{
	"id": "3a4fce2a-6728-4939-9464-a05e682c3534",
	"created_at": "2026-04-06T00:12:57.008215Z",
	"updated_at": "2026-04-10T03:20:38.734309Z",
	"deleted_at": null,
	"sha1_hash": "c146bdd1dfc40e71ca81557ecc5443fdbcf210ab",
	"title": "ZeroAccess / Sirefef Rootkit - 5 fresh samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 371685,
	"plain_text": "ZeroAccess / Sirefef Rootkit - 5 fresh samples\r\nArchived: 2026-04-05 13:49:58 UTC\r\nStocking stuffers.\r\nZeroAccess rootkit is far from new and exciting but this is a fresh lot with still active C2 servers.\r\nAlthough the dropper is detected by at least half of AV engines, post-infection detection is another story. I\r\ntried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE\r\nto carve out the hidden file from the memory. You can use Redline or Volatility too.\r\nYou can download 5 files below together with pcaps from one of the files and the file dumped from memory. It\r\nappears that free video and app names are used as the lure in this case.\r\nDownload the 5 files below plus the file dumped from memory\r\nDownload 2 pcap files from 2 runs of A2611095F689FADFFD3068E0D4E3E7ED\r\nFile information\r\n251a2c7eff890c58a9d9eda5b1391082 160 KB 622.exe_\r\n1a12137bd701bd9ed607671ce1b7806a 160 KB animal-sex-free.avi.exe_\r\n59b247f0266b107451104243261a7ecf 159 KB FlashPlayer_11_4_update_for_Win.exe_\r\n98a993d62d367682048ec70df109e7d8 161 KB readme.exe_\r\na2611095f689fadffd3068e0d4e3e7ed 160 KB ZeroAccess_xxx-porn-movie.avi.exe_\r\nA2611095F689FADFFD3068E0D4E3E7ED\r\n hidden library - injected in Explorer.exe\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 1 of 18\n\nStrings from the dumped z binary\r\nFile: dumped.dll\r\nMD5: fe756584b159fd24dc4b6a572917354c\r\nSize: 73728\r\nAscii Strings:\r\n---------------------------------------------------------------------------\r\n!This program cannot be run in DOS 
mode.\r\nRichK6\r\nt#cP[LordPE]\r\nSPC3\r\n.text\r\n`.rdata\r\n@.data\r\nRtlImageNtHeader\r\nRtlImageDirectoryEntryToData\r\nLdrProcessRelocationBlock\r\n----------------------------------------------------snip------------------------------------------------------\r\nRtlExitUserThread\r\nwcslen\r\nswprintf\r\nLdrGetProcedureAddress\r\nwcsrchr\r\nwcscpy\r\nwcscat\r\nZwOpenFile\r\nRtlInitUnicodeString\r\nZwReadFile\r\nZwClose\r\nZwWriteFile\r\nZwOpenEvent\r\nZwQueryVolumeInformationFile\r\nmemcpy\r\nRtlAppendUnicodeToString\r\nRtlConvertSidToUnicodeString\r\nZwOpenProcessToken\r\nZwQueryInformationToken\r\nZwCreateEvent\r\nLdrFindEntryForAddress\r\nZwCreateEventPair\r\nZwSetHighWaitLowEventPair\r\nZwWaitHighEventPair\r\nZwSetLowEventPair\r\nmemset\r\nRtlInterlockedPushEntrySList\r\nRtlInterlockedPopEntrySList\r\nRtlNtStatusToDosError\r\nZwCreateSection\r\nZwMapViewOfSection\r\nZwUnmapViewOfSection\r\nRtlTimeToSecondsSince1980\r\nqsort\r\nZwQueryEaFile\r\nZwQueryDirectoryFile\r\nwcstoul\r\nZwDeleteFile\r\nZwCreateFile\r\nZwSetEaFile\r\nZwSetInformationFile\r\nRtlAddressInSectionTable\r\nRtlComputeCrc32\r\nntdll.dll\r\nVirtualAlloc\r\nLoadLibraryA\r\nEnterCriticalSection\r\nLeaveCriticalSection\r\nVirtualFree\r\nLoadLibraryW\r\nFreeLibrary\r\nSleep\r\nSleepEx\r\nInitializeCriticalSection\r\nDeleteCriticalSection\r\nGetProcAddress\r\nDisableThreadLibraryCalls\r\nCreateThread\r\nCreateTimerQueueTimer\r\nDeleteTimerQueueTimer\r\nLocalAlloc\r\nLocalFree\r\nBindIoCompletionCallback\r\nGetLastError\r\nGetSystemTimeAsFileTime\r\nKERNEL32.dll\r\nMD5Init\r\nMD5Update\r\nMD5Final\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 4 of 
