ThreatExpert Report: Suspicious.MH690, Mal/FakeVirPk-A, Mal/FakeVirPk-A, Mal/TibsPk-A, Generic..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 12 March 2009, 07:42:15
Processing time: 12 min 36 sec
Submitted sample:

File MD5: 0xB0F84299C2F30DCDF64F68591A8A862F
File SHA-1: 0x8278D16F980133605D4C1B59AA1FA07C7ED62C4E
Filesize: 489,984 bytes
Alias:

Suspicious.MH690 [Symantec]
Mal/FakeVirPk-A [Sophos]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.FakeAlert	Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.
Trojan-Downloader.Agent	Trojan.Downloader.Agent downloads and installs other malware onto infected machine.
Backdoor.UltimateDefender.GVW	Backdoor.UltimateDefender.GVW runs in the background and allows remote access to the infected machine. It also attempts to download and execute other malicious files onto the compromised system.
Trojan-Clicker.Osewlone	Trojan-Clicker.Osewlone is a trojan that silently runs in the background and connects to predetermined websites to increase the hit counter.
Backdoor.Hupigon.GEN	Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers.
Backdoor.Hupigon	Backdoor.Hupigon is a backdoor trojan which allows unauthorized remote access into the infected computer to perform other malicious activities.
Backdoor.UltimateDefender	Backdoor.UltimateDefender runs in the background and allows remote access to the infected machine. It also attempts to download and execute other malicious files onto the compromised system.
Trojan-Spy.Zbot	Trojan-Spy.Zbot is a rootkit trojan which steals online banking information and downloads other malware as well. It opens backdoors on infected computer to allow malicious attacker unauthorized access.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\config.cfg	27 bytes	MD5: 0x70B66FFE5F1498AC5F3D26058DC73CAC SHA-1: 0x6BAC97F1F27CAB8F0D9A6001D477FCEA2B71BC0D	(not available)
2	%AppData%\~tmp.html	41,218 bytes	MD5: 0x80342563904C5C68D2B6CC556E2A3CF6 SHA-1: 0x0376F447EDCDE08DAAAB6575699329013EC48F53	(not available)
3	%AppData%\Microsoft\Wallpaper1.bmp	1,440,054 bytes	MD5: 0x2D5DC225AAA06D925031AC3FC28C66A0 SHA-1: 0x2951D9EFEC32FB990E6234408247692040202778	(not available)
4	%Temp%\1_dropper_286962.exe	44,064 bytes	MD5: 0xD3244D17ADB1D6EFA6C821168B0E805C SHA-1: 0xC42F1F4D5628FB3605F6F4EC708A8B75C9A1A571	Suspicious.MH690 [Symantec] Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
5	%Temp%\4_jmm7.exe	38,912 bytes	MD5: 0x7451E806AE38AD62B84FEA5D07F43927 SHA-1: 0x365B1614F228D9010A3156378975863A26D68870	Generic Dropper.dn [McAfee] Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
6	%Temp%\5_odb.exe %Windir%\odb.exe	233,472 bytes	MD5: 0xDEFBD69BA80DCDB310F9DA90C1F56FBC SHA-1: 0xB79EA19B0CD1B7C3E289B971AC9115243D93DEE9	Generic Dropper.dn [McAfee] Mal/FakeVirPk-A [Sophos]
7	%Temp%\60325cahp25ca0.exe %System%\wsnpoem\audio.dll	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
8	%Temp%\6_ldr.exe	49,152 bytes	MD5: 0xE624C3B0853F37F7767AF72F3CF06992 SHA-1: 0xEA7EAC891F083CB1EF2DFBC0D606E98613148A59	Suspicious.MH690 [Symantec] Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
9	%Temp%\avto.exe %Windir%\svc.exe	232,448 bytes	MD5: 0x21F88C15E9306721E628E70E12A19DE9 SHA-1: 0x8F165A622F47C62E71818F5A4E93ABC6F0BDB1F9	(not available)
10	%Temp%\avto1.exe %Windir%\svw.exe	232,960 bytes	MD5: 0x2DC003B5B81652DB42D81FB6A320E9A7 SHA-1: 0x202BCE2AE80BFF2A8CCA17A790A4352496850275	(not available)
11	%Temp%\avto2.exe %Windir%\svx.exe	232,960 bytes	MD5: 0x81F54190488088C07FA9A38E4C8CD4B6 SHA-1: 0x78C9DCE2F1E4AD1CF8B7D07BF5CD56D9BEBCCB53	(not available)
12	%Temp%\avto3.exe %Windir%\wdmon.exe	232,960 bytes	MD5: 0x73B578453DAC2AABD1BB827BB2C4A09E SHA-1: 0xEF7AE8F113FCC2537AF476A0628E6BF984425AE2	(not available)
