Behavioral Pattern Analysis: 6941 samples, 32 behavioral profiles

Columns (left to right): Cluster | Number of samples | Timeline | Victim OS | Attack port | Ports | Drops | Drop sizes | Snort IDs | Snort Egg IDs | Snort Outbound IDs | Antivirus labels | Processes | Packed MD5 | Unpacked MD5 | Registry keys | Registry values | DNS Lookups | Failed connections | FTP chatter | HTTP chatter | IRC chatter | C & C IPs

An empty cell is shown as "-"; adjacent cells are separated by " | ".
Cluster A (857 samples)
Win2K-f (81%) | 445 (100%) | - | msnmanegers.exe (100%) | 200441 (72%) | 1:1390:5 (79%)
1:2001944:3 (79%)
1:99998:2 (79%)
1:3003:4 (78%)
1:3000006:99 (97%)
1:2001684:3 (79%)
555:5555005:1 (100%)
1:2001569:11 (97%)
sophos (100%)
webwasher (100%)
kaspersky (96%)
ikarus (93%)
spybot (90%)
kolab (89%)

msnmanegers.exe (89%) | 5f78ff... (71%)

diversity: 18.0%

d4a06b... (71%)

diversity: 0.8%

...currentversion/runservices (100%)
...currentversion/run (100%)

hotefix (100%) | CN:hail.dns2go.com (74%)
CN:scorti1.dns2go.com (63%)
CN:211.96.97.44:7000 (57%) | exec=msnmanegers.exe (100%)
user=a (100%)
pass=a (74%)
- | url=http://embers.lycos.c... (75%)

211.96.97.44:7000 (56%)
222.177.11.165:7000 (23%)
209.250.232.240:7000 (13%)
210.217.196.11:7000 (4%)
85.114.137.60:65520 (2%)
Cluster B (812 samples)
WinXP (61%)
Win2K-f (39%)
445 (100%) | - | msnmanegers.exe (100%)
cmd.exe (61%)
csrss.exe (61%)
explorer.exe (61%)
lsass.exe (61%)
services.exe (61%)

200441 (81%) | 1:1390:5 (78%)
1:2001944:3 (78%)
1:99998:2 (78%)
1:3003:4 (76%)
1:3000006:99 (97%)
1:2001684:3 (78%)
555:5555005:1 (100%)
1:2001569:11 (93%)
sophos (100%)
webwasher (100%)
kaspersky (96%)
ikarus (95%)
spybot (94%)
drweb (93%)

msnmanegers.exe (99%)
cmd.exe (61%)
csrss.exe (61%)
explorer.exe (61%)
lsass.exe (61%)
services.exe (61%)

5f78ff... (78%)

diversity: 14.4%

d4a06b... (78%)

diversity: 0.8%

...currentversion/runservices (100%)
...currentversion/runonce (62%)
...currentversion/runonce (62%)
...currentversion/run (38%)

hotefix (100%) | CN:hail.dns2go.com (74%)
CN:scorti1.dns2go.com (61%)
CN:211.96.97.44:7000 (57%) | exec=msnmanegers.exe (100%)
user=a (100%)
pass=a (64%)
pass=saad (31%)
- | - | 211.96.97.44:7000 (59%)
222.177.11.165:7000 (22%)
209.250.232.240:7000 (10%)
210.217.196.11:7000 (6%)
Cluster C (656 samples)
WinXP (100%) | 445 (100%) | - | x.exe (100%)
ftpupd.exe (84%)
cmd.exe (83%)
csrss.exe (83%)
explorer.exe (83%)
lsass.exe (83%)

9353 (30%) | 1:22000032:6 (65%)
1:22466:7 (65%)
1:292000032:99 (65%)
1:299913:1 (65%)
1:2000032:6 (35%)
1:2000032:99 (35%)

1:3000003:99 (100%)
1:2001683:3 (99%)
1:3000000:99 (99%)
1:5001684:99 (99%)
555:5555005:1 (89%)
1:2001569:11 (88%)
sophos (100%)
korgo (99%)
symantec (99%)
padobot (99%)
authentium (99%)
etrust (99%)

cmd.exe (94%)
csrss.exe (94%)
explorer.exe (94%)
lsass.exe (94%)
services.exe (94%)
spoolsv.exe (94%)

7d99b0... (29%)
7f6016... (18%)
d42c1c... (7%)
3ae357... (5%)

diversity: 16.3%

7a70e1... (29%)
1aad8e... (18%)
af9ca5... (7%)
462a7b... (5%)

diversity: 7.7%

...microsoft/wireless (100%)

id (100%) | UA:citi-bank.ru (76%) | UA:194.54.90.246:80 (88%) | - | UA=mozilla/4.0 (100%)
filename=/x.exe (100%)
version=1.0 (100%)
- | 194.54.90.246:80 (87%)
85.114.137.60:65520 (8%)
85.114.137.60:80 (5%)
Cluster D (519 samples)
Win2K-f (70%)
WinXP (30%)
445 (100%) | 12045 (96%) | iexplorer.exe (54%)
exlorers.exe (45%)
85363 (31%) | 1:22000032:6 (100%)
1:22466:7 (100%)
1:292000032:99 (100%)
1:299906:1 (70%)
1:299913:1 (30%)
1:5001684:99 (100%) | 1:52123:3 (100%) | ikarus (98%)
webwasher (78%)
authentium (77%)
fortinet (67%)
trendmicro (64%)
sophos (62%)

