Shiz_080493ff49

Susp_Dropper (Kaspersky), Trojan.Generic.KDV.384775 (B) (Emsisoft), Trojan.Generic.KDV.384775 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

winlogon.exe_708_rwx_01D70000_000C3000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

SYSTEM!XP3!F9BE9A8A

SYSTEM!XP3!F9BE9A8A

%Documents and Settings%\%current user%\Application Data\

%Documents and Settings%\%current user%\Application Data\

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

`.data

`.data

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

Explorer.EXE_880_rwx_01E50000_0005B000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

Explorer.EXE_880_rwx_01EF0000_0006A000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

ADM!XP3!F9BE9A8A

ADM!XP3!F9BE9A8A

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.ffffff00

MSCTF.Shared.MUTEX.ffffff00

%Documents and Settings%\%current user%\Application Data\

%Documents and Settings%\%current user%\Application Data\

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_956_rwx_00ED0000_0005B000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_956_rwx_00F30000_0006A000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

SYSTEM!XP3!F9BE9A8A

SYSTEM!XP3!F9BE9A8A

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.ffffff00

MSCTF.Shared.MUTEX.ffffff00

%System%\config\systemprofile\Application Data\

%System%\config\systemprofile\Application Data\

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1020_rwx_00AC0000_0005B000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1020_rwx_00B60000_0006A000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

NETWORKSERVICE!XP3!F9BE9A8A

NETWORKSERVICE!XP3!F9BE9A8A

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.ffffff00

MSCTF.Shared.MUTEX.ffffff00

%Documents and Settings%\NetworkService\Application Data\

%Documents and Settings%\NetworkService\Application Data\

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1104_rwx_02BD0000_0005B000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1104_rwx_02C30000_0006A000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

SYSTEM!XP3!F9BE9A8A

SYSTEM!XP3!F9BE9A8A

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.fffffe00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.ffffff00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MAPPING.fffffd00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.fffffe00

MSCTF.Shared.MUTEX.ffffff00

MSCTF.Shared.MUTEX.ffffff00

%Documents and Settings%\NetworkService\Application Data\

%Documents and Settings%\NetworkService\Application Data\

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1156_rwx_00860000_0005B000:

.text

.text

`.data

`.data

.reloc

.reloc

`.rdata

`.rdata

@.data

@.data

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

cbsmain.dll

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

FilialRCon.dll

ISClient.cfg

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

rfk.zip

client.zip

client.zip

path_client.txt

path_client.txt

path_keys.txt

path_keys.txt

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

Agava_Client.exe

KeysDiskPath

KeysDiskPath

Agava_Client.ini

Agava_Client.ini

Agava_keys

Agava_keys

keys_path.txt

keys_path.txt

mespro.dll

mespro.dll

AddPSEPrivateKeyEx

AddPSEPrivateKeyEx

core.exe

core.exe

data\id.dbf

data\id.dbf

\data\id.dbf

\data\id.dbf

keys%i.zip

keys%i.zip

path%i.txt

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

winmm.dll

winmm.dll

%s\%s

%s\%s

LibVNCServer 0.9.7

LibVNCServer 0.9.7

%s (%s)

%s (%s)

d/d/d d:d

d/d/d d:d

password check failed!

password check failed!

WinSCard.dll

WinSCard.dll

SensApi.dll

SensApi.dll

GetTcpTable

GetTcpTable

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

MSVCRT.dll

MSVCRT.dll

PSAPI.DLL

PSAPI.DLL

NETAPI32.dll

NETAPI32.dll

DNSAPI.dll

DNSAPI.dll

HttpQueryInfoA

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryA

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

MapVirtualKeyW

MapVirtualKeyW

SetKeyboardState

SetKeyboardState

EnumChildWindows

EnumChildWindows

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegEnumKeyExA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

?456789:;<=

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

MSCTF.Shared.MAPPING.%x

MSCTF.Shared.MAPPING.%x

Desk_%u%x

Desk_%u%x

MSCTF.Shared.MUTEX.%x

MSCTF.Shared.MUTEX.%x

.Prev

.Prev

.current

.current

1-191j1w1}1

1-191j1w1}1

?"?(?-?~?

?"?(?-?~?

;-;5;=;^;|;

;-;5;=;^;|;

7"7)7\7~7

7"7)7\7~7

6 6$6(6,6064686

6 6$6(6,6064686

mavast.com

mavast.com

ya.ru

ya.ru

serverkey.dat

serverkey.dat

\windows\

\windows\

svchost.exe_1156_rwx_00900000_0006A000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

<>http

<>http

PSShL

PSShL

SSShp

SSShp

tUSSSh

tUSSSh

SSShp;

SSShp;

