Skip to main content

Gen.Variant.Zbot.15_ea805843d3


HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Zbot.15 (B) (Emsisoft), Gen:Variant.Zbot.15 (AdAware), Shiz.YR, Sinowal.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ea805843d32cbea341ce6e796599db85

SHA1: 177e0844dfab6470bb3c670b3cd5df0fddf678b6

SHA256: ef8db9d910908644084bd0f63d5c6ea3b07d79960c1170c1f4f6015514c4300f

SSDeep: 3072:pxG5Er7 qD/mfP/BnY F0Su7n7yQX7dPzKSvk:pxh9O1l6SkZs

Size: 101376 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: AKorea

Created at: 2000-06-25 06:33:28

Analyzed on: WindowsXP SP3 32-bit

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1988

The Trojan injects its code into the following process(es):

services.exe:764
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:1988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 22 1A 33 11 24 9E 62 B0 F0 6B C1 2A E2 B1 54"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1988

  2. Delete the original Trojan file.
  3. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Svxruw Uwzyhjm Owipnut Xtpnusy
Product Name: Fdkip Anlsq
Product Version: 0.2.5.1
Legal Copyright: Wyhkm
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.1.7.8
File Description: Xpuvqw Utign Fuovtbi Dkipt
Comments:
Language: Language Neutral

Company Name: Svxruw Uwzyhjm Owipnut XtpnusyProduct Name: Fdkip AnlsqProduct Version: 0.2.5.1Legal Copyright: WyhkmLegal Trademarks: Original Filename: Internal Name: File Version: 4.1.7.8File Description: Xpuvqw Utign Fuovtbi DkiptComments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409629855302085.1866274b88f46604ee78a5a6b365595e15b4a
.data3686460016604164.9439845f6076214648553307c4f2e7ef4126e
.idata98304136615363.19634340ff712aad3815a7109ad7db87d516a
.rsrc102400816481925.0144670974b91b1d2477a08b312a799ca5e00

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

services.exe_764_rwx_00040000_0002C000:

