Shiz_080493ff49

by malwarelabrobot on April 29th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Generic.KDV.384775 (B) (Emsisoft), Trojan.Generic.KDV.384775 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 080493ff49c97d99d2ed9426f88c02d3
SHA1: 85406533b789bae4bb637bbf7c86581f2d1dfad4
SHA256: 6e10fb695c8d74db2df70c575a4fe2ecfdb024becf31abad5955ef05f464ced8
SSDeep: 3072:UiG47vmfhnT1unjf9tLEciSWEqF1R/plSaRCKj8Hn7z89NbgjZrTtM8M8Z1yuxZq:Ui0J4H rRZRxjc74DbgjNTiwr
Size: 261960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1997-02-06 05:05:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wuauclt.exe:304
%original file name%.exe:496

The Trojan injects its code into the following process(es):

winlogon.exe:708
Explorer.EXE:880
svchost.exe:956
svchost.exe:1020
svchost.exe:1104
svchost.exe:1156
svchost.exe:1200

File activity

The process wuauclt.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\ukxxgw.exe (1803 bytes)
%System%\config\software (1896 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 97 4E EF 34 66 E0 C2 5F 5D AF CC 8F 8E CA 1C"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ukxxgw.exe_, \??\%WinDir%\apppatch\ukxxgw.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöWòk ´µoD¬<»¹œ³ŒQ\´òd¼Œ¤Kô1,Å $ë›ÛÌ«”¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„ԝ\±ª²DÆ’uÅ“¡Ü¼); ¼\Æ’tµ2”kDù”a”*›cü$}Sô|ë$¤ô {¬q³#sÃ…Ã¥\yuJÛËu©|ù ¢rKã!$’‹‹b±ÃÄ £ãÍ‚ “ÉUcdÁÄZ¡r»ô”)Û©Š ]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*â„¢ü›ÙóÍÁ=éÔÑщ¬ q9|áíù’‘íÁ©šÄRa8a67a25"

Dropped PE files

MD5 File path
c99625cb1a89836da66571b7ff2cd3cb c:\WINDOWS\AppPatch\ukxxgw.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ntdll.dll:

RtlGetNativeSystemInformation

Propagation

VersionInfo

Company Name: Alexander Roshal
Product Name: Anencephalia
Product Version: 0.7.7.0
Legal Copyright: Hyalonema
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.3.3.0
File Description: Strette
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.hdxskk 4096 7736 8192 4.38011 d791e499c0865ce2b84f80acb7a74b27
.X 12288 93574 93696 5.53997 57b9c70c42b44e73cd6de6278467159a
.FxVsb 106496 280495 3072 4.61999 2fd7b0a976eb9853be36aecaa60aba00
.iijo 389120 232050 5120 4.685 4b52df576360d9fcf3badb951b94d8fd
.peG 622592 44609 2560 4.26391 106979b6a433443a3deb4d754bb2a4a7
.szchAv 667648 12288 12288 4.92493 1d481610b0e5624c222e16330a9b3c1d
.bJPj 679936 60500 2560 4.37961 212c6d0384a8ad3f5e3eb5ef85e409f6
.GxsH 741376 40016 3072 3.4149 7678dca9593c5b6053e9383afa758373
.ZBQaI 782336 63049 2560 4.63015 7868e0b73dcb83506cf899a4f03b18ff
.FJZm 847872 92156 92160 5.54208 d5f8b503afbbb6e6fdaff4d0279dc428
.wRMZfy 942080 241026 15872 4.96893 96d00f6f27f574dd8a79a1b89d532b08
.jNEs 1183744 211491 3584 4.65848 f0fb063618cfea29bb41a693d70442d1
.I 1396736 365637 2560 4.669 44f1544f78b08d251c9a97c1c912ea97
.rsrc 1765376 6476 6656 3.23514 026f6a00d4ac5b73963cee20425d9768
.reloc 1773568 1536 1536 3.82878 c0816a1488ac5d99f955f4ada368b0ef

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET TROJAN Known Sinkhole Response Header

Traffic

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatyfus.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Fri, 25 Apr 2014 19:40:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close
'OK'..


POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadyfuh.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1403
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=92
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.gadyfuh.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vowydef.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Date: Fri, 25 Apr 2014 19:40:32 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofygum.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1399
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=91
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vofygum.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyruk.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1399
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=91
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vocyruk.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vonyzuf.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=94
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vonyzuf.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lymysan.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 25 Apr 2014 19:40:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.15-1~dotdeb.2


POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysynur.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.lysynur.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetyfuv.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1405
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=98
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.qetyfuv.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT

<<< skipped >>>

POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyzit.com
Content-Length: 9
Pragma: no-cache

....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 25 Apr 2014 19:40:31 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close


winlogon.exe_708_rwx_01600000_000B4000:


winlogon.exe_708_rwx_01D70000_000C3000:


Explorer.EXE_880_rwx_01E50000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

Explorer.EXE_880_rwx_01EF0000_0006A000:

.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
ADM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_956_rwx_00ED0000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_956_rwx_00F30000_0006A000:

.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
SYSTEM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%System%\config\systemprofile\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1020_rwx_00AC0000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1020_rwx_00B60000_0006A000:

.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
NETWORKSERVICE!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1104_rwx_02BD0000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1104_rwx_02C30000_0006A000:

.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
SYSTEM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1156_rwx_00860000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1156_rwx_00900000_0006A000:

.text
`.rdata
@.data
.reloc
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll
Gdi32.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
u.bmp
\\.\PhysicalDrive%u
/topic.php
keylog.txt
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
/search.php
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.DBF
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
%s\%s
LibVNCServer 0.9.7
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
MSVCRT.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetProcessHeap
WinExec
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
EnumChildWindows
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegEnumKeyExA
RegNotifyChangeKeyValue
RegDeleteKeyA
ADVAPI32.dll
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
.Prev
.current
NETWORKSERVICE!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
?"?(?-?~?
;-;5;=;^;|;
7"7)7\7~7
6 6$6(6,6064686
mavast.com
ya.ru
serverkey.dat
\windows\

svchost.exe_1200_rwx_00C70000_0005B000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PSShL
SSShp
tUSSSh
SSShp;
SSSh0 
SSShpk
SSShpF
t9SSSh
u1SSShP
name.key
\secrets.key
sign.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
C:\iDEFENSE
\\.\NPF_NdisWanIp
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.4.10
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
explorer.exe
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Kernel32.dll

svchost.exe_1200_rwx_00D10000_0006A000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:304
    %original file name%.exe:496

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %WinDir%\AppPatch\ukxxgw.exe (1803 bytes)
    %System%\config\software (1896 bytes)
    %System%\config\SOFTWARE.LOG (2467 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
