contagio malware exchange: Kelihos strings

File: Kelihos_C94DC5C9BB7B99658C275B7337C64B33
MD5: c94dc5c9bb7b99658c275b7337c64b33
Size: 1220125

GET /index.htm HTTP/1.1
Host: 188.129.243.106
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0

..D.lUUE..H@.q..#.....K.zfgE0F.A..K.z.fI..-.(.-..Q..uN.6.}k.P.@.......,$6....`j.....=+....C& m. c...og...5...7E.L.........[j=.K.).o.....b...O..........?H..'C.......HTTP/1.1 200

Server: Apache
Content-Length: 229
Content-Type:
Last-Modified: .., 08 ... 2013 22:22:53 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Sun, 08 Sep 2013 22:22:53 GMT
Last-Modified:Sun, 08 Sep 2013 22:22:53 GMT
Accept-Ranges:bytes

.@....^b....6F"g...#.)..c...Is...*..S.6.r....c..?Z|G.t.n....(..<..G
.U...........
hF..\.J....4S.%..yXc.K.n..8V...0em..S.. ...|w.u ......o...:hV..8.u........-.s.....2^f....)HN. 'h....C..#y,..;j.0~..u.F.i..9
!R.J=..YU..C....gWHL-..

GET /search.htm HTTP/1.1
Host: 188.129.243.106
Content-Length: 1721
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
ERich
.text
`.idata
.rdata
@.data
.rsrc
NWVS
u7WPS
u&WVS
_^[]
t---------------------snip
{*v|u*v@w*v
x*vlz*v
n*vt}*v
.?AV_com_error@@
E1-,
HKCR
COMSVCS.ActivityUnmarshal.1 = s 'Activity Property Unmarshal Class'
CLSID = s '{ecabafaa-7f19-11d2-978e-0000f8757e2a}'
COMSVCS.ActivityUnmarshal = s 'Activity Property Unmarshal Class'
CurVer = s 'COMSVCS.ActivityUnmarshal.1'
NoRemove CLSID
ForceRemove {ecabafaa-7f19-11d2-978e-0000f8757e2a} = s 'Activity Property Unmarshal Class'
ProgID = s 'COMSVCS.ActivityUnmarshal.1'
VersionIndependentProgID = s 'COMSVCS.ActivityUnmarshal'
InprocServer32 = s '%MODULE%'
val ThreadingModel = s 'Both'
HKCR
COMSVCS.PartitionPropertyUnmarshal.1 = s 'Partition Property Unmarshal Class'
CLSID = s '{ecabafcc-7f19-11d2-978e-0000f8757e2a}'
COMSVCS.PartitionPropertyUnmarshal = s 'Partition Property Unmarshal Class'
CurVer = s 'COMSVCS.PartitionPropertyUnmarshal.1'
NoRemove CLSID
ForceRemove {ecabafcc-7f19-11d2-978e-0000f8757e2a} = s 'Partition Property Unmarshal Class'
ProgID = s 'COMSVCS.PartitionPropertyUnmarshal.1'
VersionIndependentProgID = s 'COMSVCS.PartitionPropertyUnmarshal'
InprocServer32 = s '%MODULE%'
val ThreadingModel = s 'Both'
HKCR
COMSVCS.TransactionUnmarshal.1 = s 'Transaction Property Unmarshal Class'
CLSID = s '{ecabafac-7f19-11d2-978e-0000f8757e2a}'
COMSVCS.TransactionUnmarshal = s 'Transaction Property Unmarshal Class'
CurVer = s 'COMSVCS.TransactionUnmar
D|jg
H(`e
~.F1
UK5 $
#;h5
ZnHQA
MmUrce
@MR5
BN<<M
-QS^
J-8,
9qrb
$y+V
oyHK
h>j2
sg I
Rb89'
54 'F
$y.V
oVHK
APV4
h,j2
n9p}b
3ve*
Up9p*
oQHK
APV0
hsj2
,y9pQs
rkSasdf
/xVt1:
Ax+j2
TJ?zU
1tf
Iq1:-pY
6TUl
s.XQv
R,E]"h
}\5#----------------------------snip
DZT.
|IJ=
KvTX
cG; (
QsUl4
H!bz
7b,^im
^4)G
M+B1
qZdy
l vE
ASzHF
vDog?x
i"@~
{KXw
@R^:S
kxb^
1ZWPs
Bh_tF
Oq7b=
y\Cg
AM,qTQ8c
$e<sj!
T>*i
G3['
[yuR\
$iX{tva
u$a!
N\YR
R)w)ff
4CDM
Z{|y
^$U1
w.K+@
#L;Cm
]-4"
"swl
N~B@/
82Oo
8h0K
*u$8t
mrUR?
sn$`W_t
"Oo{
}zMZ
qHxk
o,3^
F D|
1 k0
QjtM
YX2&
J^++
d6owM4
M!kO
,rCp4
)/'T
>/t<
j+S8
^nd.%s
AT^i
?d'=]1
sU`cv4
%^gE
9r^ u
K0C9
:{/}6
-r)e
/:Oh
B"Gd
GYiJ
uaFM
p8C1
J=j$t
YJwc
BNWfg
7X:v
Oy1-
Dx1-
"B_bd
TQi(
BOlnI