13	%Temp%\avto4.exe %Windir%\vlc.exe	232,960 bytes	MD5: 0x503A246B2A13AB705844C9B6F8C5EE5A SHA-1: 0xA79F2F04A0EFC13908E4126238CDC5FCBA934C2A	(not available)
14	%Temp%\pinnew.exe	34,304 bytes	MD5: 0xA1CE86BAF10ED3BCC647B141D7C83597 SHA-1: 0x59C16CA12D1498322C97BE8F40EA11CEAF36B98C	(not available)
15	%Temp%\q1.exe	230,400 bytes	MD5: 0xC19100E79000E83096AB81673E124B0D SHA-1: 0x53E6E10D67041B5539B32F80F35E85A4E008D437	Suspicious.MH690 [Symantec]
16	%Temp%\q2.exe	230,400 bytes	MD5: 0x4420F705FF9B2855195C50E1B2D5EBCB SHA-1: 0xD3998A988F4CB6B4D9F31207B258868FF7AF993D	(not available)
17	%Temp%\q3.exe	230,912 bytes	MD5: 0x6F28348237B4D8DBCF83B63AEDC6BC26 SHA-1: 0x668AD2DE8B350E414E1B44036928F7682BAD1391	(not available)
18	%Temp%\q4.exe	230,400 bytes	MD5: 0xCA6E4F6816D6416F67943CA4F61CA1F9 SHA-1: 0xB70D1D484232E3017D6B40CC979D26FDE242215E	(not available)
19	%Temp%\q5.exe	230,912 bytes	MD5: 0x50841AC4062794E753CB69DBC23135F7 SHA-1: 0xED593F00D2FD21AA39FA6615E3D172E884FC3B34	(not available)
20	%Temp%\q6.exe	230,912 bytes	MD5: 0xF1CC13CF2D8FFF61CE7AC86BAB73A291 SHA-1: 0x5605F9608D6FC269FFF86AE5258490F39A9BCADC	(not available)
21	%Temp%\q7.exe	230,400 bytes	MD5: 0x49F51488DC6916B540F45C4C73BECBC9 SHA-1: 0x78B5E3EF73EDF78F4353C194DB9F717832CFD7CF	(not available)
22	%Temp%\q8.exe	230,400 bytes	MD5: 0x3C8EDF246D04E3CDA1FAF45B91CEB8FA SHA-1: 0xEE0439C48ED3114D0F40F17D98CD3673C7FF98F5	(not available)
23	%Temp%\q9.exe	230,912 bytes	MD5: 0x960847024097D9C483882C04B0785A95 SHA-1: 0x16DA1B35B6336E0523CD36A9095F4006D94EF326	(not available)
24	%Temp%\teste1_p.exe %Windir%\svhoster.exe	279,552 bytes	MD5: 0x86D10BB526608666D7A937DD7DA1092B SHA-1: 0x56C8877CBFC5FF4FF85D28F7947DE2B65548D6FD	(not available)
25	%Temp%\teste2_p.exe %Windir%\svzip.exe	281,088 bytes	MD5: 0x2B7D0D521D8E8F6D02295C10FEB4ACBC SHA-1: 0x7B851C8576002167547A39D2108D42708E63849E	(not available)
26	%Temp%\teste3_p.exe %Windir%\sv.exe	281,088 bytes	MD5: 0xA36E453AD9FE0CC7AB9B3CC5CF821A78 SHA-1: 0xA9E6F669426F6C550F8A1A95B8476598CC877571	(not available)
27	%Temp%\teste4_p.exe %Windir%\runsql.exe	281,088 bytes	MD5: 0x529CC0BDA8394DD930931C11EF736A67 SHA-1: 0xBA6CE733DC058DCC966A7C0253F2188897434856	(not available)
28	%Temp%\wndutl32.dll	14,848 bytes	MD5: 0x14D4B994516E407A80C8AC452148A33A SHA-1: 0xB3D2665B4BE56E88FD498958E556487F620683E4	Trojan.Fakeavalert [Symantec] Hoax.Win32.Renos.vbrl [Kaspersky Lab] Generic Downloader.x [McAfee] Mal/Padodor-B [Sophos] Trojan-Downloader.Win32.Renos [Ikarus]
29	%Windir%\Plakafaripecil.dll	38,912 bytes	MD5: 0xDEC7EF8A53547B85F0183751334F36A1 SHA-1: 0x2A99043572A4075CE8F620099D16F6C95A97F381	Generic Dropper.dn [McAfee] Mal/FakeVirPk-A, Mal/TibsPk-A [Sophos]
30	%System%\13441600.dat	109 bytes	MD5: 0x2D5442D8E8F6FE0A05F620CF97D748A7 SHA-1: 0x0395CF02A6B0C92A54FF53DAAA804730C2681AB3	(not available)
31	%System%\adsldpcf.exe	40,960 bytes	MD5: 0xC07CC31A599AA5118A22C122D39BFAE8 SHA-1: 0xD809CFC909E22EE522ECA82CE0516C021E2EDB17	Suspicious.MH690 [Symantec] Mal/FakeVirPk-A, Mal/TibsPk-A, Mal/Basine-C [Sophos]
32	%System%\ntos.exe	464,384 bytes	MD5: 0xC4BC2399F272EBC34CF08E3F3EFA2078 SHA-1: 0x62321C0D9ECB8B4A3C12D0C09B1123B371B1C09D	Suspicious.MH690 [Symantec] Mal/FakeVirPk-A [Sophos]
33	[file and pathname of the sample #1]	489,984 bytes	MD5: 0xB0F84299C2F30DCDF64F68591A8A862F SHA-1: 0x8278D16F980133605D4C1B59AA1FA07C7ED62C4E	Suspicious.MH690 [Symantec] Mal/FakeVirPk-A [Sophos]
34	%System%\wsnpoem\video.dll	2,261 bytes	MD5: 0x905DFAB98B33E750BF78C8B29765279B SHA-1: 0xA3B6ABA15B235DED4590B247D5DE54AA252BCCEB	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\wsnpoem