|$L.tj

|$L.tj

t.Vh

t.Vh

SSSh*

SSSh*

u#SSSh

u#SSSh

SSShh@

SSShh@

SSShP

SSShP

SSShV

SSShV

beautifumortimer.com

beautifumortimer.com

POST /gate.php HTTP/1.0

POST /gate.php HTTP/1.0

Host: %s

Host: %s

Content-Length: %u

Content-Length: %u

195.222.17.0

195.222.17.0

74.55.143.0

74.55.143.0

62.67.184.0

62.67.184.0

208.43.44.0

208.43.44.0

188.40.74.0

188.40.74.0

212.59.118.0

212.59.118.0

81.176.67.0

81.176.67.0

87.242.75.0

87.242.75.0

83.102.130.0

83.102.130.0

207.44.254.0

207.44.254.0

75.125.212.0

75.125.212.0

74.86.125.0

74.86.125.0

75.125.43.0

75.125.43.0

75.125.189.0

75.125.189.0

74.54.46.0

74.54.46.0

74.54.130.0

74.54.130.0

174.120.184.0

174.120.184.0

174.120.185.0

174.120.185.0

174.133.38.0

174.133.38.0

74.54.139.0

74.54.139.0

74.86.232.0

74.86.232.0

74.53.70.0

74.53.70.0

208.43.71.0

208.43.71.0

174.120.186.0

174.120.186.0

75.125.185.0

75.125.185.0

74.55.74.0

74.55.74.0

95.140.225.0

95.140.225.0

94.236.0.0

94.236.0.0

94.23.206.0

94.23.206.0

93.191.13.0

93.191.13.0

93.184.71.0

93.184.71.0

92.53.106.0

92.53.106.0

92.123.155.0

92.123.155.0

91.209.196.0

91.209.196.0

91.199.212.0

91.199.212.0

91.121.97.0

91.121.97.0

90.183.101.0

90.183.101.0

90.156.159.0

90.156.159.0

89.202.157.0

89.202.157.0

89.202.149.0

89.202.149.0

89.111.176.0

89.111.176.0

89.108.66.0

89.108.66.0

88.221.119.0

88.221.119.0

87.242.79.0

87.242.79.0

87.242.74.0

87.242.74.0

87.242.72.0

87.242.72.0

87.238.48.0

87.238.48.0

87.230.79.0

87.230.79.0

87.106.254.0

87.106.254.0

87.106.242.0

87.106.242.0

85.31.222.0

85.31.222.0

85.255.19.0

85.255.19.0

85.214.106.0

85.214.106.0

85.17.210.0

85.17.210.0

85.12.57.0

85.12.57.0

84.40.30.0

84.40.30.0

83.223.117.0

83.223.117.0

83.222.31.0

83.222.31.0

83.222.23.0

83.222.23.0

83.202.175.0

83.202.175.0

82.98.86.0

82.98.86.0

82.165.103.0

82.165.103.0

82.151.107.0

82.151.107.0

82.117.238.0

82.117.238.0

81.24.35.0

81.24.35.0

81.177.31.0

81.177.31.0

81.176.66.0

81.176.66.0

80.86.107.0

80.86.107.0

80.237.132.0

80.237.132.0

80.190.154.0

80.190.154.0

80.190.130.0

80.190.130.0

80.153.193.0

80.153.193.0

79.125.5.0

79.125.5.0

78.47.87.0

78.47.87.0

78.137.164.0

78.137.164.0

78.108.86.0

78.108.86.0

75.125.82.0

75.125.82.0

75.125.29.0

75.125.29.0

74.55.40.0

74.55.40.0

74.53.201.0

74.53.201.0

74.52.233.0

74.52.233.0

74.50.0.0

74.50.0.0

74.208.20.0

74.208.20.0

74.208.158.0

74.208.158.0

74.125.77.0

74.125.77.0

72.32.70.0

72.32.70.0

72.32.149.0

72.32.149.0

72.32.125.0

72.32.125.0

72.3.254.0

72.3.254.0

72.232.246.0

72.232.246.0

70.84.211.0

70.84.211.0

69.93.226.0

69.93.226.0

69.57.142.0

69.57.142.0

69.20.104.0

69.20.104.0

69.18.148.0

69.18.148.0

69.162.79.0

69.162.79.0

68.177.102.0

68.177.102.0

67.227.172.0

67.227.172.0

67.225.206.0

67.225.206.0

67.192.135.0

67.192.135.0

67.19.34.0

67.19.34.0

67.15.231.0

67.15.231.0

67.15.103.0

67.15.103.0

67.134.208.0

67.134.208.0

66.77.70.0

66.77.70.0

66.249.17.0

66.249.17.0

66.223.50.0

66.223.50.0

65.55.240.0

65.55.240.0

65.55.184.0

65.55.184.0

65.175.38.0

65.175.38.0

64.78.182.0

64.78.182.0

64.66.190.0

64.66.190.0

64.41.151.0

64.41.151.0

64.41.142.0

64.41.142.0

64.246.4.0

64.246.4.0

64.202.189.0

64.202.189.0

64.13.134.0

64.13.134.0

64.128.133.0

64.128.133.0

63.85.36.0

63.85.36.0

62.75.216.0

62.75.216.0

62.75.163.0

62.75.163.0

62.213.110.0

62.213.110.0

62.189.194.0

62.189.194.0

62.146.66.0

62.146.66.0

62.146.210.0

62.146.210.0

62.14.249.0

62.14.249.0

38.113.1.0

38.113.1.0

217.174.103.0

217.174.103.0

217.170.21.0

217.170.21.0

217.16.16.0

217.16.16.0

217.106.234.0

217.106.234.0

216.99.133.0

216.99.133.0

216.55.183.0

216.55.183.0

216.49.94.0

216.49.94.0

216.49.88.0

216.49.88.0

216.246.90.0

216.246.90.0

216.239.122.0

216.239.122.0

216.12.145.0

216.12.145.0

216.10.192.0

216.10.192.0

213.31.172.0

213.31.172.0

213.220.100.0

213.220.100.0

213.198.89.0

213.198.89.0

213.171.218.0

213.171.218.0

213.133.34.0

213.133.34.0

212.8.79.0

212.8.79.0

212.72.62.0

212.72.62.0

212.67.88.0

212.67.88.0

212.47.219.0

212.47.219.0

209.87.209.0

209.87.209.0

209.62.68.0

209.62.68.0

209.62.112.0

209.62.112.0

209.51.167.0

209.51.167.0

209.216.46.0

209.216.46.0

209.160.22.0

209.160.22.0

209.157.69.0

209.157.69.0

209.124.55.0

209.124.55.0

208.79.250.0

208.79.250.0

207.66.0.0

207.66.0.0

207.46.232.0

207.46.232.0

207.46.20.0

207.46.20.0

207.46.18.0

207.46.18.0

207.44.154.0

207.44.154.0

206.204.52.0

206.204.52.0

205.227.136.0

205.227.136.0

205.178.145.0

205.178.145.0

204.14.90.0

204.14.90.0

203.160.188.0

203.160.188.0

199.203.243.0

199.203.243.0

198.6.49.0

198.6.49.0

195.70.37.0

195.70.37.0

195.64.225.0

195.64.225.0

195.55.72.0

195.55.72.0

195.210.42.0

195.210.42.0

195.2.240.0

195.2.240.0

195.146.235.0

195.146.235.0

195.137.160.0

195.137.160.0

194.33.180.0

194.33.180.0

194.206.126.0

194.206.126.0

194.112.106.0

194.112.106.0

194.109.142.0

194.109.142.0

194.0.200.0

194.0.200.0

193.71.68.0

193.71.68.0

193.69.114.0

193.69.114.0

193.66.251.0

193.66.251.0

193.24.237.0

193.24.237.0

193.193.194.0

193.193.194.0

193.17.85.0

193.17.85.0

193.110.109.0

193.110.109.0

193.1.193.0

193.1.193.0

193.0.6.0

193.0.6.0

192.150.94.0

192.150.94.0

188.93.8.0

188.93.8.0

18.85.2.0

18.85.2.0

166.70.98.0

166.70.98.0

165.160.15.0

165.160.15.0

162.40.10.0

162.40.10.0

155.35.248.0

155.35.248.0

150.70.93.0

150.70.93.0

149.101.225.0

149.101.225.0

141.202.248.0

141.202.248.0

139.91.222.0

139.91.222.0

128.130.60.0

128.130.60.0

128.130.56.0

128.130.56.0

128.111.48.0

128.111.48.0

sfc.dll

sfc.dll

winlogon.exe

winlogon.exe

\\.\PhysicalDrive

\\.\PhysicalDrive

smss.exe

smss.exe

csrss.exe

csrss.exe

lsass.exe

lsass.exe

%s\%s

%s\%s

%d.%d.%d.%d

%d.%d.%d.%d

route.exe -p add %s mask 255.255.255.0 %s

route.exe -p add %s mask 255.255.255.0 %s

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

Referer: %s

Referer: %s

User-Agent: %s

User-Agent: %s

Title: %s]]]

Title: %s]]]