iexplorer.exe (96%)
cmd.exe (43%)
csrss.exe (43%)
explorer.exe (43%)
lsass.exe (43%)
services.exe (43%)

d2c26e... (21%)
ca15c0... (19%)

diversity: 40.3%

diversity: 100.0%

...currentversion/runservices (100%)
...currentversion/run (58%)
...currentversion/runonce (42%)
...currentversion/runonce (42%)

syspersonalfirewall (100%) | US:chat-shqip.org (84%)
US:w3bs.chat-shqip.org (73%)
US:69.247.147.113:13001 (96%)
US:69.247.147.113:12351 (85%)
pass=a (100%)
user=a (100%)
exec=iexplorer.exe (54%)
exec=exlorers.exe (45%)
UA=mozilla/4.0 (compatibl... (100%)
filename=/aim/win95/insta... (100%)
sourceIP=ftp.newaol.compr... (100%)
sourceport= no-cache (100%)
version=1.0 (100%)

- | 69.247.147.113:13001 (75%)
69.247.147.113:12351 (14%)
72.10.172.218:7763 (5%)
Cluster E (387 samples)
WinXP (54%)
Win2K-f (46%)
445 (100%) | 12045 (100%) | ctfmom.exe (80%)
cmd.exe (48%)
csrss.exe (48%)
explorer.exe (48%)
lsass.exe (48%)
services.exe (48%)

87882 (44%) | 1:22000032:6 (100%)
1:22466:7 (100%)
1:292000032:99 (100%)
1:299913:1 (54%)
1:299906:1 (46%)
1:5001684:99 (100%) | 1:52123:3 (100%) | sophos (96%)
wootbot (72%)
forbot (61%)
drweb (58%)
backdoorwootbot (57%)
fortinet (56%)

cmd.exe (98%)
csrss.exe (98%)
explorer.exe (98%)
lsass.exe (98%)
services.exe (98%)
spoolsv.exe (98%)

17739a... (43%)
ca15c0... (10%)

diversity: 34.4%

diversity: N/A

...currentversion/runservices (100%)
...currentversion/runonce (100%)
...currentversion/runonce (100%)

windowsupdatess (54%)
syspersonalfirewall (46%)
US:chat-shqip.org (84%)
US:w3bs.chat-shqip.org (73%)
US:69.247.147.113:13001 (96%)
US:69.247.147.113:12351 (92%)
pass=a (100%)
user=a (100%)
exec=ctfmom.exe (80%)
- | - | 69.247.147.113:13001 (80%)
69.247.147.113:12351 (20%)
Cluster F (331 samples)
WinXP (98%) | 445 (76%)
135 (23%)
1035 (30%) | agentsvr.exe (100%)
cacls.exe (100%)
calc.exe (100%)
charmap.exe (100%)
chkntfs.exe (100%)
cidaemon.exe (100%)

26112 (100%)
45056 (100%)
15872 (100%)
19456 (100%)
20992 (100%)
60928 (100%)

1:299913:1 (66%)
1:22000032:6 (44%)
1:22466:7 (44%)
1:292000032:99 (44%)
1:5001684:99 (62%)
1:2001683:3 (41%)
1:3000003:99 (37%)
1:3000000:99 (28%)
1:52123:3 (73%) | webwasher (100%)
sophos (98%)
virut (98%)
fortinet (92%)
etrust (91%)
virutas (87%)

cmd.exe (99%)
spoolsv.exe (83%)
explorer.exe (82%)
csrss.exe (81%)
lsass.exe (81%)
services.exe (81%)

3f5ec5... (5%)

diversity: 77.0%

4a7743... (5%)

diversity: 58.3%

...currentversion/runservices (48%)
...currentversion/runonce (41%)
...currentversion/runonce (41%)
...microsoft/wireless (29%)

id (35%) | :proxim.ircgalaxy.pl (45%)
DE:proxim.ircgalaxy.pl (34%)
DE:85.114.137.60:65520 (29%) | user=a (94%)
pass=a (80%)
exec=msnmanegers.exe (26%)
version=1.0 (100%)
UA=mozilla/4.0 (70%)
filename=/x.exe (70%)
- | 85.114.137.60:65520 (26%)
69.247.147.113:13001 (13%)
210.245.211.11:65520 (12%)
85.114.137.60:80 (9%)
222.177.11.165:7000 (7%)
211.96.97.44:7000 (6%)

Cluster G (316 samples)
WinXP (100%) | 445 (100%) | 5554 (100%)
9996 (100%)
445 (67%)
4858 (50%)
1041 (33%)
1050 (33%)