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\Software\wndantv
HKEY_CURRENT_USER\SYSTEM
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32]

(Default) = "%Temp%\wndutl32.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}]

(Default) = "%Temp%\wndutl32.dll"
Apartment = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

UpdateWin = "%System%\adsldpcf.exe"

[[pathname with a string SHARE]\SharedTaskScheduler]

IPC Configuration Utility = "IPC Configuration Utility"
{020487CC-FC04-4B1E-863F-D9801796230B} = "Windows Installer Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

NoChangingWallpaper = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

odb = "%Windir%\odb.exe"
Pwulinubesida = "rundll32.exe "%Windir%\Plakafaripecil.dll",e"
UpdateWin = "%System%\adsldpcf.exe"
runsql = "%Windir%\runsql.exe"
netzip = "%Windir%\svzip.exe"
netsv32 = "%Windir%\sv.exe"
net64 = "%Windir%\svhoster.exe"
netw = "%Windir%\svw.exe"
netx = "%Windir%\svx.exe"
wdmon = "%Windir%\wdmon.exe"
vlc = "%Windir%\vlc.exe"
netc = "%Windir%\svc.exe"

so that odb.exe runs every time Windows starts

so that Plakafaripecil.dll runs every time Windows starts

so that adsldpcf.exe runs every time Windows starts

so that runsql.exe runs every time Windows starts

so that svzip.exe runs every time Windows starts

so that sv.exe runs every time Windows starts

so that svhoster.exe runs every time Windows starts

so that svw.exe runs every time Windows starts

so that svx.exe runs every time Windows starts

so that wdmon.exe runs every time Windows starts

so that vlc.exe runs every time Windows starts

so that svc.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab]