18\n\nCryptAcquireContextW\r\nCryptImportKey\r\nCryptGenRandom\r\nCryptDestroyKey\r\nCryptReleaseContext\r\nCryptCreateHash\r\nCryptSetHashParam\r\nCryptVerifySignatureW\r\nCryptDestroyHash\r\nADVAPI32.dll\r\nAcceptEx\r\nMSWSOCK.dll\r\nWSASocketW\r\nWSAIoctl\r\nWSARecv\r\nWSASend\r\nWSASendTo\r\nWSARecvFrom\r\nWS2_32.dll\r\nRtlUnwind\r\nNtQueryVirtualMemory\r\nt#cP\r\np2p.32.dll\r\nDllGetClassObject\r\n@S0j\r\n@p0j\r\n@p0j\r\nT0j@\r\nU0j@\r\n0*0k0\r\n1\u0026101B1J1[1b1p1v1\r\n2#2(2?2H2g2y2\r\n2H3Q3m3s3\r\n41484`4r4x4\r\n546;6B6]6b6n6\r\n7\u0026757;7U7h7q7\r\n8+888=8H8M8X8]8j8p8\r\n9#90969@9J9P9W9^9e9j9o9\r\n9F:M:T:Z:b:\r\n;%;2;\r\n=$=2=\u003c=s= \u003eq?{?\r\n3*3s3~3R4m4z4\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 5 of 18\n\n545Y5z5\r\n6E6J6\r\n6O7t7\r\n9,9C9i9\r\n9$:/:G:i:\r\n;%;,;M;];\r\n;3\u003c: data-blogger-escaped-i=\"i\" data-blogger-escaped-j=\"j\" data-blogger-escaped-z=\"z\"\u003eq\u003e\r\n?.?\u003e?P?^?p?\r\n0(0:0F0W0h0\r\n1#121R1\r\n313R3Y3_3q3v3\r\n4!4t4z4\r\n5?5|5\r\n9+9A9K9\r\n;,;R;[;t;\r\n\u003c$\u003c*\u003c0 data-blogger-escaped-00080=\"00080\" data-blogger-escaped-1.141=\"1.141\" data-blogger-escaped-6=\"6\"\r\ndata-blogger-escaped-al=\"al\" data-blogger-escaped-b=\"b\" data-blogger-escaped-d0t0=\"d0t0\" data-blogger-escaped-ddev=\"ddev\" data-blogger-escaped-h=\"h\" data-blogger-escaped-iy=\"iy\" data-blogger-escaped-m=\"m\"\r\ndata-blogger-escaped-ur=\"ur\"\u003e2i1FQ\r\nq'.C\r\n)5Rb\r\n!Q[#\\\r\n5L@0\r\n5e{u\r\n-~G5\r\niV:RE\r\nScwn=\r\n/dq_\r\nm|XK\r\nvT{!\r\ng]a%Ph\r\nZ,Jn\r\ngf[G:C0!\r\n\u003eZe\\#\r\nb'fg\r\n(m9/\r\n\"0Gk_\r\n@Vc}X\r\nJ+[YR~m\r\nOl\"`o\r\nL*s~t6L\r\n(-w^\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 6 of 18\n\nRdHQ\r\nis*X\r\nLclu)\r\n[TRg\"\r\nk#lhK\u0026\r\n2)\\a\r\nN3?2t-%\r\n}vX}\r\n=0^FBO\r\nJfjo\r\nhNHWF\r\nEub!\r\n%h:A\r\nZn=p\r\n#`N$\r\n%JQ3\r\nCVy\\\r\nn_\"/?\r\nAYQD\r\n_pB0\r\n@-S\r\nWQ\u003c6 
data-blogger-escaped-3cbi=\"3cbi\" data-blogger-escaped-fdrtg=\"fdrtg\" data-blogger-escaped-gj=\"gj\" data-blogger-escaped-vb=\"e\" data-blogger-escaped-y=\"y\"\u003e\r\nKz!81\r\n)v L\r\nX-vy\r\nYgB\\\r\n\\Y82aM\"\r\n==.yf\r\n2z\"-{\r\n^guA\r\n,~qw)\r\n7z2F\r\n-IR4j;z1|\r\n\u003e!Nh\r\nOZWG\r\ns\u0026h!\\\r\nrKhi/\r\niVrOhi\r\n7']lM\r\nK64}\r\nivYi\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 7 of 18\n\n|fpK\r\nJd$\u003c 9CX? .t'TR O6qa |-De mTB` \\BL\\* m`Wo mB\"XpH 2C|d X\\,j /\"JE VW\u003eb\r\ngP,.-\r\n%m|SXG\r\naOBY\r\nA`3\"kr9 D\r\ndRIT\r\nPgBeb\r\n~pi2C\r\nUSER32.dll\r\nCreateWindowExW\r\nInvalidateRgn\r\nPostMessageW\r\nUpdateWindow\r\nSetTimer\r\nIsIconic\r\nGetSystemMetrics\r\nGetClientRect\r\nDrawIcon\r\nEnableWindow\r\nPostQuitMessage\r\nSetWindowPos\r\nMapDialogRect\r\nKERNEL32.dll\r\nGetVersionExW\r\nSetUnhandledExceptionFilter\r\nQueryPerformanceCounter\r\nGetSystemTimeAsFileTime\r\nGetModuleHandleW\r\nFreeEnvironmentStringsA\r\nGetEnvironmentStrings\r\nFreeEnvironmentStringsW\r\nGetEnvironmentStringsW\r\nGetCommandLineA\r\nSetHandleCount\r\nGetStdHandle\r\nGetFileType\r\nGetStartupInfoA\r\nHeapDestroy\r\nHeapCreate\r\nVirtualFree\r\nGetModuleFileNameA\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 8 of 