ntdll.dll

ntdll.dll

keys

keys

bssrepp\private.txt

bssrepp\private.txt

bssrepp\keys

bssrepp\keys

bssrepp\public.txt

bssrepp\public.txt

keys.zip

keys.zip

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

path.txt

path.txt

pass.log

pass.log

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

keylog.txt

keylog.txt

links.log

links.log

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

name.key

name.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

user32.dll

user32.dll

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

\History.IE5\index.dat

\History.IE5\index.dat

https

https

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

secret.key

secret.key

pubkeys.key

pubkeys.key

\\.\KmxAgent

\\.\KmxAgent

\Windows Defender

\Windows Defender

MpClient.dll

MpClient.dll

____AVP.Root

____AVP.Root

avipc.dll

avipc.dll

\AVG\AVG9\dfncfg.dat

\AVG\AVG9\dfncfg.dat

\AVG\AVG9\dfmcfg.dat

\AVG\AVG9\dfmcfg.dat

kernel32.dll

kernel32.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

Server 2003 for Itanium64

Server 2003 for Itanium64

Server 2003 for AMD64

Server 2003 for AMD64

smime3.dll

smime3.dll

nss3.dll

nss3.dll

softokn3.dll

softokn3.dll

nssutil3.dll

nssutil3.dll

sqlite3.dll

sqlite3.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nspr4.dll

nspr4.dll

mozcrt19.dll

mozcrt19.dll

webmoney

webmoney

PK11_ListCerts

PK11_ListCerts

CERT_DestroyCertList

CERT_DestroyCertList

CERT_GetDefaultCertDB

CERT_GetDefaultCertDB

PORT_UCS2_UTF8Conversion

PORT_UCS2_UTF8Conversion

PORT_SetUCS2_ASCIIConversionFunction

PORT_SetUCS2_ASCIIConversionFunction

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

SEC_PKCS12AddPasswordIntegrity

SEC_PKCS12AddPasswordIntegrity

SEC_PKCS12CreatePasswordPrivSafe

SEC_PKCS12CreatePasswordPrivSafe

SEC_PKCS12AddCertAndKey

SEC_PKCS12AddCertAndKey

SEC_PKCS12DestroyExportContext

SEC_PKCS12DestroyExportContext

SEC_PKCS12CreateExportContext

SEC_PKCS12CreateExportContext

1234567890

1234567890

firefox

firefox

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

balance.htm

balance.htm

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

action=auth&np=&login=

action=auth&np=&login=

IW_FormName=fmLogin&IW_FormClass=TfmLogin

IW_FormName=fmLogin&IW_FormClass=TfmLogin

opera.dll

opera.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

Title: %s

Title: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s}}}

{{{%s}}}

Kernel32.dll

Kernel32.dll

\*.bk

\*.bk

ISClient.cfg

ISClient.cfg

interpro.ini

interpro.ini

rfk.zip

rfk.zip

pass_

pass_

login=

login=

password=

password=

ws2_32.dll

ws2_32.dll

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

path1.txt

path1.txt

inter.zip

inter.zip

cbsmain.dll

cbsmain.dll

bsi.dll

bsi.dll

vb_pfx_import

vb_pfx_import

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe

hXXp://

hXXp://

/knok.php?id=

/knok.php?id=

hXXp://beautifumortimer.com/knok.php?id=

hXXp://beautifumortimer.com/knok.php?id=

C:\temp_file_bin

C:\temp_file_bin

login

login

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

%d:TCP

%d:TCP

%d:TCP:*:Enabled:%d

%d:TCP:*:Enabled:%d

%Program Files%

%Program Files%

services.exe

services.exe

/socks.php?name=

/socks.php?name=

&port=

&port=

iexplore.exe

iexplore.exe

java.exe

java.exe

javaw.exe

javaw.exe

javaws.exe

javaws.exe

opera.exe

opera.exe

mnp.exe

mnp.exe

explorer.exe

explorer.exe

isclient.exe

isclient.exe

intpro.exe

intpro.exe

loadmain.exe

loadmain.exe

advapi32.dll

advapi32.dll

sks2xyz.dll

sks2xyz.dll

FilialRCon.dll

FilialRCon.dll

Wininet.dll

Wininet.dll

qlogin

qlogin

SYSTEM!XP1!F9BE9A8A

SYSTEM!XP1!F9BE9A8A

XP Service Pack 3

XP Service Pack 3

%Program Files%\Common Files\

%Program Files%\Common Files\