Sheqid = "54"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

UpdateWin = "%System%\adsldpcf.exe"

so that adsldpcf.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]

UID = "%ComputerName%_00048643"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]

UpdateWin = "%System%\adsldpcf.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]

{F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D
{02FFAC45-0B10-5633-4296-1801F1A36678} = FD 0C F2 0E

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

userinit = "%System%\ntos.exe"

so that ntos.exe runs every time Windows starts

[HKEY_CURRENT_USER\Control Panel\Desktop]

ConvertedWallpaper = "%AppData%\~tmp.html"
ConvertedWallpaper Last WriteTime = C0 1E 79 29 29 A3 C9 01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]

BackupWallpaper = "%USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Wallpaper = "%APPDATA%\~tmp.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoSetActiveDesktop = 0x00000001
NoActiveDesktopChanges = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

NoChangingWallpaper = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001

to prevent users from starting Task Manager (Taskmgr.exe)

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

UpdateWin = "%System%\adsldpcf.exe"

so that adsldpcf.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

UpdateWin = "%System%\adsldpcf.exe"

so that adsldpcf.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

UpdateWin = "%System%\adsldpcf.exe"

[HKEY_CURRENT_USER\Software\wndantv]

wmid = "308"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]

UpdateWin = "%System%\adsldpcf.exe"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
203.26.28.144	80
64.86.133.58	80
64.86.133.59	80
64.86.16.8	80
72.232.117.84	80
72.233.50.144	80

The data identified by the following URLs was then requested from the remote web server:

http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
http://yourcatfree.cn/trashes/cfg.bin
http://theyourbest.cn/rssfeederd/stat1.php?1=computername_00048643&i=
http://theyourbest.cn/rssfeederd/stat1.php?2=computername_00048643&n=1&v=16777991&i=&s=0&sp=0&lcp=0&pr=0
http://hypertds.com/gate/gate.php
http://tryourteam.cn/robo/robo.php?r=5
http://tryourteam.cn/robo/robo.php?r=6
http://tryourteam.cn/robo/robo.php?r=1
http://tryourteam.cn/robo/files/tasks/AC
http://tryourteam.cn/robo/robo.php?r=4
http://tryourteam.cn/robo/f/123.exe
http://lafastfind.com/s/exx.php
http://greatinstant.net/s/exx.php
http://justimportant.com/s/exx.php
http://estplanete.com/s/exx.php
http://yourseekerz.com/s/exx.php
http://cutrecord.in/scripts/index.php