18\n\nTerminateProcess\r\nUnhandledExceptionFilter\r\nGetACP\r\nGetOEMCP\r\nGetCPInfo\r\nIsValidCodePage\r\nHeapReAlloc\r\nGetTimeZoneInformation\r\nDebugBreak\r\nOutputDebugStringA\r\nWriteConsoleW\r\nOutputDebugStringW\r\nLCMapStringA\r\nLCMapStringW\r\nGetStringTypeA\r\nOLEAUT32.dll\r\nOleLoadPicture\r\nDispGetIDsOfNames\r\nSafeArrayAllocDescriptor\r\nGetErrorInfo\r\nSetErrorInfo\r\nVariantClear\r\nOleLoadPictureEx\r\nADVAPI32\r\nRegQueryInfoKeyA\r\nRegSetValueExA\r\nRegOpenKeyExA\r\nRegCreateKeyExA\r\nRegCloseKey\r\nRegDeleteValueA\r\nRegDeleteKeyA\r\nRegEnumKeyExA\r\nSHLWAPI.dll\r\nPathFindExtensionA\r\nWIS_EX\r\nO3b3~3\r\n3;4$6\r\n;9=~=)?\r\n4\u003e5L7\r\n=6\u003eS?s?\r\n9.:q:\r\n414S4\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 9 of 18\n\n7H7j7\r\n6?:l;\r\nUnicode Strings:\r\n---------------------------------------------------------------------------\r\n\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D79}\r\n\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D77}\r\n\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D78}\r\n%sU\\%08x.@\r\nS-1-5-18\r\n\\??\\%sU\r\n\\??\\%s@\r\n\\BaseNamedObjects\\Restricted\\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}\r\nshell32.dll\r\nwbem\\fastprox.dll\r\n\\systemroot\r\nRECYCLER\\\r\n$Recycle.Bin\\\r\n\\$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x\\\r\nc:\\windows\\system32\\z\r\n????????.@\r\n%08x.@\r\n%08x.$\r\n%08x.~\r\nMicrosoft Base Cryptographic Provider v1.0\r\nTraffic\r\n| \u003c- data-blogger-escaped--=\"-\"\u003e | | Total |\r\n| Frames Bytes | | Frames Bytes | | Frames Bytes |\r\n172.16.253.130 \u003c-\u003e 81.17.26.187 50 46654 31 3711 81 50365\r\n172.16.253.130 \u003c-\u003e 67.81.86.2 41 38700 30 1696 71 40396\r\n172.16.253.255 \u003c-\u003e 172.16.253.1 57 10592 0 0 57 10592\r\n172.16.253.130 \u003c-\u003e 50.22.196.70 8 1880 10 696 18 2576\r\n194.165.17.3 \u003c-\u003e 172.16.253.130 10 620 0 0 10 
620\r\n172.16.253.130 \u003c-\u003e 66.85.130.234 0 0 9 558 9 558\r\n172.16.253.130 \u003c-\u003e 8.8.8.8 4 463 4 296 8 759\r\n224.0.0.22 \u003c-\u003e 172.16.253.130 7 378 0 0 7 378\r\n217.16.132.181 \u003c-\u003e 172.16.253.130 3 174 3 1830 6 2004\r\n172.16.253.130 \u003c-\u003e 24.177.187.254 2 1220 2 116 4 1336\r\n172.16.253.130 \u003c-\u003e 90.230.66.250 2 1220 2 116 4 1336\r\n172.16.253.130 \u003c-\u003e 68.3.172.252 2 1220 2 116 4 1336\r\n172.16.253.130 \u003c-\u003e 68.39.227.12 2 1220 2 116 4 1336\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 10 of 18\n\n172.16.253.130 \u003c-\u003e 98.192.218.116 2 1220 2 116 4 1336\r\n172.16.253.130 \u003c-\u003e 85.137.174.6 2 1220 2 116 4 1336\r\n201.211.32.247 \u003c-\u003e 172.16.253.130 2 116 2 1220 4 1336\r\n211.7.72.252 \u003c-\u003e 172.16.253.130 1 58 3 1830 4 1888\r\n172.16.253.130 \u003c-\u003e 71.205.240.248 2 1220 2 116 4 1336\r\n222.147.143.23 \u003c-\u003e 172.16.253.130 2 116 2 1220 4 1336\r\n172.16.253.130 \u003c-\u003e 66.31.49.90 2 1220 2 116 4 1336\r\n180.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n184.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n190.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n201.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n212.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n213.253.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n172.16.253.130 \u003c-\u003e 71.254.253.254 0 0 4 232 4 232\r\n172.16.253.130 \u003c-\u003e 87.254.253.254 0 0 4 232 4 232\r\n172.16.253.130 \u003c-\u003e 88.254.253.254 0 0 4 232 4 232\r\n172.16.253.130 \u003c-\u003e 115.254.253.254 0 0 4 232 4 232\r\n172.16.253.130 \u003c-\u003e 135.254.253.254 0 0 4 232 4 232\r\n180.254.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n190.254.253.254 \u003c-\u003e 172.16.253.130 4 232 0 0 4 232\r\n172.16.253.130 \u003c-\u003e 122.108.42.3 2 1220 1 58 3 1278\r\n172.16.253.130 \u003c-\u003e 