WinExec

WinExec

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegCloseKey

RegCloseKey

RegOpenKeyA

RegOpenKeyA

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

PFXExportCertStoreEx

PFXExportCertStoreEx

CertDuplicateCertificateContext

CertDuplicateCertificateContext

CertEnumCertificatesInStore

CertEnumCertificatesInStore

PFXImportCertStore

PFXImportCertStore

CertGetNameStringA

CertGetNameStringA

CertCloseStore

CertCloseStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertOpenStore

CertOpenStore

SHFileOperationA

SHFileOperationA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

DeleteUrlCacheEntry

DeleteUrlCacheEntry

InternetOpenUrlA

InternetOpenUrlA

6$6$6$6$6 6

6$6$6$6$6 6

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

CRYPT32.dll

CRYPT32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

MSVCRT.dll

MSVCRT.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

PSAPI.DLL

PSAPI.DLL

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

urlmon.dll

urlmon.dll

USER32.dll

USER32.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

J,%u?>

J,%u?>

hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx

hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx

btnLogin

btnLogin

lself.cer

lself.cer

\secrets.key

\secrets.key

services.exe_764_rwx_00093000_00001000:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

5.1.2600.551

5.1.2600.551

\Driver\PptpMiniport

\Driver\PptpMiniport

services.exe_764_rwx_000B2000_00001000:

w2.5.29.1

w2.5.29.1

w2.5.29.2

w2.5.29.2

w2.5.29.4

w2.5.29.4

w2.5.29.7

w2.5.29.7

w2.5.29.8

w2.5.29.8

w2.5.29.10

w2.5.29.10

w2.5.29.15

w2.5.29.15

w2.5.29.19

w2.5.29.19

w2.5.29.32

w2.5.29.32

w1.3.6.1.5.5.7.2.2

w1.3.6.1.5.5.7.2.2

w2.5.29.35

w2.5.29.35

w2.5.29.14

w2.5.29.14

w2.5.29.17

w2.5.29.17

w2.5.29.18

w2.5.29.18

w2.5.29.21

w2.5.29.21

w1.3.6.1.5.5.7.1.1

w1.3.6.1.5.5.7.1.1

w2.5.29.31

w2.5.29.31

w1.3.6.1.4.1.311.2.1.14

w1.3.6.1.4.1.311.2.1.14

w1.2.840.113549.1.9.14

w1.2.840.113549.1.9.14

w1.3.6.1.4.1.311.10.2

w1.3.6.1.4.1.311.10.2

w2.5.29.37

w2.5.29.37

w1.3.6.1.4.1.311.10.1

w1.3.6.1.4.1.311.10.1

w1.2.840.113549.3.2

w1.2.840.113549.3.2

w1.2.840.113549.1.9.15

w1.2.840.113549.1.9.15

w1.2.840.113549.1.9.5

w1.2.840.113549.1.9.5

w1.3.6.1.4.1.311.13.2.1

w1.3.6.1.4.1.311.13.2.1

w1.3.6.1.4.1.311.13.2.2

w1.3.6.1.4.1.311.13.2.2

w2.5.29.20

w2.5.29.20

w2.5.29.27

w2.5.29.27

w2.5.29.28

w2.5.29.28

w2.5.29.46

w2.5.29.46

w2.5.29.30

w2.5.29.30

w2.5.29.33

w2.5.29.33

w2.5.29.5

w2.5.29.5

w2.5.29.36

w2.5.29.36

w1.3.6.1.4.1.311.10.9.1

w1.3.6.1.4.1.311.10.9.1

w1.3.6.1.4.1.311.21.7

w1.3.6.1.4.1.311.21.7

w2.5.29.3

w2.5.29.3

\\.\PIPE\scerpc

\\.\PIPE\scerpc

services.exe_764_rwx_000B9000_00001000:

q CKM66.228.61.232

q CKM66.228.61.232

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\

%WinDir%\System32\svchost.exe -k netsvcs

%WinDir%\System32\svchost.exe -k netsvcs

\svchost.exe.Con

\svchost.exe.Con

%System%\svchost -k rpcss

%System%\svchost -k rpcss

services.exe_764_rwx_000C7000_00001000:

.dll,!

.dll,!

w0.9.2342.19200300.100.1.25

w0.9.2342.19200300.100.1.25

%System%\userinit.exe,%System%\mqbgmm.exe,

%System%\userinit.exe,%System%\mqbgmm.exe,

%Documents and Settings%\LocalService\Local Settings\History\History.IE5\index.dat

%Documents and Settings%\LocalService\Local Settings\History\History.IE5\index.dat

%System%\mqbgmm.exe,

%System%\mqbgmm.exe,

ware\microsoft\windows nt\currentversion\winlogon

ware\microsoft\windows nt\currentversion\winlogon

services.exe_764_rwx_000CD000_00001000:

hXXp://beautifumortimer.com/knok.php?id=SYSTEM!XP1!F9BE9A8A&ver=16&up=1348&os=XP Service Pack 3

hXXp://beautifumortimer.com/knok.php?id=SYSTEM!XP1!F9BE9A8A&ver=16&up=1348&os=XP Service Pack 3