- | 15872 (72%) | 1:22466:7 (76%)
1:299913:1 (76%)
1:22001056:5 (41%)
1:31000004:99 (60%)
1:2001683:3 (55%)
1:5001684:99 (55%)
1:2000047:4 (41%)
1:52123:3 (58%)
555:5555005:1 (35%)
1:2001569:11 (34%)
_sasser (100%)
etrust (100%)
ewido (100%)
ikarus (100%)
kaspersky (100%)
webwasher (100%)

cmd.exe (86%)
csrss.exe (86%)
explorer.exe (86%)
lsass.exe (86%)
services.exe (86%)
spoolsv.exe (86%)

random 8 character filename

831f4e... (28%)
1a2c0e... (22%)
741e3b... (20%)
03f912... (6%)

diversity: 13.3%

eb7546... (28%)
048df7... (22%)
e0197e... (20%)
83893b... (6%)

diversity: 5.1%

- | - | :proxim.ircgalaxy.pl (31%)
DE:proxim.ircgalaxy.pl (25%)
DE:85.114.137.60:65520 (57%) | pass=bin (100%)
user=anonymous (72%)
- | - | -
Cluster H (333 samples)
Win2K-f (54%)
WinXP (46%)
445 (100%) | 44445 (100%) | resource32w.exe (100%)
cmd.exe (31%)
csrss.exe (31%)
explorer.exe (31%)
lsass.exe (31%)
services.exe (31%)

100864 (76%) | 1:22466:7 (62%)
1:292000032:99 (62%)
1:22000032:6 (59%)
1:2000032:99 (38%)
1:2466:7 (38%)
1:2000032:6 (38%)

1:5001684:99 (98%)
1:2001683:3 (97%)
1:31000004:99 (62%)
1:3000004:99 (38%)
1:52123:3 (63%)
555:5555005:1 (37%)
sdbot (99%)
rbot (99%)
spybot (97%)
_trojano (96%)
antivir (88%)
backdoorrbot (84%)

cmd.exe (45%)
csrss.exe (45%)
explorer.exe (45%)
lsass.exe (45%)
services.exe (45%)
spoolsv.exe (45%)

random 9 character filename

7fdfe3... (71%)

diversity: 18.4%

10862e... (71%)

diversity: 3.6%

...currentversion/runservices (87%)
...microsoft/ole (86%)
...internetsettings/5.0 (55%)
...internetsettings/connections (55%)
...microsoft/ole (32%)

networkhostservice (86%)
defaultconnectionsettings (55%)
:proxim.ircgalaxy.pl (45%)
DE:proxim.ircgalaxy.pl (38%)
CZ:217.170.244.2:443 (98%)
CZ:82.114.64.251:443 (87%)
exec=resource32w.exe (100%)
pass=a (98%)
user=a (98%)
- | - | 217.170.244.2:443 (90%)
Cluster I (310 samples)
Win2K-f (60%)
WinXP (40%)
135 (100%) | 707 (88%)
69 (88%)
1031 (86%)
1027 (51%)
1034 (37%)
dllhost.exe (95%)
cmd.exe (40%)
csrss.exe (40%)
explorer.exe (40%)
lsass.exe (40%)
services.exe (40%)

10240 (82%)
19728 (31%)
1:299913:1 (100%) | 1:1444:3 (100%)
1:2008120:1 (100%)
1:3001441:1 (100%)
1:3000003:99 (34%)
1:52123:3 (100%) | sophos (90%)
authentium (79%)
fortinet (78%)
kaspersky (78%)
microsoft (78%)
webwasher (78%)

dllhost.exe (100%)
cmd.exe (42%)
csrss.exe (42%)
explorer.exe (42%)
lsass.exe (42%)
services.exe (42%)

53bfe1... (75%)

diversity: 16.8%

73f108... (34%)
a08f3b... (28%)
57ce4a... (7%)

diversity: 14.8%

...microsoft/downloadmanager (100%)
...internetsettings/5.0 (58%)
...internetsettings/connections (58%)

defaultconnectionsettings (87%)
filename (28%)
flags (28%)
installed (28%)
installeddate (28%)
US:download.microsoft.com (100%)
US:microsoft.com (100%)
- | - | sourceIP=download.microso... (100%)
sourceport= keep-alive (100%)
version=1.0 (100%)
UA=mozilla/4.0 (compatibl... (62%)
filename=/download/0/1/f/... (62%)
UA=mozilla/4.0 (compatibl... (38%)

- | -
Cluster J (314 samples)
Win2K-f (59%)
WinXP (41%)
445 (100%) | - | msnnmaneger.exe (100%)
cmd.exe (29%)
csrss.exe (29%)
explorer.exe (29%)
lsass.exe (29%)
services.exe (29%)

- | 1:1390:5 (70%)
1:2001944:3 (70%)
1:99998:2 (70%)
1:3003:4 (68%)
1:21390:5 (30%)
1:299998:1 (30%)
1:3000006:99 (97%)
1:2001683:3 (53%)
1:5001684:99 (53%)
1:2001684:3 (32%)
1:2001569:11 (100%)
555:5555005:1 (100%)
webwasher (86%)
antivir (69%)
sdbot (69%)
sophos (62%)
forbot (57%)
ikarus (51%)

msnnmaneger.exe (85%)
cmd.exe (58%)
csrss.exe (58%)
explorer.exe (58%)
lsass.exe (58%)
services.exe (58%)

