Skip to main content

Gen.Variant.Kazy.71274_03b63b1928


HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.71274 (B) (Emsisoft), Gen:Variant.Kazy.71274 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 03b63b1928954b76117b4f943f881c8d

SHA1: 246d5b3efc69f063e3cbfeb78e5b177262c705eb

SHA256: 1e6bfc1ae2373d40b9f18fd67d3a1964f05cbab08b028de2a566c558efcb042c

SSDeep: 6144:5G0w4rrdhvh9Bc/byJT5E17pn2Hhru9dLP/sBPA/g:5w4vRl07V y9WhA/g

Size: 276992 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: no certificate found

Created at: 2002-10-04 05:12:45

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1108

The Trojan injects its code into the following process(es):

Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1108 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\drljflg.exe (1977 bytes)
%System%\config\software (2136 bytes)
%System%\config\SOFTWARE.LOG (3043 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1108 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 27 BD 80 17 78 B1 ED 80 8D 4D D4 54 2D 67 83"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\drljflg.exe_, \??\%WinDir%\apppatch\drljflg.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöFë9µ®^$YÉòd¼Œ¤Kô1,Š$ë›ÛÌ«”¹l}Ë {œzŒôC%é[qñl4ì;û´[Ò#»Û:ÑU„„ԝ\±ª²Dƒuœ¡Ü¼);¼\ƒtµ2”kDù”a”*›cü$}Sô|ë$¤ô{¬q³#sÅå\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ãÍ‚“ÉUcdÁÄZ¡r»ô”)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÍÁ=éÔÑщ¬q9|áíù’‘íÁ©šÄR"

Dropped PE files

MD5 File path
f0f76c78da8fa0511f3eae4d70630074c:\WINDOWS\AppPatch\drljflg.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1108

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\AppPatch\drljflg.exe (1977 bytes)
    %System%\config\software (2136 bytes)
    %System%\config\SOFTWARE.LOG (3043 bytes)

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: platformism
Product Name: Terrella
Product Version: 4.6.0.3
Legal Copyright: Lysidine
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.3.4.4
File Description: Underviewer
Comments:
Language: English (United States)

Company Name: platformismProduct Name: TerrellaProduct Version: 4.6.0.3Legal Copyright: LysidineLegal Trademarks: Original Filename: Internal Name: File Version: 5.3.4.4 File Description: UnderviewerComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.QwfR4096384401536053e979547d8c2ea86560ac45de08ae25
.EAeKTf450561353130720d2a70550489de356a2cd6bfc40711204
.ITOkSwi614403133230720d2a70550489de356a2cd6bfc40711204
.EeYFtGi9420829715102400f343b0931126a20f133d67c2b018a3b
.text12697616405168964.645698abc11e6d0f390de8907557ceca13c27
.pJUewT14745679910243.098738fdb88bd0f0d6a780602025b29b32045
.Ywuy151552130015363.5765646b99747333135e22a388697e935308f
.ipAxoYi155648291930723.3020908b8e22643ef4244cc2729841f02cc24
.LVTVh159744239925603.16979e715b8114e976e89ba9ea90641510f3a
.yLDaz16384075110243.48958978de2e7392ed38473456af1b9c3bdb3
.sJDw16793658410242.432253c063054b31f63b7330c4e41d1063ee0
.data17203211655971684.893522114e1ec63e947caffb185df61f405b2
.aKRpo29081668510242.846965ff4752d21cf700ce7042ad77b002c7f
.rdata2949122121732124805.54227876def98eb46ee032bc8b2caddd97
.XvvGFf50790410991536053e979547d8c2ea86560ac45de08ae25
.rsrc51200017480179202.6417255035c2bb389f2edb3013ea36f8af6f4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1684_rwx_022A0000_000B2000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

http

http

PASSu98V

PASSu98V

PASSu08V

PASSu08V

FTPQ

FTPQ

12345678

12345678

password1

password1

monkey

monkey

monkey1

monkey1

password

password

Pname.key

Pname.key

\secrets.key

\secrets.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

sysinfo.log

sysinfo.log

scr.jpg

scr.jpg

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.8.14

4.8.14

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

/search.php

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

ntdll.dll

ntdll.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

\firefox.exe

\firefox.exe

keygrab

keygrab

u.jpg

u.jpg

IprivLibEx.dll

IprivLibEx.dll

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

sniff.log

sniff.log

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.bing.com

VVV.microsoft.com

VVV.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\opera.exe

\opera.exe

\cbmain.ex

\cbmain.ex

\iscc.exe

\iscc.exe

\clmain.exe

\clmain.exe

\wclnt.exe

\wclnt.exe

internal_wutex_0xx

internal_wutex_0xx

%s.dbf

%s.dbf

%s.DBF

%s.DBF

pop2://%s:%s@%s:%i

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

PTF://anonymous:

AUTHINFO PASS

AUTHINFO PASS

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

ssleay32.dll

ssleay32.dll

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

winmm.dll

1.2.5

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

%s\%s

#webcam

#webcam

#webcam%d

#webcam%d

RFB d.d

RFB d.d

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

WinExec

WinExec

SetThreadExecutionState

SetThreadExecutionState

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetKeyboardLayoutList

GetAsyncKeyState

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardLayout

MapVirtualKeyW

MapVirtualKeyW

VkKeyScanW

VkKeyScanW

VkKeyScanExW

VkKeyScanExW

keybd_event

keybd_event

EnumChildWindows

EnumChildWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetKeyboardState

SetKeyboardState

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

RegEnumKeyExA

RegEnumKeyExA

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

gdiplus.dll

gdiplus.dll

MSVCRT.dll

MSVCRT.dll

AVICAP32.dll

AVICAP32.dll

MSVFW32.dll

MSVFW32.dll

ShellExecuteW

ShellExecuteW

GetProcessHeap

GetProcessHeap

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

5`6C6Q6}6

5`6C6Q6}6

55

55

;";,;6;

;";,;6;

6&7-737

6&7-737

3"33393>3}3

3"33393>3}3

;#;);/;=;

;#;);/;=;

=}=

=}=

:(:-:8:=:

:(:-:8:=:

7#7)7/7=7

7#7)7/7=7

9&9,929@9

9&9,929@9

0!02090>0

0!02090>0

>$>*>4>9>

>$>*>4>9>

Windows Explorer

Windows Explorer

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

dntdll.dll

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

iexplore.exe

HighMemoryEvent_x

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

MSCTF.Shared.MUTEX.x

.Prev

.Prev

.current

.current

Explorer.EXE_1684_rwx_02E20000_000B8000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

http

http

PASSu98V

PASSu98V

PASSu08V

PASSu08V

FTPQ

FTPQ

12345678

12345678

password1

password1

monkey

monkey

monkey1

monkey1

password

password

Pname.key

Pname.key

\secrets.key

\secrets.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

sysinfo.log

sysinfo.log

scr.jpg

scr.jpg

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.8.14

4.8.14

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

/search.php

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

ntdll.dll

ntdll.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

\firefox.exe

\firefox.exe

keygrab

keygrab

u.jpg

u.jpg

IprivLibEx.dll

IprivLibEx.dll

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

sniff.log

sniff.log

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.bing.com

VVV.microsoft.com

VVV.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\opera.exe

\opera.exe

\cbmain.ex

\cbmain.ex

\iscc.exe

\iscc.exe

\clmain.exe

\clmain.exe

\wclnt.exe

\wclnt.exe

internal_wutex_0xx

internal_wutex_0xx

%s.dbf

%s.dbf

%s.DBF

%s.DBF

pop2://%s:%s@%s:%i

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

PTF://anonymous:

AUTHINFO PASS

AUTHINFO PASS

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

ssleay32.dll

ssleay32.dll

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

winmm.dll

1.2.5

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

%s\%s

#webcam

#webcam

#webcam%d

#webcam%d

RFB d.d

RFB d.d

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

WinExec

WinExec

SetThreadExecutionState

SetThreadExecutionState

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetKeyboardLayoutList

GetAsyncKeyState

GetAsyncKeyState

GetKeyboardLayout

GetKeyboardLayout

MapVirtualKeyW

MapVirtualKeyW

VkKeyScanW

VkKeyScanW

VkKeyScanExW

VkKeyScanExW

keybd_event

keybd_event

EnumChildWindows

EnumChildWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetKeyboardState

SetKeyboardState

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

RegEnumKeyExA

RegEnumKeyExA

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

gdiplus.dll

gdiplus.dll

MSVCRT.dll

MSVCRT.dll

AVICAP32.dll

AVICAP32.dll

MSVFW32.dll

MSVFW32.dll

ShellExecuteW

ShellExecuteW

GetProcessHeap

GetProcessHeap

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

SYSTEM!XP1!F9BE9A8A

SYSTEM!XP1!F9BE9A8A

%WinDir%\apppatch\drljflg.exe

%WinDir%\apppatch\drljflg.exe

%Documents and Settings%\%current user%\Application Data\

%Documents and Settings%\%current user%\Application Data\

5`6C6Q6}6

5`6C6Q6}6

55

55

;";,;6;

;";,;6;

6&7-737

6&7-737

3"33393>3}3

3"33393>3}3

;#;);/;=;

;#;);/;=;

=}=

=}=

:(:-:8:=:

:(:-:8:=:

7#7)7/7=7

7#7)7/7=7

9&9,929@9

9&9,929@9

0!02090>0

0!02090>0

>$>*>4>9>

>$>*>4>9>

`.data

`.data

Windows Explorer

Windows Explorer

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

dntdll.dll

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

iexplore.exe

HighMemoryEvent_x

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

MSCTF.Shared.MUTEX.x

.Prev

.Prev

.current

.current