CryptDllExportPublicKeyInfoEx

CryptDllExportPublicKeyInfoEx

CryptDllImportPublicKeyInfoEx

CryptDllImportPublicKeyInfoEx

CryptDllConvertPublicKeyInfo

CryptDllConvertPublicKeyInfo

w1.3.14.3.2.12

w1.3.14.3.2.12

services.exe_764_rwx_000D2000_00001000:

w2.5.4.4

w2.5.4.4

:2013021120130212:

:2013021120130212:

beautifumortimer.com

beautifumortimer.com

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

w2.5.4.10

w2.5.4.10

w2.5.4.3

w2.5.4.3

INDOWS\system32\route.exe

INDOWS\system32\route.exe

5.1.2600.5512

5.1.2600.5512

0303030303030303

0303030303030303

Explorer.EXE_1684_rwx_000C4000_00001000:

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat

\\?\IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

\\?\IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%System%\stobject.dll

%System%\stobject.dll

Explorer.EXE_1684_rwx_000E2000_00001000:

%SystemRoot%\system32\mswsock.dll

%SystemRoot%\system32\mswsock.dll

%Program Files%\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll

%Program Files%\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll

Tcpip

Tcpip

CLSID\{8C7461EF-2B13-11D2-BE35-3078302C2030}

CLSID\{8C7461EF-2B13-11D2-BE35-3078302C2030}

%System%\browseui.dll

%System%\browseui.dll

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

%Documents and Settings%\%current user%\My Documents

%Documents and Settings%\%current user%\My Documents

ice\{E1070104-F404-44CE-B556-0622F9D63EE5}

ice\{E1070104-F404-44CE-B556-0622F9D63EE5}

CLSID\{26FDC864-BE88-46E7-9235-032D8EA5162E}

CLSID\{26FDC864-BE88-46E7-9235-032D8EA5162E}

%System%\SHELL32.dll

%System%\SHELL32.dll

Explorer.EXE_1684_rwx_000F4000_00001000:

@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446

@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446

%SystemRoot%\system32\mswsock.dll

%SystemRoot%\system32\mswsock.dll

%WinDir%\LastGood

%WinDir%\LastGood

ice\{E1070104-F404-44CE-B556-0622F9D63EE5}

ice\{E1070104-F404-44CE-B556-0622F9D63EE5}

Maker.lnk

Maker.lnk

%Program Files%\Movie Mak

%Program Files%\Movie Mak

%WinDir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\

%WinDir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\

%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\

%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\

ISTRY\USER\S-1-5-21-1844237615-1960408961-1801674531-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}

ISTRY\USER\S-1-5-21-1844237615-1960408961-1801674531-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}

MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA3B3797-8A29-4E30-9B14-9ECEA8F69703}] SEQPACKET 2

MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA3B3797-8A29-4E30-9B14-9ECEA8F69703}] SEQPACKET 2

Explorer.EXE_1684_rwx_0010C000_00001000:

@shell32.dll,-22016

@shell32.dll,-22016

4/04/10 13:22:14 1684.35]

4/04/10 13:22:14 1684.35]

4/04/10 13:22:14 1684.36]

4/04/10 13:22:14 1684.36]

Wizard.lnk

Wizard.lnk

[2014/04/10 13:22:14 1684.37]

[2014/04/10 13:22:14 1684.37]

wiz.exe

wiz.exe

b8a05-beee-4442-

b8a05-beee-4442-

Explorer.EXE_1684_rwx_0013A000_00001000:

1.2.840.113549.1.9.16.2.3

1.2.840.113549.1.9.16.2.3

1.2.840.113549.1.9.16.2.4

1.2.840.113549.1.9.16.2.4

1.3.6.1.4.1.311.12.1.1

1.3.6.1.4.1.311.12.1.1

1.3.6.1.4.1.311.12.1.2

1.3.6.1.4.1.311.12.1.2

sk: 255.255.255.0

sk: 255.255.255.0

02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.193_x-ww_ac24e7bf\downlevel_manifest.8.0.50727.193\

02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.193_x-ww_ac24e7bf\downlevel_manifest.8.0.50727.193\

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

Explorer.EXE_1684_rwx_00142000_00001000:

IsFileSupportedName

IsFileSupportedName

Set\ServCLSID\{F020E586-5264-11D1-A532-0000F8757D7E}

Set\ServCLSID\{F020E586-5264-11D1-A532-0000F8757D7E}

%System%\hnetcfg.dll

%System%\hnetcfg.dll

CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}

CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}

%System%\wbem\wbemprox.dll

%System%\wbem\wbemprox.dll

0D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

0D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Explorer.EXE_1684_rwx_00153000_00002000:

ice\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}

ice\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}

DCLSID\{5B4DAE26-B807-11D0-9815-00C04FD91972}

DCLSID\{5B4DAE26-B807-11D0-9815-00C04FD91972}

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

ADOBER~1.LNKAdobe Reader 9.lnk

ADOBER~1.LNKAdobe Reader 9.lnk

Explorer.EXE_1684_rwx_0015B000_00001000:

{E1070104-F404-44CE-B556-0622F9D63EE5}

{E1070104-F404-44CE-B556-0622F9D63EE5}

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport

192.168.25.207

192.168.25.207

255.255.255.0

255.255.255.0

192.168.25.3

192.168.25.3

0.0.0.0

0.0.0.0

255.255.255.255

255.255.255.255

192.168.25.26

192.168.25.26

urCLSID\{ECD4FC4F-521C-11D0-B792-00A0C90312E1}

urCLSID\{ECD4FC4F-521C-11D0-B792-00A0C90312E1}

erl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

erl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

ess Monitor - Exporting event data

ess Monitor - Exporting event data

Explorer.EXE_1684_rwx_00EE0000_00021000:

|$L.tj

|$L.tj

t.Vh

t.Vh

SSSh*

SSSh*

u#SSSh

u#SSSh

SSShh@

SSShh@

SSShP

SSShP

SSShV

SSShV

beautifumortimer.com

beautifumortimer.com

POST /gate.php HTTP/1.0

POST /gate.php HTTP/1.0

Host: %s

Host: %s

Content-Length: %u

Content-Length: %u

195.222.17.0

195.222.17.0

74.55.143.0

74.55.143.0

62.67.184.0

62.67.184.0

208.43.44.0

208.43.44.0

188.40.74.0

188.40.74.0

212.59.118.0

212.59.118.0

81.176.67.0

81.176.67.0

87.242.75.0

87.242.75.0

83.102.130.0

83.102.130.0

207.44.254.0

207.44.254.0

75.125.212.0

75.125.212.0

74.86.125.0

74.86.125.0

75.125.43.0

75.125.43.0

75.125.189.0

75.125.189.0

74.54.46.0

74.54.46.0

74.54.130.0

74.54.130.0

174.120.184.0

174.120.184.0

174.120.185.0

174.120.185.0

174.133.38.0

174.133.38.0

74.54.139.0

74.54.139.0

74.86.232.0

74.86.232.0

74.53.70.0

74.53.70.0

208.43.71.0

208.43.71.0

174.120.186.0

174.120.186.0

75.125.185.0

75.125.185.0

74.55.74.0

74.55.74.0

95.140.225.0

95.140.225.0

94.236.0.0

94.236.0.0

94.23.206.0

94.23.206.0

93.191.13.0

93.191.13.0

93.184.71.0

93.184.71.0

92.53.106.0

92.53.106.0

92.123.155.0

92.123.155.0

91.209.196.0

91.209.196.0

91.199.212.0

91.199.212.0

91.121.97.0

91.121.97.0

90.183.101.0

90.183.101.0

90.156.159.0

90.156.159.0

89.202.157.0

89.202.157.0

89.202.149.0

89.202.149.0

89.111.176.0

89.111.176.0

89.108.66.0

89.108.66.0

88.221.119.0

88.221.119.0

87.242.79.0

87.242.79.0

87.242.74.0

87.242.74.0

87.242.72.0

87.242.72.0

87.238.48.0

87.238.48.0

87.230.79.0

87.230.79.0

87.106.254.0

87.106.254.0

87.106.242.0

87.106.242.0

85.31.222.0

85.31.222.0

85.255.19.0

85.255.19.0

85.214.106.0

85.214.106.0

85.17.210.0

85.17.210.0

85.12.57.0

85.12.57.0

84.40.30.0

84.40.30.0

83.223.117.0

83.223.117.0

83.222.31.0

83.222.31.0

83.222.23.0

83.222.23.0

83.202.175.0

83.202.175.0

82.98.86.0

82.98.86.0

82.165.103.0

82.165.103.0

82.151.107.0

82.151.107.0

82.117.238.0

82.117.238.0

81.24.35.0

81.24.35.0

81.177.31.0

81.177.31.0

81.176.66.0

81.176.66.0

80.86.107.0

80.86.107.0

80.237.132.0

80.237.132.0

80.190.154.0

80.190.154.0

80.190.130.0

80.190.130.0

80.153.193.0

80.153.193.0

79.125.5.0

79.125.5.0

78.47.87.0

78.47.87.0

78.137.164.0

78.137.164.0

78.108.86.0

78.108.86.0

75.125.82.0

75.125.82.0

75.125.29.0

75.125.29.0

74.55.40.0

74.55.40.0

74.53.201.0

74.53.201.0

74.52.233.0

74.52.233.0

74.50.0.0

74.50.0.0

74.208.20.0

74.208.20.0

74.208.158.0

74.208.158.0

74.125.77.0

74.125.77.0

72.32.70.0

72.32.70.0

72.32.149.0

72.32.149.0

72.32.125.0

72.32.125.0

72.3.254.0

72.3.254.0

72.232.246.0

72.232.246.0

70.84.211.0

70.84.211.0

69.93.226.0

69.93.226.0

69.57.142.0

69.57.142.0

69.20.104.0

69.20.104.0