8f3671... (12%)
53123f... (11%)
dc8e1c... (10%)
c1f12e... (6%)

diversity: 26.6%

01a069... (12%)
e0eb86... (10%)

diversity: 17.2%

...currentversion/runservices (100%)
...currentversion/runonce (54%)
...currentversion/runonce (54%)
...currentversion/run (46%)

hotfix (51%)
hotefix (48%)
CN:scorti1.dns2go.com (65%)
US:scorti1.dns2go.com (28%)
CN:211.96.97.44:7000 (30%)
CN:222.177.11.165:7000 (26%)
user=a (100%)
exec=msnnmaneger.exe (98%)
pass=a (75%)
- | - | 222.177.11.165:7000 (31%)
209.250.232.240:7000 (24%)
211.96.97.44:7000 (24%)
210.217.196.11:7000 (9%)
85.114.137.60:65520 (3%)
Cluster K (311 samples)
Win2K-f (64%)
WinXP (36%)
445 (100%) | - | hotefix.exe (100%)
cmd.exe (28%)
csrss.exe (28%)
explorer.exe (28%)
lsass.exe (28%)
services.exe (28%)

201286 (88%) | 1:1390:5 (86%)
1:2001944:3 (86%)
1:99998:2 (86%)
1:3003:4 (85%)
1:3000006:99 (99%)
1:2001684:3 (86%)
555:5555005:1 (100%)
1:2001569:11 (94%)
_agent (100%)
ikarus (100%)
sophos (100%)
webwasher (100%)
kaspersky (99%)
symantec (98%)

hotefix.exe (100%)
cmd.exe (53%)
csrss.exe (53%)
explorer.exe (53%)
lsass.exe (53%)
services.exe (53%)

a2a036... (87%)

diversity: 11.6%

diversity: 100.0%

...currentversion/runservices (100%)
...currentversion/runonce (55%)
...currentversion/runonce (55%)
...currentversion/run (45%)

hotefix (100%) | CN:hail.dns2go.com (75%)
CN:scorti1.dns2go.com (63%)
CN:211.96.97.44:7000 (39%)
CN:222.177.11.165:7000 (32%)
exec=hotefix.exe (100%)
user=a (100%)
pass=a (68%)
pass=saad (27%)
- | - | 222.177.11.165:7000 (40%)
211.96.97.44:7000 (31%)
209.250.232.240:7000 (14%)
210.217.196.11:7000 (11%)
Cluster L (291 samples)
Win2K-f (57%)
WinXP (43%)
139 (100%) | 1027 (67%)
1028 (67%)
hqghumea.dll (98%) | 385024 (57%) | 1:21390:5 (100%)
1:299998:1 (100%)
1:32000004:99 (100%)
1:2001683:3 (97%)
1:5001684:99 (97%)
- | sdbot (100%)
sophos (98%)
rbot (97%)
antivir (86%)
webwasher (86%)
kaspersky (85%)

cmd.exe (75%)
csrss.exe (75%)
explorer.exe (75%)
lsass.exe (75%)
services.exe (75%)
spoolsv.exe (75%)

0f143d... (55%)
f7f466... (21%)
b65a42... (13%)

diversity: 3.7%

diversity: N/A

- | - | - | - | pass=x (100%)
user=x (100%)
exec=hqghumea.dll (100%)
- | - | -
Cluster M (220 samples)
Win2K-f (65%)
WinXP (35%)
135 (100%) | 69 (88%)
707 (88%)
1031 (88%)
1027 (62%)
1034 (38%)
dllhost.exe (81%)
explorer.exe (42%)
cmd.exe (38%)
csrss.exe (38%)
lsass.exe (38%)
services.exe (38%)

- | 1:299913:1 (100%) | 1:1444:3 (100%)
1:2008120:1 (100%)
1:3001441:1 (100%)
1:52123:3 (100%) | sophos (91%)
authentium (89%)
kaspersky (89%)
webwasher (89%)
fortinet (86%)
ikarus (85%)

- | 53bfe1... (21%)
168aab... (6%)

diversity: 54.3%

73f108... (10%)
a08f3b... (9%)
4c3df2... (8%)

diversity: 40.3%

- | - | US:download.microsoft.com (86%)
US:microsoft.com (86%)
:proxim.ircgalaxy.pl (46%)
- | - | - | - | 72.10.172.211:8080, 67.43.236.66:8080 (50%)
67.43.236.66:8080, 72.10.172.211:8080 (33%)
Cluster N (172 samples)
Win2K-f (57%)
WinXP (43%)
445 (100%) | - | hotfixs.exe (100%)
cmd.exe (34%)
csrss.exe (34%)
explorer.exe (34%)
lsass.exe (34%)
services.exe (34%)

