A0 0 TASKKILLP
00008EAC 0040A2AC 0 TASKLIST
00008EB8 0040A2B8 0 BOTVERSION
00008EC4 0040A2C4 0 UPTIME
00008ECC 0040A2CC 0 IESTART
00008EE4 0040A2E4 0 LOGOUT
00008EEC 0040A2EC 0 LOGIN
00008EF8 0040A2F8 0 DOWNLOAD
00008F04 0040A304 0 UPDATE
00008F14 0040A314 0 #queryer
00008F20 0040A320 0 ##blad2
00008F2C 0040A32C 0 microsoft.com
00008F3C 0040A33C 0 pizdec
00008F44 0040A344 0 x.proxylist.ru
00008F54 0040A354 0 new.proxylist.ru
00008F68 0040A368 0 a.proxylist.ru
00008F7C 0040A37C 0 http://ftp.icq.com/pub/ICQ_Win95_98_NT4/ICQ_5/icq5_setup.exe
00008FCC 0040A3CC 0 Bot installed on %s
00008FE0 0040A3E0 0 SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI32\ldr
00009020 0040A420 0 [%d]%s
00009028 0040A428 0 [N]%s
00009030 0040A430 0 userinit.exe
00009040 0040A440 0 MutexMutexMutex9864258
00009060 0040A460 0 4FFFF
00009068 0040A468 0 FFFFFFFFFFFFFF
00009078 0040A478 0 FFFFF$FD
00009092 0040A492 0 fwhvFD
0000909E 0040A49E 0 whvFD
000090A4 0040A4A4 0 /(")15f )4f
000090B0 0040A4B0 0 )4-!4)365fuhw'FD
000090C6 0040A4C6 0 vvtFD
000090D1 0040A4D1 0 thwFD
000090DB 0040A4DB 0 fvhwtF
00009123 0040A523 0 NTLMSSP
000091CF 0040A5CF 0 NTLMSSP
000092A6 0040A6A6 0 ?????
00009504 0040A904 0 \\%s\IPC$
00009510 0040A910 0 Host:
00009518 0040A918 0 HTTP/1.1 200 Connection established
00009544 0040A944 0 CONNECT
00009550 0040A950 0 AutoComplete Passwords - %s, %s, %s
00009578 0040A978 0 https:/
00009580 0040A980 0 http:/
00009588 0040A988 0 :String
00009590 0040A990 0 StringIndex
0000959C 0040A99C 0 e161255a
000095A8 0040A9A8 0 MSN Explorer Signup - %s, %s
000095CC 0040A9CC 0 b9819c52
000095D8 0040A9D8 0 IE:Password-Protected sites - %s, %s, %s
00009608 0040AA08 0 5e7e8100
00009614 0040AA14 0 Deleted OE Account - %s, %s, %s
00009638 0040AA38 0 220d5cc1
00009648 0040AA48 0 PStoreCreateInstance
00009660 0040AA60 0 pstorec.dll
0000966C 0040AA6C 0 \\.\foolproof
00009684 0040AA84 0 " - -
000096E0 0040AAE0 0 asn445
00009706 0040AB06 0 asn139
00009752 0040AB52 0 scanall
00009778 0040AB78 0 ftp://%s:%s@%s:%u/%s
00009790 0040AB90 0 %s %c %d %s
0000979C 0040AB9C 0 cmd.exe
000097A8 0040ABA8 0 Enter password:
0000984D 0040AC4D 0 QQWVQ
000098C6 0040ACC6 0 r-_GW
000098FA 0040ACFA 0 urlmon.dll
00009905 0040AD05 0 URLDownloadToFileA
00009918 0040AD18 0 MutexMutexMutex9864258
0000992F 0040AD2F 0 LoadLibraryA
0000993C 0040AD3C 0 GetProcAddress
0000994B 0040AD4B 0 WinExec
00009953 0040AD53 0 CreateMutexA
00009960 0040AD60 0 GetSystemDirectoryA
00009974 0040AD74 0 ExitThread
0000997F 0040AD7F 0 CloseHandle
000099AC 0040ADAC 0 svchost.exe
000099B8 0040ADB8 0 CloseHandle
000099C4 0040ADC4 0 WriteFile
000099D0 0040ADD0 0 WinExec
000099D8 0040ADD8 0 Sleep
000099E0 0040ADE0 0 ExitProcess
000099EC 0040ADEC 0 DeleteFileA
000099F8 0040ADF8 0 CreateFileA
00009A04 0040AE04 0 kernel32.dll
00009CAD 0040C0AD 0 !This program cannot be run in DOS mode.
00009DD8 0040C1D8 0 .text
00009E27 0040C227 0 H.reloc
0000C834 0040EC34 0 ntoskrnl.exe
0000C843 0040EC43 0 IoAllocateWorkItem
0000C858 0040EC58 0 IoFreeWorkItem
0000C869 0040EC69 0 _stricmp
0000C874 0040EC74 0 ZwClose
0000C87E 0040EC7E 0 memset
0000C887 0040EC87 0 MmMapLockedPages
0000C89A 0040EC9A 0 ExAllocatePool
0000C8AB 0040ECAB 0 memcpy
0000C8B4 0040ECB4 0 ObfReferenceObject
0000C8C9 0040ECC9 0 ExQueueWorkItem
0000C8DB 0040ECDB 0 KeInsertQueueDpc
0000C8EE 0040ECEE 0 ExFreePool
0000C8FB 0040ECFB 0 KeInsertQueueApc
0000C90E 0040ED0E 0 ExAllocatePoolWithTag
0000C926 0040ED26 0 ExRaiseException
0000C939 0040ED39 0 IoAllocateIrp
0000C949 0040ED49 0 IofCallDriver
0000C959 0040ED59 0 ZwQuerySystemInformation
0000C9AD 0040EDAD 0 6=7c7
00009144 0040A544 0 Windows 2000 2195
00009168 0040A568 0 Windows 2000 5.0
00009227 0040A627 0 Windows 2000 2195
0000924A 0040A64A 0 Windows 2000 5.0
00009308 0040A708 0 \browser
00009364 0040A764 0 \PIPE\
00009408 0040A808 0 \PIPE\
0000943C 0040A83C 0 ROOT\SYSTEM\0000
00009690 0040AA90 0 isa32;
000096A0 0040AAA0 0 mstgr32;
000096B4 0040AAB4 0 isa32.sys;_HDFILE_;