SSSh0

SSSh0

SSShpk

SSShpk

SSShpF

SSShpF

t9SSSh

t9SSSh

u1SSShP

u1SSShP

name.key

name.key

\secrets.key

\secrets.key

sign.key

sign.key

kernel32.dll

kernel32.dll

\explorer.exe

\explorer.exe

user32.dll

user32.dll

multi_pot.exe

multi_pot.exe

HookExplorer.exe

HookExplorer.exe

proc_analyzer.exe

proc_analyzer.exe

sckTool.exe

sckTool.exe

sniff_hit.exe

sniff_hit.exe

sysAnalyzer.exe

sysAnalyzer.exe

idag.exe

idag.exe

ollydbg.exe

ollydbg.exe

dumpcap.exe

dumpcap.exe

wireshark.exe

wireshark.exe

C:\iDEFENSE

C:\iDEFENSE

\\.\NPF_NdisWanIp

\\.\NPF_NdisWanIp

avp.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

%s!%s!X

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows nt\currentversion\winlogon

software\microsoft\windows\currentversion\run

software\microsoft\windows\currentversion\run

\winlogon.exe

\winlogon.exe

sysinfo.log

sysinfo.log

scr.bmp

scr.bmp

minidump.bin

minidump.bin

%d.%d.%d.%d

%d.%d.%d.%d

Ý %dh %dm

Ý %dh %dm

%s:%d

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

Software\Microsoft\Internet Explorer\TypedURLs

url%i

url%i

4.4.10

4.4.10

%dx%d@%d

%dx%d@%d

%c%d:d

%c%d:d

{Windows directory:

{Windows directory:

links.log

links.log

\History.IE5\index.dat

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

\Opera\Opera\typed_history.xml

avast.com

avast.com

93.191.13.100

93.191.13.100

drweb

drweb

eset.com

eset.com

z-oleg.com

z-oleg.com

kltest.org.ru

kltest.org.ru

.comodo.com

.comodo.com

google.com

google.com

Dnsapi.dll

Dnsapi.dll

ws2_32.dll

ws2_32.dll

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

/login.php

ntdll.dll

ntdll.dll

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

Global\HighMemoryEvent_x

Global\HighMemoryEvent_x

explorer.exe

explorer.exe

1.2.5

1.2.5

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

Winmm.dll

Winmm.dll

Kernel32.dll

Kernel32.dll

Gdi32.dll

Gdi32.dll

http://

http://

https://

https://

HTTP/1.

HTTP/1.

nspr4.dll

nspr4.dll

PR_OpenTCPSocket

PR_OpenTCPSocket

[[[URL: %s

[[[URL: %s

Process: %s

Process: %s

User-agent: %s]]]

User-agent: %s]]]

{{{%s

{{{%s

Crypt32.dll

Crypt32.dll

CertVerifyCertificateChainPolicy

CertVerifyCertificateChainPolicy

Wininet.dll

Wininet.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestW

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

set_url

set_url

microsoft.public.win32.programmer.kernel

microsoft.public.win32.programmer.kernel

\iexplore.exe

\iexplore.exe

keygrab

keygrab

u.bmp

u.bmp

\\.\PhysicalDrive%u

\\.\PhysicalDrive%u

/topic.php

/topic.php

keylog.txt

keylog.txt

passwords.txt

passwords.txt

%s%u.zip

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Referer: http://www.google.com

Referer: http://www.google.com

Content-Type: multipart/form-data; boundary=---------------------------%s

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.bing.com

www.microsoft.com

www.microsoft.com

frd.exe

frd.exe

command=config&update_url=

command=config&update_url=

/search.php

/search.php

&port=

&port=

command=load&url=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\chrome.exe

\svchost.exe

\svchost.exe

\java.exe

\java.exe

\javaw.exe

\javaw.exe

\javaws.exe

\javaws.exe

\opera.exe

\opera.exe

\firefox.exe

\firefox.exe

\maxthon.exe

\maxthon.exe

\avant.exe

\avant.exe

\mnp.exe

\mnp.exe

\safari.exe

\safari.exe

\netscape.exe

\netscape.exe

\tbb-firefox.exe

\tbb-firefox.exe

\frd.exe

\frd.exe

\isclient.exe

\isclient.exe

\ipc_full.exe

\ipc_full.exe

\intpro.exe

\intpro.exe

\cbsmain.dll

\cbsmain.dll

\clmain.exe

\clmain.exe

\core.exe

\core.exe

\rundll32.exe

\rundll32.exe

\notepad.exe

\notepad.exe

\cbank.exe

\cbank.exe

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|

%s.dbf

%s.dbf

%s.DBF

%s.DBF

j_password=

j_password=

pass.log

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edClientLogin=

edUserLogin=

edUserLogin=

edPassword=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

&LOGIN_AUTHORIZATION_CODE=

login=

login=

password=

password=

pass_

pass_

advapi32.dll

advapi32.dll

path.txt

path.txt

keys.zip

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.bmp

%s\d.bmp

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

keys

private.txt

private.txt

public.txt

public.txt

\*.key

\*.key

\self.cer

\self.cer

self.cer

self.cer

self.pub

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.exe

ctunnel.zip

ctunnel.zip

path_ctunnel.txt

path_ctunnel.txt

header.key

header.key

keys99

keys99

\header.key

\header.key

masks2.key

masks2.key

\masks2.key

\masks2.key

masks.key

masks.key

\masks.key

\masks.key

\name.key

\name.key

primary2.key

primary2.key

\primary2.key

\primary2.key

primary.key

primary.key

\primary.key

\primary.key

keys99.zip

keys99.zip

path99.txt

path99.txt

bsi.dll

bsi.dll

&domain=letitbit.net&

&domain=letitbit.net&

cc.txt

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

prv_key.pfx

keys\

keys\

sign.cer

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

sks2xyz.dll

vb_pfx_import

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

secret.key

pubkeys.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

path1.txt

inter.zip

inter.zip

interpro.ini

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}