Backdoor.Win32.Caphaw_QKKBAL_931eaa36fb

by malwarelabrobot on March 9th, 2016 in Malware Descriptions.

Win32.Ramnit.Y (B) (Emsisoft), Backdoor.Win32.Farfli.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Backdoor


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 931eaa36fbed3ceaf2653449f22950c7
SHA1: a55887b91fbd77e0741b35d362eb7834a85566c8
SHA256: ad7594bb2b1f4145f970a1a74f39ada0cc405c58b94f6902bef7a9cbe209018e
SSDeep: 98304:MQ41CpdhMMhcIKC6dazTes4M6i8y4DvXo89B:rhZhA5dyD6i8y4zo4B
Size: 5414912 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-08-25 23:17:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32.exe:1208
Tq8SbV3:348
csslisog.exe:320

The Backdoor injects its code into the following process(es):

svchost.exe:624
svchost.exe:1476
wmiprvse.exe:432
services.exe:756
lsass.exe:768
Explorer.EXE:888
svchost.exe:936
svchost.exe:1020
svchost.exe:1104
svchost.exe:1164
svchost.exe:1244
spoolsv.exe:1436
jqs.exe:1592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1208 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

The process Tq8SbV3:348 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (2105 bytes)

The process csslisog.exe:320 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (2105 bytes)

Registry activity

The process regsvr32.exe:1208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 4C 84 3E C6 BE 59 D2 53 94 11 8A 3E FB 18 E9"

The process Tq8SbV3:348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB E7 69 79 87 26 88 87 92 88 33 2F 70 F4 07 09"

The process csslisog.exe:320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 2D C7 E4 4C 34 38 EE 9B 54 04 0C 1B 4F 73 FE"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"jfghdug_ooetvtgk" = "TRUE"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

"FirewallOverride" = "1"
"UacDisableNotify" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

To run itself automatically each time Windows is booted, the Backdoor adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"

Dropped PE files

MD5                               File path
89ebda8285ef0aab513a132fac1a4150  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\csslisog.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Sage
Product Name: Sage Simply Accounting 2011
Product Version: 2011
Legal Copyright: (c) 2010 Sage Software Canada, Ltd. All Rights Reserved.
Legal Trademarks: Sage Simply Accounting is a registered trademark of Sage Software, Inc. or its affiliated entities.
Original Filename:
Internal Name:
File Version: Release A
File Description: Sage Simply Accounting 2011
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             2076          4096      2.64169   13fa825dd5cf6107307abdc9cf8213c4
.rdata  8192             1243          4096      1.2489    12ec5a03f207e4bb622997cdb4475fd3
.data   12288            868           4096      0.032328  2b9276a3fa8071f832a3ba7472fc068a
.rsrc   16384            5391708       5394432   5.38171   317ab2a95f9d16f40aa96027a8a4e3fe
.reloc  5410816          1836          4096      0.490898  28a017b73bcb63b5b93641aad35d8d34

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the following location(s):

Software\South River Technologies\WebDrive\Connections
<schema> <document name="FTP"> <collection name="Site"> <attribute name="Type"/> <attribute name="Name"/> <attribute name="UID"/> <text name="Address"/> <text name="User"/> <text name="Pass"/> <text name="Drive"/> <text name="Port"/> <text name="ConnectAtRun"/> <text name="Anonymous"/> <text name="Passive"/> <text name="ConnectAtBoot"/> <text name="Encoding"/> <text name="SSL"/> <text name="WriteFtpLogs"/> <text name="FtpLogsPath"/> <text name="SessionsLimit"/> <text name="SessionsLimitNumber"/> <text name="FTPListA"/> <text name="ProxyType"/> <text name="ProxyAddress"/> <text name="ProxyPort"/> <text name="ProxyUser"/> <text name="ProxyPass"/> </collection> </document></schema>
klfhuw%$#%fgjlvf
</FTP>
<FTP>
\NetDrive\NDSites.ini
zcÁ
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
RegEnumKeyExA
RegOpenKeyA
RegCloseKey
.flat
.text
`.rdata
@.data
.idata
.asmdata
@.reloc
TPFk/dPipeG
;-keXE
 .ho"

svchost.exe_1476_rwx_20121000_0005D000:

t#WSSh
BrowserRealKeyStream
BrowserRealKeyPress
BrowserKeyPress
GetDocumentUrl
LoadUrl
ikey
!<>=*/&| -
0123456789
--%s--
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Transfer-Encoding: %s
Content-Type: multipart/form-data, boundary=%s
Content-Type: application/x-www-form-urlencoded
Range: bytes=%d-
Range: bytes=%d-%d
https
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
%s%s%s
00000409
%CommonProgramFiles%
GetExeDirectory
GetExeFullPath
GetExeName
SetDownloadUrl
UrlEncode
DeleteUrlCache
SetUrlCookie
GetUrlCookie
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
operator
kernel32.dll
GetProcessWindowStation
USER32.DLL
.?AVCMyWebBrowser@@
.?AVCSdkWebBrowser@@
IEScope%d
iexplore%d
zcÁ
%System%\svchost.exe
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
GetConsoleOutputCP
PeekNamedPipe
ShellExecuteA
UrlMkSetSessionOption
UrlMkGetSessionOption
SetWindowsHookExA
UnhookWindowsHookEx
LoadKeyboardLayoutA
VkKeyScanExA
keybd_event
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpSendRequestA
HttpEndRequestA
GetUrlCacheEntryInfoA
InternetCrackUrlA
FindCloseUrlCache
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExA
xquuuuuRLMLMLMLMLMLM
.text
`.rdata
@.data
.rsrc
@.reloc

svchost.exe_1476_rwx_20181000_00036000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
%Documents and Settings%\%current user%\Local Settings\Application Data\iwmikkry.log
%Documents and Settings%\%current user%\Local Settings\Application Data\ahigjltn.log
%Documents and Settings%\%current user%\Local Settings\Application Data\taywrdpm.log
%Documents and Settings%\%current user%\Local Settings\Application Data\vssqectp.log
%Documents and Settings%\%current user%\Local Settings\Application Data\klsckhjr.log
{49A21781-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
{49A21783-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1476_rwx_20201000_0003F000:

\$0#\$83
\$4#\$,3
PSSh0G#
@M%X"
G%F;0r
Single block msg
AES-CTR-128 (%s):
AES-CFB128-= (%s):
AES-CBC-= (%s):
passed
AES-ECB-= (%s):
ARC4 test #%d:
?456789:;<=
!"#$%&'()* ,-./0123
Unexpected error, return code = X
failed at %d
CAMELLIA-CTR-128 (%s):
CAMELLIA-CBC-= (%s):
CAMELLIA-ECB-= (%s):
-----BEGIN CERTIFICATE-----
gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r 94ZBTCpgAMbF588f0NTR
-----END RSA PRIVATE KEY-----
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
pgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc/kFeF6babFtpzAK6
%s(d): %s
%s(d): %s() returned %d (0x%x)
%s(d): x:
%s(d): dumping '%s' (%d bytes)
%s(d):
%s(d): value of '%s' (%lu bits) is:
crt->rsa.E
crt->rsa.N
%s(d): %s #%d:
DES%c-CBC-= (%s):
DES%c-ECB-= (%s):
HMAC-MD5 test #%d:
MD5 test #%d:
RSA key validation:
HMAC-SHA-1 test #%d:
SHA-1 test #%d:
HMAC-SHA-%d test #%d:
SHA-%d test #%d:
p.il :
client hello, server name extension: %s
client hello, compress alg.: %d
client hello, compress len.: %d
client hello, add ciphersuite: -
client hello, got %d ciphersuites
client hello, session id len.: %d
client hello, max version: [%d:%d]
server hello, compress alg.: %d
server hello, chosen ciphersuite: %d
%s session has been resumed
ssl_derive_keys
server hello, session id len.: %d
server hello, chosen version: [%d:%d]
<= parse server key exchange
bad server key exchange message
<= skip parse server key exchange
=> parse server key exchange
<= parse certificate request
got %s certificate request
bad certificate request message
=> parse certificate request
<= write client key exchange
=> write client key exchange
<= skip write certificate verify
<= write certificate verify
got no private key
=> write certificate verify
invalid state %d
client state: %d
client hello v3, max. version: [%d:%d]
client hello v3, handshake len.: %d
client hello v3, handshake type: %d
client hello v3, protocol ver: [%d:%d]
client hello v3, message len.: %d
client hello v3, message type: %d
ciph_len: %d, sess_len: %d, chal_len: %d
client hello v2, max. version: [%d:%d]
client hello v2, message len.: %d
client hello v2, message type: %d
<= write certificate request
<= skip write certificate request
=> write certificate request
<= write server key exchange
<= skip write server key exchange
=> write server key exchange
<= parse client key exchange
bad client key exchange message
=> parse client key exchange
<= parse certificate verify
bad certificate verify message
<= skip parse certificate verify
=> parse certificate verify
server state: %d
before encrypt: msglen = %d, including %d bytes of IV and %d bytes of padding
before encrypt: msglen = %d, including %d bytes of padding
bad padding byte: should be x, but is x
bad padding length: is %d, should be no more than %d
msglen (%d) %% ivlen (%d) != 0
in_msglen (%d) < minlen (%d)
in_left: %d, nb_want: %d
message length: %d, out_left: %d
output record: msgtype = %d, version = [%d:%d], msglen = %d
got an alert message, type: [%d:%d]
input record: msgtype = %d, version = [%d:%d], msglen = %d
handshake message: msglen = %d, type = %d, hslen = %d
<= write certificate
certificate too large, %d > %d
own certificate
got no certificate to send
<= skip write certificate
=> write certificate
<= parse certificate
x509_verify_cert
x509parse_crt
peer certificate
malloc(%d bytes) failed
bad certificate message
TLSv1 client has no certificate
SSLv3 client has no certificate
<= skip parse certificate
=> parse certificate
<= derive keys
keylen: %d, minlen: %d, ivlen: %d, maclen: %d
ciphersuite %s is not available
key block
ciphersuite = %s
key expansion
=> derive keys
1.0.0
PolarSSL 1.0.0
M-----
------
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
0xX=
X%s
%sRSA key size : %d bits
%ssigned using : RSA 
%sexpires on : d-d-d d:d:d
%sissued on : d-d-d d:d:d
%ssubject name :
%sissuer name :
%sserial number :
%scert. version : %d
TLS Web Client Authentication
TLS Web Server Authentication
%d.%d
revocation date: d-d-d d:d:d
%sserial number:
%sRevoked certificates:
%snext update : d-d-d d:d:d
%sthis update : d-d-d d:d:d
%sCRL version : %d
X.509 private key load:
X.509 certificate load:
XTEA test #%d:
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
System32\Macromed\Flash\mms.cfg
%SystemRoot%\
/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
fpdownload.macromedia.com
\install_flash_player_11_plugin_32bit.exe
\install_flash_player_11_active_x_32bit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ardownload.adobe.com
/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
\AdbeRdr1012_en_US.exe
\Common Files\Java\Java Update\jucheck.exe
https
hXXp://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
download.oracle.com
/otn-pub/java/jdk/6u31-b05/jre-6u31-windows-i586.exe
\jre-6u31-windows-i586-s.exe
%s=%s
Range: bytes=%d-%d
Cookie:%s
Cache-Control: %s
Connection: %s
Content-Length: %d
Host: %s
Accept-Encoding: %s
Content-Type: %s
User-Agent: %s
Accept-Language: %s
Referer: %s
Accept: %s
%s %s HTTP/1.1
Test Using Larger Than Block-Size Key - Hash Key First
Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data
This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.
gpw_e24=http://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
s_sq=[[B]];
%s=%s;
GetProcessHeap
CreateIoCompletionPort
RegEnumKeyExA
RegOpenKeyA
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.idata
.reloc
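
The three regions dumped from svchost.exe:1476 above are distinct components: a browser-automation helper (BrowserKeyPress, SetWindowsHookExA, IEScope%d), the hooking/web-inject module (wininet and nspr4/nss3 hook targets, WebFilters/WebDataFilters/WebFakes, the PTF:// and pop3:// credential formats, the per-profile .log path and the three GUID constants), and a module carrying a statically linked PolarSSL 1.0.0 plus Flash/Reader/Java download paths. The same hooking module recurs in every other injected process. The script that follows is an added example, not part of the Lavasoft report and not code from the sample: it parses the dump format used on this page (a `process_pid_rwx_base_size:` header followed by one extracted string per line) and groups each region's strings into indicator families so a triage analyst can see at a glance which injected region carries what. The family names, the regexes and the verdict labels are this example's own assumptions; the embedded SAMPLE_DUMP is a constructed excerpt of strings taken from this report.

```python
import re
from collections import defaultdict

# Region header as printed in the report: <process>_<pid>_rwx_<base>_<size>:
HEADER = re.compile(r"^(?P<proc>.+?)_(?P<pid>\d+)_rwx_(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):$")

# Indicator families keyed on strings present in the report. The family names
# and groupings are this example's own assumptions, not the analysis system's.
FAMILIES = {
    # APIs a man-in-the-browser module resolves to hook IE (wininet) and Firefox (nspr4/nss3)
    "browser_hooks": {"HttpSendRequestA", "HttpSendRequestW", "HttpSendRequestExA",
                      "HttpSendRequestExW", "InternetOpenUrlA", "InternetOpenUrlW",
                      "HttpOpenRequestA", "HttpOpenRequestW", "HttpQueryInfoA",
                      "HttpQueryInfoW", "PR_OpenTCPSocket", "nspr4.dll", "nss3.dll"},
    "webinject_config": {"WebFilters", "WebDataFilters", "WebFakes", "set_url", "keywords"},
    "credential_formats": {"PTF://%s:%s@%s:%d/", "pop3://%s:%s@%s:%d/", "USER PASS",
                           "Cookie: User-Agent-Session: Basic login: Basic password:"},
    "keylogging": {"SetWindowsHookExA", "GetKeyboardState", "keybd_event", "VkKeyScanExA",
                   "BrowserKeyPress"},
    "named_pipes": {"CreateNamedPipeA", "ConnectNamedPipe", "\\\\.\\pipe\\"},
    "embedded_tls": {"PolarSSL 1.0.0", "ssl_derive_keys", "x509_verify_cert"},
    "ftp_client_stores": {"\\FileZilla\\sitemanager.xml", "\\FileZilla\\recentservers.xml",
                          "Software\\FTPWare\\COREFTP\\Sites", "\\NetDrive\\NDSites.ini"},
    "security_product_refs": {"RapportGP.dll"},  # file name of a Trusteer Rapport module
}
PATTERNS = {  # per-profile log file and the GUID constants repeated in every injected region
    "profile_log_path": re.compile(r"Local Settings\\Application Data\\[a-z]{8}\.log$"),
    "guid": re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$"),
}

def parse_dump(text):
    """Split report text into (region_header, [strings]) in document order.
    Lines before the first region header are ignored."""
    regions, name, strings = [], None, []
    for line in (l.strip() for l in text.splitlines()):
        if HEADER.match(line):
            if name is not None:
                regions.append((name, strings))
            name, strings = line[:-1], []      # drop the trailing colon
        elif line and name is not None:
            strings.append(line)
    if name is not None:
        regions.append((name, strings))
    return regions

def classify(strings):
    """Map each indicator family to the region strings that hit it."""
    hits = defaultdict(list)
    for s in strings:
        for fam, literals in FAMILIES.items():
            if s in literals:
                hits[fam].append(s)
        for fam, rx in PATTERNS.items():
            if rx.search(s):
                hits[fam].append(s)
    return dict(hits)

def verdict(hits):
    """Coarse label for one region; the order of the checks encodes precedence."""
    if "browser_hooks" in hits and "webinject_config" in hits:
        return "man-in-the-browser core (API hooks + web-inject config)"
    if "embedded_tls" in hits:
        return "embedded TLS stack (statically linked PolarSSL)"
    if "ftp_client_stores" in hits:
        return "FTP client credential harvester"
    if "keylogging" in hits or "browser_hooks" in hits:
        return "browser automation / keystroke helper"
    return "no known indicators"

def triage(text):
    """{region_header: (verdict, hits)} for every region in the dump."""
    out = {}
    for name, strings in parse_dump(text):
        hits = classify(strings)
        out[name] = (verdict(hits), hits)
    return out

# Constructed excerpt of the report's own dump strings (three regions of svchost.exe:1476).
SAMPLE_DUMP = r"""svchost.exe_1476_rwx_20121000_0005D000:
BrowserKeyPress
SetWindowsHookExA
HttpSendRequestA
svchost.exe_1476_rwx_20181000_00036000:
HttpSendRequestW
nss3.dll
PR_OpenTCPSocket
%Documents and Settings%\%current user%\Local Settings\Application Data\iwmikkry.log
{49A21781-C39D-B603-C11E-00485360D01E}
CreateNamedPipeA
\\.\pipe\
PTF://%s:%s@%s:%d/
RapportGP.dll
WebFilters
set_url
svchost.exe_1476_rwx_20201000_0003F000:
PolarSSL 1.0.0
x509_verify_cert
"""

if __name__ == "__main__":
    for name, (label, hits) in triage(SAMPLE_DUMP).items():
        print(f"{name}: {label}")
        for fam, matched in sorted(hits.items()):
            print(f"  {fam}: {', '.join(matched)}")
```

Run against the full "Strings from Dumps" text instead of SAMPLE_DUMP and the per-process regions collapse into the same verdict with only the profile_log_path hit differing (per-user profile, LocalService, NetworkService, systemprofile), which is the quickest way to confirm that one module was injected everywhere rather than several different ones.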

wmiprvse.exe_432_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

services.exe_756_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

lsass.exe_768_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

Explorer.EXE_888_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
wurlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\%current user%\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_936_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1020_rwx_201C0000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\NetworkService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1208
    Tq8SbV3:348
    csslisog.exe:320

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (2105 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (2105 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