77.38.241.250 2 1220 1 58 3 1278\r\n172.16.253.130 \u003c-\u003e 24.192.219.246 0 0 3 174 3 174\r\n187.24.70.8 \u003c-\u003e 172.16.253.130 1 58 2 660 3 718\r\n172.16.253.130 \u003c-\u003e 24.62.58.244 1 610 2 116 3 726\r\n239.255.255.250 \u003c-\u003e 172.16.253.130 3 525 0 0 3 525\r\n173.217.207.244 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n187.37.221.247 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 77.239.75.251 1 190 1 58 2 248\r\n174.6.201.58 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 96.37.24.59 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.134.198.91 1 610 1 58 2 668\r\n217.122.27.18 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 67.249.162.249 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 149.169.251.240 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 79.119.48.248 1 610 1 58 2 668\r\n213.238.99.54 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n190.18.75.10 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n174.5.212.39 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 72.185.161.253 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 76.10.148.252 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 121.88.136.25 1 610 1 58 2 668\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 11 of 18\n\n190.188.23.234 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n181.46.99.30 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 24.251.155.31 1 610 1 58 2 668\r\n216.212.30.6 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 68.227.164.2 1 610 1 58 2 668\r\n221.31.86.14 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 50.89.229.3 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 24.8.220.1 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 76.85.130.1 1 610 1 58 2 668\r\n201.242.155.52 \u003c-\u003e 172.16.253.130 
1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 68.97.69.21 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 78.210.148.146 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 132.239.127.98 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.197.22.12 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 71.86.90.31 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 82.130.176.36 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 71.75.94.251 1 610 1 58 2 668\r\n184.63.10.2 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 68.198.104.16 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 68.63.59.19 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 72.208.52.19 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.88.223.17 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.78.96.3 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 62.83.76.8 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 24.189.56.15 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 72.9.76.230 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 37.61.145.4 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 114.42.77.245 1 610 1 58 2 668\r\n186.95.53.23 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 98.244.14.31 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 50.138.151.250 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 83.166.29.245 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 97.82.141.252 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.210.227.231 1 610 1 58 2 668\r\n190.183.66.239 \u003c-\u003e 172.16.253.130 2 116 0 0 2 116\r\n172.16.253.130 \u003c-\u003e 83.155.101.250 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 67.171.167.239 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 98.226.151.245 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 78.136.84.249 1 610 1 58 2 668\r\n187.11.74.251 \u003c-\u003e 172.16.253.130 1 58 1 330 2 388\r\n172.16.253.130 \u003c-\u003e 98.15.165.19 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 83.250.104.244 1 