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjjj
jjjh
jjjj
jjjj
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Gemplus Cryptographic Service Provider
FileVersion
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
Inte
nalName
gpkcsp.dll
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
gpkcsp.dll
ProductName
Microsoft
Windows
Operating System
ProductVersion
5.2.3790.1830
VarFileInfo
Translation
Gemplus GemSAFE Card CSP v1.0
Gemplus GemSAFE Card
GemSAFE\x0\x0
0SOFTWARE\Gemplus\Cryptography\SmartCards\GemSAFE$Cannot load GUI library into memory.
<<<Obsolete>>
SubC
2Windows .NET PRS Catalog
OnAppActivation;OnAppShutdown;OnAppForceShutdown
OnThreadStart;OnThreadTerminate;OnThreadBindToApartment;OnThreadUnBind;OnThreadWorkEnque;OnThreadWorkPrivate;OnThreadWorkPublic;OnThreadWorkRedirect;OnThreadWorkReject;OnThreadAssignApartment;OnThreadUnassignApartment
OnObjectCreate;OnObjectDestroy
OnTransactionStart;OnTransactionPrepare;OnTransactionAbort;OnTransactionCommit
OnMethodCall;OnMethodReturn;OnMethodException
OnObjectActivate;OnObjectDeactivate;OnDisableCommit;OnEnableCommit;OnSetComplete;OnSetAbort
OnUserEvent
OnAuthenticate;OnAuthenticateFail
OnResourceCreate;OnResourceAllocate;OnResourceRecycle;OnResourceDestroy;OnResourceTrack
OnObjPoolPutObject;OnObjPoolGetObject;OnObjPoolRecycleToTx;OnObjPoolGetFromTx
OnObjPoolCreateObject;OnObjPoolDestroyObject;OnObjPoolCreateDecision;OnObjPoolTimeout;OnObjPoolCreatePool
OnObjectConstruct
OnActivityCreate;OnActivityDestroy;OnActivityEnter;OnActivityTimeout;OnActivityReenter;OnActivityLeave;OnActivityLeaveSame
OnIISRequestInfo
OnQCRecord;OnQCQueueOpen;OnQCReceive;OnQCReceiveFail;OnQCMoveToReTryQueue;OnQCMoveToDeadQueue;OnQCPlayback
OnExceptionUser
OnCRMRecoveryStart;OnCRMRecoveryDone;OnCRMCheckpoint;OnCRMBegin;OnCRMPrepare;OnCRMCommit;OnCRMAbort;OnCRMIndoubt;OnCRMDone;OnCRMRelease;OnCRMAnalyze;OnCRMWrite;OnCRMForget;OnCRMForce;OnCRMDeliver
OnMethodCall2;OnMethodReturn2;OnMethodException2
OnAppActivation2;OnAppShutdown2;OnAppForceShutdown2;OnAppPaused2;OnAppRecycle2
OnTransactionStart2;OnTransactionPrepare2;OnTransactionAbort2;OnTransactionCommit2
OnObjectCreate2;OnObjectDestroy2
OnObjPoolPutObject2;OnObjPoolGetObject2;OnObjPoolRecycleToTx2;OnObjPoolGetFromTx2
@OnObjectConstruct2
REGISTRY
TYPELIB
MOFDATA
COSMOFRESOURCE
WEVT_TEMPLATE
Microsoft-Windows-Wininit/Diagnostic
System
EventData
Data
Name
Win32Status
Win32Status
EventData
Data
Name
SessionId
Data
Name
Flags
SessionId
Flags
EventData
Data
Name
SessionId
Data
Name
IsRemote
Data
Name
GracePeriod
Data
Name
Flags
Data
Name
Reason
Data
Name
Message
SessionId
IsRemote
GracePeriod
Flags
Reason
Message
EventData
Data
Name
Flags
Flags
EventData
Data
Name
StringCount
Data
Name
String
StringCount
String
win:Info
win:Start
win:Stop
win:Warning
win:Informational
WaitForWinstationShutdown
PreShutdownNotification
WaitForSystemProcesses
ShutdownSystemRestore
ShutdownWindows
NtShutdownSystem
SentLogoffRequest
ReceivedShutdownRequest
ShutdownDiagnostics
PerfInstrumentation
PerfDiagnostics
win:EventlogClassic
VS_VERSION_INFO
StringFileInf
040904B0
CompanyName
Microsoft Corporation
FileDescription
Windows Start-Up Application
FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)
InternalName
WinInit
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
WinInit.exe
ProductName
Microsoft
Windows
Operating System
ProductVersion
6.1.7600.16385
VarFileInfo
Translation
WEVT_TEMPLATE
en-US

About contagio exchange

Sunday, September 8, 2013

Kelihos strings - CRIME