69.18.148.0

69.18.148.0

69.162.79.0

69.162.79.0

68.177.102.0

68.177.102.0

67.227.172.0

67.227.172.0

67.225.206.0

67.225.206.0

67.192.135.0

67.192.135.0

67.19.34.0

67.19.34.0

67.15.231.0

67.15.231.0

67.15.103.0

67.15.103.0

67.134.208.0

67.134.208.0

66.77.70.0

66.77.70.0

66.249.17.0

66.249.17.0

66.223.50.0

66.223.50.0

65.55.240.0

65.55.240.0

65.55.184.0

65.55.184.0

65.175.38.0

65.175.38.0

64.78.182.0

64.78.182.0

64.66.190.0

64.66.190.0

64.41.151.0

64.41.151.0

64.41.142.0

64.41.142.0

64.246.4.0

64.246.4.0

64.202.189.0

64.202.189.0

64.13.134.0

64.13.134.0

64.128.133.0

64.128.133.0

63.85.36.0

63.85.36.0

62.75.216.0

62.75.216.0

62.75.163.0

62.75.163.0

62.213.110.0

62.213.110.0

62.189.194.0

62.189.194.0

62.146.66.0

62.146.66.0

62.146.210.0

62.146.210.0

62.14.249.0

62.14.249.0

38.113.1.0

38.113.1.0

217.174.103.0

217.174.103.0

217.170.21.0

217.170.21.0

217.16.16.0

217.16.16.0

217.106.234.0

217.106.234.0

216.99.133.0

216.99.133.0

216.55.183.0

216.55.183.0

216.49.94.0

216.49.94.0

216.49.88.0

216.49.88.0

216.246.90.0

216.246.90.0

216.239.122.0

216.239.122.0

216.12.145.0

216.12.145.0

216.10.192.0

216.10.192.0

213.31.172.0

213.31.172.0

213.220.100.0

213.220.100.0

213.198.89.0

213.198.89.0

213.171.218.0

213.171.218.0

213.133.34.0

213.133.34.0

212.8.79.0

212.8.79.0

212.72.62.0

212.72.62.0

212.67.88.0

212.67.88.0

212.47.219.0

212.47.219.0

209.87.209.0

209.87.209.0

209.62.68.0

209.62.68.0

209.62.112.0

209.62.112.0

209.51.167.0

209.51.167.0

209.216.46.0

209.216.46.0

209.160.22.0

209.160.22.0

209.157.69.0

209.157.69.0

209.124.55.0

209.124.55.0

208.79.250.0

208.79.250.0

207.66.0.0

207.66.0.0

207.46.232.0

207.46.232.0

207.46.20.0

207.46.20.0

207.46.18.0

207.46.18.0

207.44.154.0

207.44.154.0

206.204.52.0

206.204.52.0

205.227.136.0

205.227.136.0

205.178.145.0

205.178.145.0

204.14.90.0

204.14.90.0

203.160.188.0

203.160.188.0

199.203.243.0

199.203.243.0

198.6.49.0

198.6.49.0

195.70.37.0

195.70.37.0

195.64.225.0

195.64.225.0

195.55.72.0

195.55.72.0

195.210.42.0

195.210.42.0

195.2.240.0

195.2.240.0

195.146.235.0

195.146.235.0

195.137.160.0

195.137.160.0

194.33.180.0

194.33.180.0

194.206.126.0

194.206.126.0

194.112.106.0

194.112.106.0

194.109.142.0

194.109.142.0

194.0.200.0

194.0.200.0

193.71.68.0

193.71.68.0

193.69.114.0

193.69.114.0

193.66.251.0

193.66.251.0

193.24.237.0

193.24.237.0

193.193.194.0

193.193.194.0

193.17.85.0

193.17.85.0

193.110.109.0

193.110.109.0

193.1.193.0

193.1.193.0

193.0.6.0

193.0.6.0

192.150.94.0

192.150.94.0

188.93.8.0

188.93.8.0

18.85.2.0

18.85.2.0

166.70.98.0

166.70.98.0

165.160.15.0

165.160.15.0

162.40.10.0

162.40.10.0

155.35.248.0

155.35.248.0

150.70.93.0

150.70.93.0

149.101.225.0

149.101.225.0

141.202.248.0

141.202.248.0

139.91.222.0

139.91.222.0

128.130.60.0

128.130.60.0

128.130.56.0

128.130.56.0

128.111.48.0

128.111.48.0

sfc.dll

sfc.dll

winlogon.exe

winlogon.exe

\\.\PhysicalDrive

\\.\PhysicalDrive

smss.exe

smss.exe

csrss.exe

csrss.exe

lsass.exe

lsass.exe

%s\%s

%s\%s

%d.%d.%d.%d

%d.%d.%d.%d

route.exe -p add %s mask 255.255.255.0 %s

route.exe -p add %s mask 255.255.255.0 %s

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

Referer: %s

Referer: %s

User-Agent: %s

User-Agent: %s

Title: %s]]]