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

00000000 | 5A78 3134 7153 4E61 4D45 3546 654C 6951 | Zx14qSNaME5FeLiQ
00000010 | 7346 4368 6469 376C 574F 3678 0D0A 4979 | sFChdi7lWO6x..Iy
00000020 | 555A 634C 4A6E 756E 4377 6456 7870 736D | UZcLJnunCwdVxpsm
00000030 | 6159 5451 6A72 7335 6163 6374 4A74 6179 | aYTQjrs5acctJtay
00000040 | 7245 6933 6D78 5A47 7A47 4652 4167 2F47 | rEi3mxZGzGFRAg/G
00000050 | 4736 3650 572F 334E 4D73 6942 742B 3647 | G66PW/3NMsiBt+6G
00000060 | 5474 5869 6370 0D0A 592F 584F 7666 6349 | TtXicp..Y/XOvfcI
00000070 | 6241 7474 4A6D 4670 6339 6B65 5769 6449 | bAttJmFpc9keWidI
00000080 | 7A4F 6433 5A6E 6D38 6E55 5973 6275 7172 | zOd3Znm8nUYsbuqr
00000090 | 5659 4D63 666A 484E 796C 6435 5A30 776B | VYMcfjHNyld5Z0wk
000000A0 | 5155 5254 5446 5230 6350 7731 436C 3976 | QURTTFR0cPw1Cl9v
000000B0 | 0D0A 5A47 4934 6353 386A 4F4B 544A 3866 | ..ZGI4cS8jOKTJ8f
000000C0 | 756E 6E72 2F6B 616C 4E51 4A47 7451 7A70 | unnr/kalNQJGtQzp
000000D0 | 5253 306D 6C7A 4977 2B38 4949 6668 636E | RS0mlzIw+8IIfhcn
000000E0 | 5675 4A58 436A 4569 7838 6834 4E35 4C79 | VuJXCjEix8h4N5Ly
000000F0 | 4968 2B57 574A 6A77 5930 0D0A 587A 5537 | Ih+WWJjwY0..XzU7
00000100 | 7669 4D7A 3345 6379 7566 4938 5169 6E34 | viMz3EcyufI8Qin4
00000110 | 6356 5935 4E62 6734 6A64 4533 4736 4932 | cVY5Nbg4jdE3G6I2
00000120 | 4E30 5131 626F 6730 3352 457A 7569 4D79 | N0Q1bog03REzuiMy
00000130 | 6450 4561 4953 3138 3558 4530 7838 4A33 | dPEaIS185XE0x8J3
00000140 | 3753 4E34 0D0A 5958 5956 6447 3830 4F4C | 7SN4..YXYVdG80OL
00000150 | 736A 4D33 3547 4D76 3375 4E45 4D72 7551 | sjM35GMv3uNEMruQ
00000160 | 4933 444E 6E35 7978 7845 5477 7869 2F78 | I3DNn5yxxETwxi/x
00000170 | 506E 5773 554D 7067 5970 496D 7865 5767 | PnWsUMpgYpImxeWg
00000180 | 7869 6C43 4F58 6D73 554D 7069 6370 0D0A | xilCOXmsUMpicp..
00000190 | 5069 2B47 6232 4E31 5341 6475 6448 4D67 | Pi+Gb2N1SAdudHMg
000001A0 | 5956 7444 4A64 6566 5638 6462 326A 3153 | YVtDJdefV8db2j1S
000001B0 | 6544 667A 7A43 424E 7955 5231 5472 3953 | eDfzzCBNyUR1Tr9S
000001C0 | 6378 514C 6458 414E 5233 5556 674C 4170 | cxQLdXANR3UVgLAp
000001D0 | 4468 426C 3445 7266 0D0A 4478 4261 3658 | DhBl4Erf..DxBa6X
000001E0 | 4156 6547 7268 5157 7A46 4945 646B 4E52 | AVeGrhQWzFIEdkNR
000001F0 | 576A 346F 4245 5A57 5A68 6453 7073 6442 | Wj4oBEZWZhdSpsdB
00000200 | 6D48 4742 524D 7042 6468 624A 6C50 4752 | mHGBRMpBdhbJlPGR
00000210 | 6743 6255 364C 726D 727A 4E68 7130 3848 | gCbU6LrmrzNhq08H
00000220 | 7057 0D0A 494B 3036 5541 514D 417A 3149 | pW..IK06UAQMAz1I
