HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Zbot.15 (B) (Emsisoft), Gen:Variant.Zbot.15 (AdAware), Shiz.YR, Sinowal.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Backdoor
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: ea805843d32cbea341ce6e796599db85
SHA1: 177e0844dfab6470bb3c670b3cd5df0fddf678b6
SHA256: ef8db9d910908644084bd0f63d5c6ea3b07d79960c1170c1f4f6015514c4300f
SSDeep: 3072:pxG5Er7 qD/mfP/BnY F0Su7n7yQX7dPzKSvk:pxh9O1l6SkZs
Size: 101376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AKorea
Created at: 2000-06-25 06:33:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1988
The Trojan injects its code into the following process(es):
services.exe:764
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 22 1A 33 11 24 9E 62 B0 F0 6B C1 2A E2 B1 54"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1988
- Delete the original Trojan file.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Svxruw Uwzyhjm Owipnut Xtpnusy
Product Name: Fdkip Anlsq
Product Version: 0.2.5.1
Legal Copyright: Wyhkm
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.1.7.8
File Description: Xpuvqw Utign Fuovtbi Dkipt
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 29855 | 30208 | 5.18662 | 74b88f46604ee78a5a6b365595e15b4a |
| .data | 36864 | 60016 | 60416 | 4.94398 | 45f6076214648553307c4f2e7ef4126e |
| .idata | 98304 | 1366 | 1536 | 3.19634 | 340ff712aad3815a7109ad7db87d516a |
| .rsrc | 102400 | 8164 | 8192 | 5.01446 | 70974b91b1d2477a08b312a799ca5e00 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
hXXp://
hXXp://
/knok.php?id=
/knok.php?id=
hXXp://beautifumortimer.com/knok.php?id=
hXXp://beautifumortimer.com/knok.php?id=
C:\temp_file_bin
C:\temp_file_bin
login
login
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
%d:TCP
%d:TCP
%d:TCP:*:Enabled:%d
%d:TCP:*:Enabled:%d
%Program Files%
%Program Files%
services.exe
services.exe
/socks.php?name=
/socks.php?name=
&port=
&port=
iexplore.exe
iexplore.exe
java.exe
java.exe
javaw.exe
javaw.exe
javaws.exe
javaws.exe
opera.exe
opera.exe
mnp.exe
mnp.exe
explorer.exe
explorer.exe
isclient.exe
isclient.exe
intpro.exe
intpro.exe
loadmain.exe
loadmain.exe
advapi32.dll
advapi32.dll
sks2xyz.dll
sks2xyz.dll
FilialRCon.dll
FilialRCon.dll
Wininet.dll
Wininet.dll
%Program Files%\Common Files\
%Program Files%\Common Files\
WinExec
WinExec
GetProcessHeap
GetProcessHeap
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegFlushKey
RegFlushKey
RegCloseKey
RegCloseKey
RegOpenKeyA
RegOpenKeyA
CertOpenSystemStoreA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
PFXExportCertStoreEx
PFXExportCertStoreEx
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertEnumCertificatesInStore
PFXImportCertStore
PFXImportCertStore
CertGetNameStringA
CertGetNameStringA
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
SHFileOperationA
SHFileOperationA
URLDownloadToFileA
URLDownloadToFileA
GetKeyboardState
GetKeyboardState
GetKeyState
GetKeyState
DeleteUrlCacheEntry
DeleteUrlCacheEntry
InternetOpenUrlA
InternetOpenUrlA
6$6$6$6$6 6
6$6$6$6$6 6
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.dll
ADVAPI32.dll
CRYPT32.dll
CRYPT32.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
MSVCRT.dll
MSVCRT.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
PSAPI.DLL
PSAPI.DLL
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
urlmon.dll
urlmon.dll
USER32.dll
USER32.dll
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin
btnLogin
lself.cer
lself.cer
\secrets.key
\secrets.key
Explorer.EXE_1684_rwx_03171000_00001000:
Software\Policies\Microsoft\SystemCertificates\trust
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My