Title: %s]]]

ntdll.dll

ntdll.dll

keys

keys

bssrepp\private.txt

bssrepp\private.txt

bssrepp\keys

bssrepp\keys

bssrepp\public.txt

bssrepp\public.txt

keys.zip

keys.zip

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

path.txt

path.txt

pass.log

pass.log

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

keylog.txt

keylog.txt

links.log

links.log

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

name.key

name.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

user32.dll

user32.dll

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

\History.IE5\index.dat

\History.IE5\index.dat

https

https

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

secret.key

secret.key

pubkeys.key

pubkeys.key

\\.\KmxAgent

\\.\KmxAgent

\Windows Defender

\Windows Defender

MpClient.dll

MpClient.dll

____AVP.Root

____AVP.Root

avipc.dll

avipc.dll

\AVG\AVG9\dfncfg.dat

\AVG\AVG9\dfncfg.dat

\AVG\AVG9\dfmcfg.dat

\AVG\AVG9\dfmcfg.dat

kernel32.dll

kernel32.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

Server 2003 for Itanium64

Server 2003 for Itanium64

Server 2003 for AMD64

Server 2003 for AMD64

smime3.dll

smime3.dll

nss3.dll

nss3.dll

softokn3.dll

softokn3.dll

nssutil3.dll

nssutil3.dll

sqlite3.dll

sqlite3.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nspr4.dll

nspr4.dll

mozcrt19.dll

mozcrt19.dll

webmoney

webmoney

PK11_ListCerts

PK11_ListCerts

CERT_DestroyCertList

CERT_DestroyCertList

CERT_GetDefaultCertDB

CERT_GetDefaultCertDB

PORT_UCS2_UTF8Conversion

PORT_UCS2_UTF8Conversion

PORT_SetUCS2_ASCIIConversionFunction

PORT_SetUCS2_ASCIIConversionFunction

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

SEC_PKCS12AddPasswordIntegrity

SEC_PKCS12AddPasswordIntegrity

SEC_PKCS12CreatePasswordPrivSafe

SEC_PKCS12CreatePasswordPrivSafe

SEC_PKCS12AddCertAndKey

SEC_PKCS12AddCertAndKey

SEC_PKCS12DestroyExportContext

SEC_PKCS12DestroyExportContext

SEC_PKCS12CreateExportContext

SEC_PKCS12CreateExportContext

1234567890

1234567890

firefox

firefox

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

balance.htm

balance.htm

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

action=auth&np=&login=

action=auth&np=&login=

IW_FormName=fmLogin&IW_FormClass=TfmLogin

IW_FormName=fmLogin&IW_FormClass=TfmLogin

opera.dll

opera.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

Title: %s

Title: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s}}}

{{{%s}}}

Kernel32.dll

Kernel32.dll

\*.bk

\*.bk

ISClient.cfg

ISClient.cfg

interpro.ini

interpro.ini

rfk.zip

rfk.zip

pass_

pass_

login=

login=

password=

password=

ws2_32.dll

ws2_32.dll

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

path1.txt

path1.txt

inter.zip

inter.zip

cbsmain.dll

cbsmain.dll

bsi.dll

bsi.dll

vb_pfx_import

vb_pfx_import

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe

hXXp://

hXXp://

/knok.php?id=

/knok.php?id=

hXXp://beautifumortimer.com/knok.php?id=

hXXp://beautifumortimer.com/knok.php?id=

C:\temp_file_bin

C:\temp_file_bin

login

login

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

%d:TCP

%d:TCP

%d:TCP:*:Enabled:%d

%d:TCP:*:Enabled:%d

%Program Files%

%Program Files%

services.exe

services.exe

/socks.php?name=

/socks.php?name=

&port=

&port=

iexplore.exe

iexplore.exe

java.exe

java.exe

javaw.exe

javaw.exe

javaws.exe

javaws.exe

opera.exe

opera.exe

mnp.exe

mnp.exe

explorer.exe

explorer.exe

isclient.exe

isclient.exe

intpro.exe

intpro.exe

loadmain.exe

loadmain.exe

advapi32.dll

advapi32.dll

sks2xyz.dll

sks2xyz.dll

FilialRCon.dll

FilialRCon.dll

Wininet.dll

Wininet.dll

%Program Files%\Common Files\

%Program Files%\Common Files\

WinExec

WinExec

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegCloseKey

RegCloseKey

RegOpenKeyA

RegOpenKeyA

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

PFXExportCertStoreEx

PFXExportCertStoreEx

CertDuplicateCertificateContext

CertDuplicateCertificateContext

CertEnumCertificatesInStore

CertEnumCertificatesInStore

PFXImportCertStore

PFXImportCertStore

CertGetNameStringA

CertGetNameStringA

CertCloseStore

CertCloseStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertOpenStore

CertOpenStore

SHFileOperationA

SHFileOperationA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

DeleteUrlCacheEntry

DeleteUrlCacheEntry

InternetOpenUrlA

InternetOpenUrlA

6$6$6$6$6 6

6$6$6$6$6 6

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

CRYPT32.dll

CRYPT32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

MSVCRT.dll

MSVCRT.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

PSAPI.DLL

PSAPI.DLL

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

urlmon.dll

urlmon.dll

USER32.dll

USER32.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx

hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx

btnLogin

btnLogin

lself.cer

lself.cer

\secrets.key

\secrets.key

Explorer.EXE_1684_rwx_03171000_00001000:

Software\Policies\Microsoft\SystemCertificates\trust

Software\Policies\Microsoft\SystemCertificates\trust

%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My

%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My