00000230 | 6752 5356 6E47 6956 756A 6750 484A 516F | gRSVnGiVujgPHJQo
00000240 | 7367 5757 4445 4D49 7941 5A35 4351 3869 | sgWWDEMIyAZ5CQ8i
00000250 | 436D 7343 3638 3545 5243 3577 3447 2F5A | CmsC685ERC5w4G/Z
00000260 | 4352 526B 6E42 4674 4847 4563 0D0A 6152 | CRRknBFtHGEc..aR
00000270 | 6C75 4857 4D4D 5165 4132 3444 6E67 5275 | luHWMMQeA24DngRu
00000280 | 4177 7941 3034 7448 5764 4833 6769 6E6D | AwyA04tHWdH3ginm
00000290 | 6363 706D 5A4A 6732 5633 6148 5343 424C | ccpmZJg2V3aHSCBL
000002A0 | 4D59 6332 336D 6E77 7A69 6C6A 4F4E 3151 | MYc23mnwziljON1Q
000002B0 | 704D 364B 634D 0D0A 724F 6B49 7449 6B44 | pM6KcM..rOkItIkD
000002C0 | 5378 6838 706D 6445 456C 4D43 5456 5251 | Sxh8pmdEElMCTVRQ
000002D0 | 4945 5674 564E 694F 5157 5170 6375 4850 | IEVtVNiOQWQpcuHP
000002E0 | 4130 744B 4A48 564C 6B57 344A 5147 5276 | A0tKJHVLkW4JQGRv
000002F0 | 3544 6C6F 5977 342B 3541 3546 5545 3858 | 5DloYw4+5A5FUE8X
00000300 | 0D0A 3959 626B 6171 694C 5A44 4B73 4F6B | ..9YbkaqiLZDKsOk
00000310 | 5577 3451 4A50 392B 5269 5667 7355 6C5A | Uw4QJP9+RiVgsUlZ
00000320 | 724D 4D56 4D50 4558 4276 7953 3565 694A | rMMVMPEXBvyS5eiJ
00000330 | 5434 6E57 2B65 3655 304A 4463 6875 6F69 | T4nW+e6U0JDchuoi
00000340 | 2F70 4977 4856 4461 5176 0D0A 474F 5349 | /pIwHVDaQv..GOSI
00000350 | 4367 795A 4675 554F 4C41 7750 6835 4152 | CgyZFuUOLAwPh5AR
00000360 | 3868 4965 5178 5849 466E 6B5A 447A 662F | 8hIeQxXIFnkZDzf/
00000370 | 4177 6977 4141 3D3D                     | AwiwAA==
00000000 | 2D2D 2D2D 3432 3338 3334 3332 3839 0D0A | ----4238343289..
00000010 | 436F 6E74 656E 742D 4469 7370 6F73 6974 | Content-Disposit
00000020 | 696F 6E3A 2066 6F72 6D2D 6461 7461 3B20 | ion: form-data;
00000030 | 6E61 6D65 3D22 6967 7222 3B20 6669 6C65 | name="igr"; file
00000040 | 6E61 6D65 3D22 3331 3530 3135 220D 0A43 | name="315015"..C
00000050 | 6F6E 7465 6E74 2D54 7970 653A 2061 7070 | ontent-Type: app
00000060 | 6C69 6361 7469 6F6E 2F6F 6374 6574 2D73 | lication/octet-s
00000070 | 7472 6561 6D0D 0A0D 0A41 5033 3218 0000 | tream....AP32...
00000080 | 0077 0200 0078 76EA A7C8 0500 00A6 0CD7 | .w...xv.........
00000090 | 256F 003A 376D 5E59 6260 67E3 D065 63E3 | %o.:7m^Yb`g..ec.
000000A0 | 8A14 6F7C 11B2 2E23 2263 7DA8 0216 9023 | ..o|...#"c}....#
000000B0 | 801C 2627 3F3C E238 3812 30EE 1D00 1E07 | ..&'?<.88.0.....
000000C0 | 0373 160E 3E32 3A3F C712 3711 2136 20C7 | .s..>2:?..7.!6 .
000000D0 | F36E D326 B78F 433D 323E E813 373C DE35 | .n.&..C=2>..7<.5
000000E0 | 8D7D 300E 0D2A C336 3225 0647 0520 3E27 | .}0..*.62%.G. >'