524288 (54%) | 1:1390:5 (78%)
1:2001944:3 (78%)
1:99998:2 (78%)
1:3003:4 (76%)
1:5001684:99 (100%)
1:2001683:3 (99%)
1:3000006:99 (98%)
555:5555005:1 (100%)
1:2001569:11 (96%)
webwasher (100%)
rbot (95%)
sdbot (89%)
forbot (87%)
ircbot (87%)
sheur (87%)

hotfixs.exe (92%)
cmd.exe (61%)
csrss.exe (61%)
explorer.exe (61%)
lsass.exe (61%)
services.exe (61%)

af98fe... (37%)
932824... (10%)
fd0bf4... (7%)
890fb4... (5%)
f515fc... (5%)

diversity: 25.5%

480d07... (37%)
95951d... (10%)
b9c7f0... (5%)
dc7696... (5%)

diversity: 16.0%

...currentversion/runservices (100%)
...currentversion/runonce (58%)
...currentversion/runonce (58%)
...currentversion/run (42%)

hotfixs (99%) | CN:scorti1.dns2go.com (76%) | CN:211.96.97.44:7000 (46%) | exec=hotfixs.exe (100%)
pass=a (100%)
user=a (100%)
- | url=http://embers.lycos.c... (100%)

211.96.97.44:7000 (40%)
222.177.11.165:7000 (31%)
209.250.232.240:7000 (12%)
218.93.14.236:7000 (10%)
Cluster O (159 samples)
WinXP (100%) | 445 (100%) | 80 (100%) | cmd.exe (100%)
ndisrd.sys (100%)
csrss.exe (93%)
explorer.exe (93%)
lsass.exe (93%)
services.exe (93%)

6657 (100%)
10752 (100%)
15338 (100%)
2094 (91%)
46592 (52%)
57856 (31%)
1:22466:7 (66%)
1:22000032:6 (65%)
1:292000032:99 (65%)
1:299913:1 (65%)
1:2000032:6 (34%)
1:2000032:99 (34%)

1:3000000:99 (99%)
1:2001683:3 (72%)
1:5001684:99 (72%)
555:5555005:1 (100%) | etrust (100%)
microsoft (100%)
padobot (100%)
sophos (100%)
berbew (97%)
symantec (97%)

cmd.exe (100%)
csrss.exe (93%)
explorer.exe (93%)
lsass.exe (93%)
services.exe (93%)
spoolsv.exe (93%)

a12cab... (50%)
df17a6... (27%)

diversity: 15.3%

40f7f4... (50%)
9bbdd0... (15%)

diversity: 8.5%

...windows/currentversion (100%)
...currentversion/internetsettings (100%)
...internetsettings/zones (100%)
...zones/0 (100%)
...zones/1 (100%)
...zones/2 (100%)

1601 (100%)
@ (100%)
iexplore.exe (100%)
settings (98%)
locked (93%)
:wpad (91%)
DE:siliconfireware.ru (65%)
US:searchportal.informati... (43%)
EU:siliconfireware.ru (27%)

DE:217.11.54.126:80 (75%)
EU:78.47.200.154:80 (74%)
DE:212.227.111.29:80 (67%)
- | - | url=http://ew.egg.com/w.p... (41%)
url=http://iliconfireware... (38%)

85.114.137.60:80 (83%)
Cluster P (117 samples)
Win2K-f (53%)
WinXP (47%)
445 (100%) | - | igxdfdfds.com (100%)
cmd.exe (39%)
csrss.exe (39%)
explorer.exe (39%)
lsass.exe (39%)
services.exe (39%)

552960 (92%) | 1:21390:5 (60%)
1:299998:1 (60%)
1:1390:5 (40%)
1:2001944:3 (40%)
1:99998:2 (40%)
1:3003:4 (38%)
1:2001683:3 (99%)
1:3000007:99 (99%)
1:5001684:99 (99%)
- | webwasher (100%)
rbot (99%)
sdbot (99%)
sophos (99%)
thehacker (99%)
antivir (98%)

cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

e8d4d8... (91%)

diversity: 5.3%

fda109... (91%)

diversity: 0.9%

...currentversion/runservices (100%)
...currentversion/runonce (67%)
...currentversion/runonce (67%)
...currentversion/run (33%)

microsoftvisualsp (100%) | :f.unicat.org (100%) | 69.42.216.90:9890 (100%) | exec=igxdfdfds.com (100%)
pass=a (100%)
user=a (100%)
- | - | 69.42.216.90:9890 (100%)
Cluster Q (112 samples)
WinXP (98%) | 135 (100%) | - | cmd.exe (98%)
csrss.exe (98%)
explorer.exe (98%)
lsass.exe (98%)
services.exe (98%)
spoolsv.exe (98%)