610 1 58 2 668\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 12 of 18\n\n172.16.253.130 \u003c-\u003e 66.25.254.251 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 75.108.175.6 1 610 1 58 2 668\r\n200.83.116.254 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 67.86.22.250 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 85.219.65.249 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 93.129.51.17 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 50.82.72.7 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 84.22.46.10 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 68.3.136.248 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 42.2.8.26 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 74.50.161.16 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 92.36.232.253 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 67.242.141.7 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 68.97.192.245 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 76.179.132.243 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 109.91.69.10 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 72.228.143.4 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 24.122.95.248 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 71.230.164.254 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 88.156.158.252 1 610 1 58 2 668\r\n184.155.119.6 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 92.245.80.12 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 75.74.147.252 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 75.178.72.213 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 24.50.88.235 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 68.200.221.136 1 610 1 58 2 668\r\n201.82.178.48 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n201.213.33.102 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 68.230.14.194 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 66.75.24.66 1 610 1 58 2 
668\r\n172.16.253.130 \u003c-\u003e 50.149.21.3 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 69.244.161.47 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 68.50.37.55 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 75.109.4.31 1 610 1 58 2 668\r\n217.29.105.122 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 71.142.137.30 1 610 1 58 2 668\r\n189.47.43.134 \u003c-\u003e 172.16.253.130 1 58 1 610 2 668\r\n172.16.253.130 \u003c-\u003e 96.54.179.14 1 610 1 58 2 668\r\n172.16.253.130 \u003c-\u003e 65.55.21.20 1 90 1 90 2 180\r\n172.16.253.254 \u003c-\u003e 172.16.253.130 0 0 2 684 2 684\r\n255.255.255.255 \u003c-\u003e 0.0.0.0 2 697 0 0 2 697\r\n209.33.87.124 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 13 of 18\n\n172.16.253.130 \u003c-\u003e 66.67.35.253 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 66.103.121.14 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 76.209.55.86 0 0 1 58 1 58\r\n181.164.33.60 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 75.72.214.254 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 95.234.193.232 0 0 1 58 1 58\r\n209.188.69.239 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 114.42.103.2 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 69.113.243.26 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 46.42.233.237 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 170.51.113.2 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 65.181.33.2 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 31.147.118.11 0 0 1 58 1 58\r\n189.100.56.246 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 80.198.94.247 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 41.200.172.238 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 42.72.147.237 0 0 1 58 1 58\r\n184.41.210.243 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 108.35.221.6 0 0 1 58 1 58\r\n172.16.253.130 