000000F0 | 237D 381F 0372 1C1B 6073 0673 AB1D 6F75 | #}8..r..`s.s..ou
00000100 | 4594 45D0 1BD1 3AC5 233C 6939 0999 1B93 | E.E...:.#<i9....
00000110 | 7F70 03FD F421 3228 3436 0C1F 1A3D 351E | .p...!2(46...=5.
00000120 | 178C 3F3A 792A C721 5A08 0026 3120 30F9 | ..?:y*.!Z..&1 0.
00000130 | 43CA 2799 3C3D E50E 4122 3736 E73F 1A35 | C.'.<=..A"76.?.5
00000140 | 9430 3213 4424 1A03 1D16 0710 1C1E 8D61 | .02.D$.........a
00000150 | 7503 3243 D724 28A6 3730 8D7F 0112 656A | u.2C.$(.70....ej
00000160 | 1563 CD6B CEA8 984B EE41 2A1E 3421 4948 | .c.k...K.A*.4!IH
00000170 | 0910 CBB5 1039 0DA4 104F 318E 1E0A 1D29 | .....9...O1....)
00000180 | B411 228B 7CBC BA7D 20F6 3FE2 1248 2375 | ..".|..} .?..H#u
00000190 | 8717 3ADF 1F3F 242A 1BE5 120F C33C D4F3 | ..:..?$*.....<..
000001A0 | 6316 073A 4720 A547 2437 0518 8AC9 B04F | c..:G .G$7.....O
000001B0 | 607D 6192 BAEC 62C2 3606 011F 4409 DC70 | `}a...b.6...D..p
000001C0 | F66C 3375 3B90 7D38 697C B024 027D 353F | .l3u;.}8i|.$.}5?
000001D0 | 0D36 2B3A 310A BDA2 2927 D11A 7C5A 3C6E | .6+:1...)'..|Z<n
000001E0 | 7C06 7C37 DAD9 7E85 0904 10F6 FC28 24BD | |.|7..~......($.
000001F0 | 480B CA03 7B18 116A 620A 0265 677A 7A56 | H...{..jb..egzzV
00000200 | 8773 E720 DACF 3690 D448 3E6F 76F1 5974 | .s. ..6..H>ov.Yt
00000210 | 0A73 8A1E 1FCF 897D 2F8B EF15 BA2F A781 | .s.....}/..../..
00000220 | 38FA D1A1 2E5B 879A 43DC 6405 3026 8749 | 8....[..C.d.0&.I
00000230 | 7E1E BB28 379E FC65 D484 D065 3435 10F2 | ~..(7..e...e45..
00000240 | AC99 3116 A92C F923 4271 04FD 31A4 6838 | ..1..,.#Bq..1.h8
00000250 | 193F 3E3B 2001 3492 0626 2932 0D20 E514 | .?>; .4..&)2. ..
00000260 | 7D66 6036 A952 2303 614B 23E9 6724 7B61 | }f`6.R#.aK#.g${a
00000270 | 911B 7967 634F 3A62 F8EF 2797 A684 E436 | ..ygcO:b..'....6
00000280 | FDCB B23B 471F C890 9F15 AC6D 2988 2162 | ...;G......m).!b
00000290 | 596A 4698 C274 6421 6160 5A15 4A1E 16BF | YjF..td!a`Z.J...
000002A0 | 4CAE 4CBD 831C 3139 3EDE 27D2 4FB5 5C31 | L.L...19>.'.O.\1
000002B0 | A94B 5C12 051E 2412 1653 9304 883F 20CE | .K\...$..S...? .
000002C0 | 8DC8 6282 6165 666B BDF8 0A25 3E45 21F6 | ..b.aefk...%>E!.
000002D0 | F387 EEFB 1C3F 1217 F090 8D90 FE48 205C | .....?.......H \
000002E0 | F955 5D84 C39E F2CA 2047 9637 125E 6E7B | .U]..... G.7.^n{
000002F0 | 9173 F62D A96F 64DF 948A 22E9 09BE A903 | .s.-.od...".....
00000300 | 21DC B032 B326 6C00 0D0A 2D2D 2D2D 3432 | !..2.&l...----42
00000310 | 3338 3334 3332 3839 2D2D                | 38343289--

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.