0 (89%) | 1:299913:1 (92%) | 1:1444:3 (100%)
1:3001441:1 (100%)
1:2008120:1 (92%)
1:52123:3 (100%) | ikarus (83%)
authentium (75%)
fortinet (75%)
kaspersky (75%)
sophos (75%)
webwasher (75%)

cmd.exe (98%)
csrss.exe (98%)
explorer.exe (98%)
lsass.exe (98%)
services.exe (98%)
spoolsv.exe (98%)

diversity: 88.9%

diversity: 80.0%

- | - | - | - | - | - | - | -
Cluster R (89 samples)
Win2K-f (71%)
WinXP (29%)
445 (100%) | 1041 (29%) | hotefixs.exe (100%) | 199517 (78%) | 1:21390:5 (100%)
1:299998:1 (100%)
1:23003:4 (33%)
1:3000006:99 (100%)
1:2000427:9 (99%)
- | sophos (99%)
webwasher (99%)
kaspersky (97%)
symantec (97%)
antivir (90%)
bitdefender (89%)

hotefixs.exe (100%)
cmd.exe (41%)
csrss.exe (41%)
explorer.exe (41%)
lsass.exe (41%)
services.exe (41%)

5ee412... (74%)
6c4c32... (13%)

diversity: 12.4%

51c152... (65%)
47300e... (12%)

diversity: 2.9%

...currentversion/runservices (100%)
...currentversion/run (57%)
...currentversion/runonce (43%)
...currentversion/runonce (43%)

hotefixs (100%) | CN:hail2.dns2go.com (99%) | CN:222.177.11.165:8885 (82%) | exec=hotefixs.exe (100%)
user=a (100%)
pass=a (54%)
pass=saad (37%)
- | - | 222.177.11.165:8885 (75%)
Cluster S (84 samples)
WinXP (100%) | 445 (100%) | 12045 (43%)
44445 (38%)
cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

84 (40%)
81 (31%)
1:22000032:6 (100%)
1:22466:7 (100%)
1:292000032:99 (100%)
1:299913:1 (100%)
1:31000004:99 (62%)
1:5001684:99 (38%)
1:2001683:3 (28%)
1:52123:3 (100%) | authentium (100%)
stz_like (100%)
suspicious_malware (100%)
cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

diversity: 100.0%

diversity: N/A

- | - | - | - | user=a (100%)
pass=a (68%)
exec=iexplorer.exe (27%)
- | - | -
Cluster T (78 samples)
Win2K-f (59%)
WinXP (41%)
139 (72%)
445 (28%)
3278 (44%)
1032 (33%)
1034 (28%)
cpaner.com (42%)
cmd.exe (33%)
csrss.exe (33%)
explorer.exe (33%)
lsass.exe (33%)
services.exe (33%)

- | 1:1390:5 (73%)
1:99998:1 (72%)
1:5001684:99 (90%)
1:2001683:3 (87%)
1:3000005:99 (55%)
1:52123:3 (100%) | sdbot (84%)
kaspersky (81%)
ikarus (76%)
_eggdrop (69%)
vipre (61%)
sdbot4 (59%)

cmd.exe (86%)
csrss.exe (86%)
explorer.exe (86%)
lsass.exe (86%)
services.exe (86%)
spoolsv.exe (86%)

4dd704... (9%)
beb836... (9%)
382279... (8%)
8be304... (6%)
9caca0... (6%)
45d304... (5%)

diversity: 46.7%

f1b2b1... (22%)
665f1d... (14%)
1b8c24... (10%)
51c0a7... (6%)

diversity: 30.5%

...currentversion/runservices (94%)
...microsoft/ole (91%)
...microsoft/ole (69%)
...internetsettings/5.0 (31%)
...internetsettings/connections (28%)

topiccpanr (62%)
defaultconnectionsettings (28%)
US:freee.najd.us (76%) | US:69.50.209.31:51115 (79%)
US:69.50.208.3:51115 (72%)
pass=1 (100%)
user=1 (100%)
exec=cpaner.com (42%)
- | - | 69.50.209.31:51115 (38%)
69.50.208.3:51115 (25%)
213.239.192.125:5001 (12%)
75.127.96.88:5001 (12%)
Cluster U (41 samples)
WinXP (100%) | 445 (100%) | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

0 (37%) | 1:1390:5 (66%)
1:2001944:3 (66%)
1:99998:2 (66%)
1:3003:4 (63%)
1:21390:5 (34%)
1:299998:1 (34%)
1:3000006:99 (100%)
1:2001684:3 (50%)
- | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

diversity: N/A

diversity: N/A

- | - | - | - | pass=a (100%)
user=a (100%)
exec=msnmanegers.exe (78%)
- | - | -
Cluster V (38 samples)
Win2K-f (100%) | 445 (97%) | 1027 (100%)
445 (74%)
1031 (42%)
mdm.exe (61%)
mumie.exe (32%)
mixit.exe (29%)
rundll32.exe (29%)
- | 1:299913:1 (66%)
1:22466:7 (63%)
1:2466:7 (34%)
1:99913:2 (34%)
1:3000003:99 (100%)
1:5001684:99 (34%)
1:2001683:3 (32%)
1:2001569:11 (100%)
555:5555005:1 (100%)
kaspersky (70%)
ircbot (40%)
microsoft (40%)
suspicious_malware (30%)
webwasher (23%)
mdm.exe (84%) | 05ec07... (11%)
67e72b... (8%)
1c8163... (5%)
60ccb4... (5%)
694747... (5%)
859e67... (5%)

diversity: 65.7%

05ec07... (11%)
67e72b... (8%)
60ccb4... (5%)
859e67... (5%)
bb3911... (5%)
bcdf9c... (5%)