\u003c-\u003e 96.20.100.20 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 93.114.195.25 0 0 1 58 1 58\r\n189.68.39.1 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 92.86.70.249 0 0 1 58 1 58\r\n190.108.27.11 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n184.6.88.20 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n205.204.22.110 \u003c-\u003e 172.16.253.130 1 58 0 0 1 58\r\n172.16.253.130 \u003c-\u003e 24.247.237.237 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 76.20.50.19 0 0 1 58 1 58\r\n172.16.253.130 \u003c-\u003e 91.242.217.247 0 0 1 62 1 62\r\n172.16.253.130 \u003c-\u003e 4.2.2.2 0 0 1 76 1 76\r\n=========================================================\r\nhttps://www.virustotal.com/file/984fb2e07de82bc4a228c715dd0790e45dc1d104f6a9b082da9a4cecc0e151b7/analysis/\r\nSHA256: 984fb2e07de82bc4a228c715dd0790e45dc1d104f6a9b082da9a4cecc0e151b7\r\nSHA1: 5842f0d4fe3f177f2bb06a2e5878da55f7d814c7\r\nMD5: 251a2c7eff890c58a9d9eda5b1391082\r\nFile size: 160.5 KB ( 164352 bytes )\r\nFile name: vti-rescan\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 14 / 46\r\nAnalysis date: 2012-12-26 05:35:35 UTC ( 1 hour, 12 minutes ago )\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 14 of 18\n\nAntiVir TR/Kazy.131060 20121225\r\nAvast Win32:ZAccess-NF [Trj] 20121226\r\nBitDefender Trojan.Generic.KDZ.2714 20121226\r\nDrWeb Trojan.DownLoader7.45342 20121226\r\nESET-NOD32 a variant of Win32/Kryptik.AREI 20121225\r\nF-Secure Trojan.Generic.KDZ.2714 20121225\r\nFortinet W32/Kryptik.ARCN!tr 20121226\r\nGData Trojan.Generic.KDZ.2714 20121226\r\nKaspersky Backdoor.Win32.ZAccess.apvo 20121226\r\nKingsoft Win32.Hack.ZAccess.ap.(kcloud) 20121225\r\nMalwarebytes Rootkit.0Access 20121226\r\nMicrosoft Trojan:Win32/Sirefef.P 20121226\r\nTrendMicro-HouseCall TROJ_GEN.R47H1LP 20121225\r\nViRobot Backdoor.Win32.A.ZAccess.164352.E 
20121226\r\nhttps://www.virustotal.com/file/d9dfcc507d773bf76075eed8abbb61e54f03f5f920b5c348fd7a0bf5f7bab3dd/analysis/\r\nSHA256: d9dfcc507d773bf76075eed8abbb61e54f03f5f920b5c348fd7a0bf5f7bab3dd\r\nSHA1: 56104a626101126eed10e65171a26e25b6e50712\r\nMD5: 1a12137bd701bd9ed607671ce1b7806a\r\nFile size: 160.5 KB ( 164352 bytes )\r\nFile name: amateur_dog_sex_01.avi.exe\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 6 / 46\r\nAnalysis date: 2012-12-25 10:50:38 UTC ( 19 hours, 59 minutes ago )\r\nBitDefender Gen:Variant.Kazy.131060 20121225\r\nF-Secure Gen:Variant.Kazy.131060 20121225\r\nKaspersky Backdoor.Win32.ZAccess.apvo 20121225\r\nMalwarebytes Rootkit.0Access 20121225\r\nTrendMicro-HouseCall TROJ_GEN.F47V1225 20121225\r\nhttps://www.virustotal.com/file/13586ffeca632e34c5813dcce4729b20852db0c9fb3ae0b6319699c739f5be29/analysis/\r\nSHA256: 13586ffeca632e34c5813dcce4729b20852db0c9fb3ae0b6319699c739f5be29\r\nSHA1: 865cf7a7ff3dde0828e7764751d76c8df6291506\r\nMD5: 59b247f0266b107451104243261a7ecf\r\nFile size: 159.5 KB ( 163328 bytes )\r\nFile name: animal-xxx-movie.avi.exe\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 13 / 46\r\nAnalysis date: 2012-12-25 19:00:57 UTC ( 11 hours, 50 minutes