Sample of the Babar malware discovered by NSA. It is believed to originate from French intelligence.

More info:

http://www.spiegel.de/media/media-35683.pdf

Cyphort » Blog Archive Babar: Suspected Nation State Spyware In The Spotlight - Cyphort

yara rules: [YARA] Barbar/SNOWGLOBE Rules - Pastebin.com

babar.exe Strings:

!This program cannot be run in DOS mode.
`.rdata
@.data
/u /i:-"
/c start /wait
1000 && del
ComSpec
cmd.exe
DLLPATH
D:(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)(A;OICI;FA;;;AU)(A;OICI;FA;;;BA)
advapi32.dll
CommonProgramFiles
ALLUSERSPROFILE
COMMON_APPDATA
WINDIR
USERPROFILE
APPDATA
kernel32.dll
Shell32.dll
kernel32
IsWow64Process
EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
%%%s%%
/s /n %s "%s"
%%WINDIR%%\%s\%s
regsvr32.exe
System32
SysWOW64
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
%COMMON_APPDATA%
bad allocation
Unknown exception
bad exception
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
CorExitProcess
(null)
`h````
xpxxxx
UTF-16LE
UNICODE
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
`h`hhh
xppwpp
RSDSa2
c:\Documents and Settings\admin\Desktop\Babar64\Babar64\obj\DllWrapper Release\Release.pdb
DeleteFileA
GetModuleFileNameA
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetShortPathNameA
LocalFree
CloseHandle
LoadLibraryA
FreeLibrary
LockResource
SizeofResource
LoadResource
FindResourceA
KERNEL32.dll
GetProcAddress
GetModuleHandleA
GetCurrentProcess
WaitForSingleObject
GetStartupInfoA
RtlUnwind
GetSystemTimeAsFileTime
GetCommandLineA
GetLastError
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapFree
HeapAlloc
RaiseException
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetStdHandle
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WideCharToMultiByte
ExitProcess
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
MultiByteToWideChar
ReadFile
SetHandleCount
GetFileType
SetFilePointer
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetFullPathNameA
GetCurrentDirectoryA
LCMapStringA
LCMapStringW
HeapSize
VirtualAlloc
HeapReAlloc
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
CompareStringA
CompareStringW
SetEnvironmentVariableA
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
SetStdHandle
FlushFileBuffers
CreateFileA
GetTimeZoneInformation
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
GetProcessHeap
FreeSid
CheckTokenMembership
RegCloseKey
RegQueryValueExA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
.?AVAutoPathHelper@@
.?AVIAutoPath@@
.?AVCImportSddl@@
.?AVCAbstractImport@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
.?AVbad_exception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KERNEL32.DLL
mscoree.dll
(null)

MD5s:

48fe7f28.msi = 8ead84dd36d8f14ca98f7755a9f5a069

Barbar.exe = 9fff114f15b86896d8d4978c0ad2813d

perf_585.dll [implant] = 4525141d9e6e7b5a7f4e8c3db3f0c24c

update.msi = f2ccf4cccead21b1674d7df288722a3d

wbemprox.log = 577b71cd95333f6df5bfc1fbc64d98ca

DOWNLOAD

Pass: infected

Source