diversity: 64.3%

...microsoft/downloadmanager (100%)
...internetsettings/5.0 (100%)
...internetsettings/connections (100%)
...currentversion/run (86%)

defaultconnectionsettings (100%)
windowsnetworkingmonitoring (72%)
US:qtas.net (32%)
SE:dzuc.net (26%)
SE:tap.radioprishtina.net (26%)
US:wow.blackirc.us (26%)
SE:84.244.5.183:2345 (58%) | pass=4lamer5sexy7 (100%) | UA=mozilla/4.0 (compatibl... (100%)
sourceport= keep-alive (100%)
version=1.0 (100%)
filename=/mumie.exe (32%)
sourceIP=qtas.netconnecti... (32%)
filename=/mixit.exe (29%)

- | 84.244.5.183:2345 (36%)
69.65.40.234:2345, 66.29.25.194:80 (18%)
84.244.6.253:2345, 66.29.25.194:80 (18%)
84.244.11.226:2345 (9%)
84.244.5.183:2345, 66.29.25.194:80 (9%)
Cluster W (33 samples)
Win2K-f (88%) | 445 (100%) | - | msnmanegers.exe (100%) | - | 1:21390:5 (100%)
1:299998:1 (100%)
1:23003:4 (42%)
1:3000006:99 (91%)
1:2000427:9 (88%)
- | sophos (100%)
kaspersky (97%)
virut (97%)
webwasher (97%)
fortinet (94%)
microsoft (87%)

- | 01506e... (6%)
18b909... (6%)
a7e366... (6%)

diversity: 90.9%

diversity: 100.0%

- | - | US:hail.dns2go.com (52%)
CN:scorti1.dns2go.com (48%)
CN:hail.dns2go.com (43%)
US:scorti1.dns2go.com (39%)
DE:proxim.ircgalaxy.pl (35%)
CN:211.96.97.44:7000 (57%)
CN:218.93.14.236:7000 (52%)
exec=msnmanegers.exe (100%)
user=a (97%)
pass=a (94%)
- | - | 211.96.97.44:7000 (44%)
85.114.137.60:65520, 211.96.97.44:7000 (25%)
85.114.137.60:80, 211.96.97.44:7000 (12%)
Cluster X (27 samples)
- | WinXP (100%) | 445 (100%) | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

- | 1:1390:5 (56%)
1:2001944:3 (56%)
1:99998:2 (56%)
1:3003:4 (52%)
1:21390:5 (44%)
1:299998:1 (44%)

1:3000006:99 (78%) | - | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

diversity: N/A

diversity: N/A

- | - | :www.google.com (100%) | - | - | - | - | -
Cluster Y (23 samples)
- | WinXP (100%) | 445 (100%) | 1031 (100%)
113 (95%)
3067 (95%)
ftpupd.exe (95%)
cmd.exe (91%)
csrss.exe (91%)
explorer.exe (91%)
lsass.exe (91%)
services.exe (91%)

10879 (47%)
10752 (41%)
1:22000032:6 (65%)
1:22466:7 (65%)
1:292000032:99 (65%)
1:299913:1 (65%)
1:2000032:6 (35%)
1:2000032:99 (35%)

1:2001683:3 (100%)
1:5001684:99 (100%)
1:2001569:11 (89%)
555:5555005:1 (89%)
_korgo (100%)
authentium (100%)
etrust (100%)
fortinet (100%)
korgo (100%)
microsoft (100%)

cmd.exe (88%)
csrss.exe (88%)
explorer.exe (88%)
lsass.exe (88%)
services.exe (88%)
spoolsv.exe (88%)

random 7/8 character filename

042774... (39%)
32a0d7... (35%)
9edaa6... (13%)

diversity: 26.1%

1c9a47... (39%)
d79176... (35%)

diversity: 25.0%

...microsoft/wireless (100%)

- | RU:moscow-advokat.ru (100%) | RU:194.6.222.11:6667 (100%) | - | - | - | -
Cluster Z (22 samples)
- | Win2K-f (91%) | 445 (86%) | - | unpr.exe (95%) | - | 1:22466:7 (50%)
1:292000032:99 (50%)
1:22000032:6 (45%)
1:299906:1 (45%)
1:5001684:99 (67%)
1:3000003:99 (56%)
1:2001683:3 (39%)
1:2001684:3 (39%)
1:52123:3 (90%) | kaspersky (100%)
sophos (100%)
ikarus (95%)
symantec (95%)
fortinet (90%)
microsoft (90%)

- | 897d59... (32%)

diversity: 72.7%

54df1d... (9%)

diversity: 85.7%

- | - | DE:dl2.teenpassage.com (68%)
US:ksn.a1001186.wrs.mcboo... (59%)
DE:proxim.ircgalaxy.pl (36%)

HK:210.245.211.11:65520 (55%)
DE:85.114.137.60:80 (25%)
user=a (100%)
pass=a (82%)
exec=msnmanegers.exe (27%)
sourceport= no-cache (100%)
version=1.0 (100%)
UA=download (95%)
filename=/~grander/unpr.e... (95%)
sourceIP=dl2.teenpassage.... (95%)