ago )\r\nAhnLab-V3 Backdoor/Win32.ZAccess 20121225\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 15 of 18\n\nAvast Win32:ZAccess-NF [Trj] 20121226\r\nBitDefender Trojan.Generic.KD.817138 20121225\r\nDrWeb Trojan.DownLoader7.45437 20121226\r\nESET-NOD32 a variant of Win32/Kryptik.AREI 20121225\r\nF-Secure Trojan.Generic.KD.817138 20121225\r\nFortinet W32/Kryptik.ARCN!tr 20121225\r\nGData Trojan.Generic.KD.817138 20121225\r\nKaspersky Backdoor.Win32.ZAccess.apzt 20121225\r\nMalwarebytes Rootkit.0Access 20121225\r\nMcAfee-GW-Edition - 20121225\r\nMicrosoft Trojan:Win32/Meredrop 20121226\r\nMicroWorld-eScan Trojan.Generic.KD.817138 20121225\r\nTrendMicro-HouseCall TROJ_GEN.F47V1225 20121225\r\nSHA256: 
ac263c2267892fc9995ad841fc649e2071f8626dcc0d2d27cbce4ab6cb54f4ca\r\nSHA1: 33395e02036526ef7c3ab05afb137c7af2bcd6df\r\nMD5: 98a993d62d367682048ec70df109e7d8\r\nFile size: 161.0 KB ( 164864 bytes )\r\nFile name: vti-rescan\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 20 / 46\r\nAnalysis date: 2012-12-26 05:39:43 UTC ( 1 hour, 12 minutes ago ) \r\nAhnLab-V3 Backdoor/Win32.ZAccess 20121225\r\nAntiVir TR/Rogue.kdz.2666.1 20121225\r\nAvast Win32:ZAccess-NE [Trj] 20121226\r\nAVG BackDoor.Generic16.ZLB 20121225\r\nBitDefender Trojan.Generic.KDZ.2666 20121226\r\nComodo UnclassifiedMalware 20121226\r\nDrWeb Trojan.DownLoader7.45110 20121226\r\nESET-NOD32 a variant of Win32/Kryptik.AREI 20121225\r\nF-Secure Trojan.Generic.KDZ.2666 20121225\r\nhttp://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html\r\nPage 16 of 18\n\nFortinet W32/ZAccess.APQP!tr.bdr 20121226\r\nGData Trojan.Generic.KDZ.2666 20121226\r\nKaspersky Backdoor.Win32.ZAccess.apqp 20121226\r\nKingsoft Win32.Malware.Generic.a.(kcloud) 20121225\r\nMalwarebytes Rootkit.0Access 20121226\r\nMcAfee-GW-Edition - 20121226\r\nMicrosoft Trojan:Win32/Sirefef.P 20121226\r\nnProtect Trojan.Generic.KDZ.2666 20121225\r\nPanda Suspicious file 20121225\r\nTrendMicro-HouseCall TROJ_GEN.R47H1LP 20121225\r\nVIPRE Trojan.Win32.Generic!BT 20121226\r\nViRobot Backdoor.Win32.A.ZAccess.164864.L 20121226\r\nSHA256: 71b38f041b4a4ae169c44e3aff412e527e1156f92c27f1340a8abe70a45bee10\r\nSHA1: 6d21fc25b9da49d746b2b7609a5efaed4d332e6a\r\nMD5: a2611095f689fadffd3068e0d4e3e7ed\r\nFile size: 160.0 KB ( 163840 bytes )\r\nFile name: amateur_dog_sex_01.avi.exe\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 14 / 45\r\nAnalysis date: 2012-12-26 00:19:54 UTC ( 6 hours, 35 minutes ago ) \r\nAvast Win32:ZAccess-NF [Trj] 20121226\r\nBitDefender Trojan.Generic.KD.817217 20121226\r\nComodo TrojWare.Win32.Trojan.Agent.Gen 20121226\r\nDrWeb Trojan.DownLoader7.45527 20121226\r\nEmsisoft Backdoor.Win32.ZAccess (A) 
20121226\r\nFortinet W32/Kryptik.ARCN!tr 20121226\r\nGData Trojan.Generic.KD.817217 20121226\r\nIkarus Backdoor.Win32.ZAccess 20121226\r\nKaspersky Backdoor.Win32.ZAccess.aqep 20121226\r\nKingsoft Win32.Malware.Generic.a.(kcloud) 20121225\r\nMalwarebytes Rootkit.0Access 20121226\r\nMcAfee-GW-Edition - 20121226\r\nMicroWorld-eScan Trojan.Generic.KD.817217 20121226\r\nSUPERAntiSpyware - 20121224\r\nSymantec WS.Reputation.1 20121226\r\nTrendMicro-HouseCall TROJ_GEN.RFFH1LQ 20121226\r\nSource: http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html"
	],
	"report_names": [
		"zeroaccess-sirefef-rootkit-5-fresh.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c146bdd1dfc40e71ca81557ecc5443fdbcf210ab.pdf",
		"text": "https://archive.orkl.eu/c146bdd1dfc40e71ca81557ecc5443fdbcf210ab.txt",
		"img": "https://archive.orkl.eu/c146bdd1dfc40e71ca81557ecc5443fdbcf210ab.jpg"
	}
}