- | 210.245.211.11:65520 (59%)
85.114.137.60:80 (18%)
85.114.137.60:65520 (14%)
Cluster AA (18 samples)
- | WinXP (100%) | 445 (100%) | - | xxxxxxxxx (50%)
xxxxxxxx (28%)
61952 (69%) | 1:2000032:6 (56%)
1:2000032:99 (56%)
1:2000033:5 (56%)
1:2466:7 (56%)
1:99913:2 (56%)
1:22000032:6 (44%)

1:3000000:99 (100%)
1:2001683:3 (83%)
1:5001684:99 (83%)
- | berbew (100%)
etrust (100%)
fortinet (100%)
kaspersky (100%)
microsoft (100%)
padobot (100%)

- | f58222... (28%)
1ab4d3... (11%)
7a3936... (11%)

diversity: 66.7%

2a5643... (28%)
cc366b... (11%)

diversity: 37.5%

- | - | DE:proxim.ircgalaxy.pl (61%)
:proxim.ircgalaxy.pl (28%)
DE:85.114.137.60:80 (92%) | - | - | - | 85.114.137.60:80 (100%)
Cluster AB (16 samples)
- | WinXP (100%) | 445 (100%) | 80 (100%) | cmd.exe (38%)
csrss.exe (38%)
dcpromo.log (38%)
explorer.exe (38%)
lsass.exe (38%)
ndisrd.sys (38%)

46592 (50%)
57856 (50%)
1:22000032:6 (94%)
1:22466:7 (94%)
1:292000032:99 (94%)
1:299913:1 (94%)
1:3000000:99 (93%)
1:2001683:3 (53%)
1:5001684:99 (53%)
- | berbew (100%)
drweb (100%)
etrust (100%)
microsoft (100%)
padobot (100%)
sophos (100%)

- | a12cab... (50%)
ab5e47... (31%)
df17a6... (19%)

diversity: 18.8%

40f7f4... (50%)
9bbdd0... (12%)

diversity: 20.0%

- | - | :wpad (67%)
DE:siliconfireware.ru (60%)
EU:siliconfireware.ru (40%)
:chripress.org (33%)
:daymohk.info (33%)
FI:kavkazchat.com (33%)

DE:217.11.54.126:80 (100%)
EU:78.47.200.154:80 (100%)
DE:212.227.111.29:80 (92%)
- | - | url=http://ww.chechenpres... (75%)

-
Cluster AC (15 samples)
- | Win2K-f (67%)
WinXP (33%)
445 (100%) | 1027 (67%)
1028 (67%)
1032 (33%)
1033 (33%)
ftp.exe (100%)
cmd.exe (33%)
csrss.exe (33%)
explorer.exe (33%)
ii (33%)
lsass.exe (33%)

79 (50%)
80 (33%)
1:1390:5 (67%)
1:2001944:3 (67%)
1:3003:4 (67%)
1:99998:2 (67%)
1:3000006:99 (64%)
1:3000007:99 (29%)
- | - | ftp.exe (100%)
cmd.exe (33%)
csrss.exe (33%)
explorer.exe (33%)
lsass.exe (33%)
services.exe (33%)

diversity: N/A

diversity: N/A

- | - | - | - | pass=a (100%)
user=a (100%)
exec=msnmanegers.exe (33%)
exec=igxdfdfds.com (27%)
- | - | -
Cluster AD (11 samples)
- | WinXP (100%) | 445 (91%) | - | lsd (100%)
lsd.dll (45%)
18432 (100%) | 1:22000032:6 (100%)
1:22466:7 (100%)
1:292000032:99 (100%)
1:299913:1 (100%)
1:2001683:3 (100%)
1:3000000:99 (100%)
1:5001684:99 (100%)
- | 05c0 (100%)
_padobot (100%)
authentium (100%)
clamav (100%)
doxpar (100%)
etrust (100%)

- | 17028f... (100%)

diversity: 9.1%

diversity: N/A

...windows/help (100%)

browser (100%) | :jbeegvia.ru (100%)
US:www.yahoo.com (82%)
US:www.altavista.com (55%)
:aadqca.ru (27%)
:bqpuqt.ru (27%)
:dhagunb.ru (27%)

- | - | - | - | -
Cluster AE (10 samples)
- | WinXP (90%) | 135 (100%) | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

- | 1:299913:1 (90%) | - | 1:52123:3 (100%) | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

diversity: N/A

diversity: N/A

- | - | - | - | - | - | - | -
Cluster AF (10 samples)
- | WinXP (100%) | 445 (100%) | 44445 (80%) | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

- | 1:2000032:6 (100%)
1:2000032:99 (100%)
1:2000033:5 (100%)
1:2466:7 (100%)
1:99913:2 (100%)
1:3000004:99 (80%) | - | - | cmd.exe (100%)
csrss.exe (100%)
explorer.exe (100%)
lsass.exe (100%)
services.exe (100%)
spoolsv.exe (100%)

diversity: N/A

diversity: N/A

- | - | - | - | user=a (100%) | - | - | -