Gen:Variant.Mikey.53671 (B) (Emsisoft), Gen:Variant.Mikey.53671 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, SearchProtectToolbar.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a5f67d72585374944214bf0515a8f89e
SHA1: 3fbf23c2a2816e7715c1e58061fd90072d7b52b1
SHA256: 031c1e3b2e7a7116d763020ee95a73d0d80905fee5235cfce29053748e51987e
SSDeep: 24576:2Xidl4Xf8noZwpKQcim9YOmTRXYypqfFkiYjPu3wNb53N/ A9Qs5:2X l4Xf8noZwpKQcim9YOmTRIyp Fkia
Size: 866304 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-30 20:25:07
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3640
AF8.tmp.exe:704
2DB5.tmp.exe:3392
The Trojan injects its code into the following process(es):
2DB5.tmp.exe:3784
mshta.exe:1876
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)
The process AF8.tmp.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
The process 2DB5.tmp.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (0 bytes)
The process mshta.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)
Registry activity
The process %original file name%.exe:3640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
The process AF8.tmp.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "UN"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
The process 2DB5.tmp.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "3465448718"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx,1"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"
[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\"
The process mshta.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
5fe59fc57869508e1c84812dbd36ce3b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe |
abd8436cde5d6d9e93f100696833a432 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe |
eaba486ca44ce139b1a6c2520fe61837 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll |
eed49c88dba5f2aa10cbd3acf66d899d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx |
abd8436cde5d6d9e93f100696833a432 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3640
AF8.tmp.exe:704
2DB5.tmp.exe:3392
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Russian
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 804428 | 804864 | 4.03481 | 155fea8d8fe3d0ecd5d1496f7e6807ae |
.rdata | 811008 | 15226 | 15360 | 3.72657 | 7ec49599859d637936160683ed7c4691 |
.data | 827392 | 19468 | 5120 | 2.36152 | dca73757d8c69906e7ea30d4a202ef06 |
.rsrc | 847872 | 1944 | 2048 | 3.40613 | 906292853ebc9065ed2761365638d1c5 |
.reloc | 851968 | 37846 | 37888 | 4.38762 | bbca78fffe2008893ae82c0edbdc7037 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50 | |
hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ | |
hxxp://ip-api.com/json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093 | |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=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 | |
hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ | 67.215.238.66 |
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | 107.20.217.71 |
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjM3ODQiLCJoIjoibzNlTmlNS0RVQWtSckVMYiIsInYiOiIxMTAzMzk2OTQiLCJiIjo0MjYwNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIyNiIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9 | 107.20.217.71 |
router.utorrent.com | 82.221.103.244 |
s3-us-west-2.amazonaws.com | 54.231.176.240 |
router.bittorrent.com | 67.215.246.10 |
api.mediaconfig.net | 104.27.181.218 |
s3.amazonaws.com | 54.231.113.200 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248
{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"1"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:19 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ip-api.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript; charset=utf-8
Date: Wed, 16 Nov 2016 03:30:41 GMT
Content-Length: 321
jQuery19104680431319236995_1479267031092({"as":"AS31561 PITLINE-AS","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});
GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ HTTP/1.1
Host: download-lb.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 0
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Wed, 16 Nov 2016 03:30:19 GMT
Content-Type: application/octet-stream
Content-Length: 2433394
Connection: close
X-bt-sig: e45628ba9017b03bf753bb594522832bb887f01252f10e491abd62777107f08c164919d4cd2c6a689096026ed96ba079eae046a1f8e849ee260627522f6e3e8187fafc361ac39ee6ea4286bc191fe72d2b04fdc1c1e959967f9b1071bd545a21d57cf685d753e90fe2716cbc373f6111bbc08e80a8ab6dc4e7b7ca1875491d3250a413091460df232811157e8ac94ccc16e27f86e1b2fae06d85134b412bfea212ca232e8d54563d735c41cdc5e9fa04e71e6bc882efe31a3785104a37fe8d1518016cc9816654e2d16f3cfa2c55726e9a0f7547367f873b23eb28f8c00937e6f30a8cd6aa6fdc6170de1da1630830d62b7b81d84ddf630cefcc3727a277846c
Last-Modified: Wed, 26 Oct 2016 01:55:28 0000
Accept-Ranges: none
Content-Disposition: attachment; filename="hta.zip"
X-bt-size: 2433394
Cache-Control: private
X-rl-mx: true
Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9
Content-MD5: a2929026e7bb88527b8fae3606ec75fa
Expires: Tue, 01 Jan 1980 00:00:00 0000
X-bt-hash: 827ff98342a0f809fee80ea0dd3a701d77d2578d
PK.........[YIF1~ti...i.......index.hta<html>..<head>. <title>Loading...</title>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=9">. <meta http-equiv="MSThemeCompatible" content="yes">.. <script src="scripts/initialize.js"></script>.. <link rel="stylesheet" href="styles/common.css"/>.. <!--[if lte IE 8]>. <script src="scripts/es5-shim.js"></script>. <![endif]-->..</head>..<body class="installer_body">. <!-- this is the loading img while loading offer page -->. <div id='loading_img'></div>.</body>..<script src="scripts/common.js"></script>..<script src="scripts/install.js"></script>..</html>.PK.........[YIw[Yy?...?.......uninstall.hta<html>..<head>. <title>Loading...</title>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=9">. <meta http-equiv="MSThemeCompatible" content="yes">.. <script src="scripts/initialize.js"></script>.. <link rel="stylesheet" href="styles/common.css"/>... <!--[if lte IE 8]>. <script language="javascript" type="text/javascript" src='scripts/es5-shim.js'></script>. <![endif]-->..</head>..<body class="installer_body">.</body>..<script src="scripts/common.js"></script>...<script src="scripts/uninstall.js"></script
<<< skipped >>>
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 234
{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"0"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:19 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 261
{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"2"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:29 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /e?i=50&e=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 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: i-50.b-000.xyz.bench.utorrent.com
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:42 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: keep-alive
{"response_code":200}..
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 270
{"eventName":"hydra1","action":"INFO","type":"i","res":"1916x902","cts":"1479267028","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"3"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:29 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3640:
.text
`.rdata
@.data
.rsrc
@.reloc
%s.ef
HKEY
%s %s
%s %d
%s%s%s%s%s
%s near end of file
%s near '%s'
unable to decode byte 0x%x
invalid Unicode '\uX'
invalid Unicode '\uX\uX'
control character 0x%x
duplicate object key
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
ole32.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpReadData
WinHttpQueryDataAvailable
WINHTTP.dll
USER32.dll
OLEAUT32.dll
IPHLPAPI.DLL
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
status=IS&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&user_hash=&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_agent=IE&trsrc=1
user_agent=IE&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&proc=System,smss.exe,csrss.exe,wininit.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,lsm.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,svchost.exe,vmtoolsd.exe,TPAutoConnSvc.exe,taskhost.exe,explorer.exe,svchost.exe,TPAutoConnect.exe,conhost.exe,vmtoolsd.exe,dllhost.exe,SearchIndexer.exe,msdtc.exe,svchost.exe,WmiPrvSE.exe,sandbox_svc.exe,conhost.exe,taskhost.exe,cmd.exe,conhost.exe,tshark.exe,cmd.exe,conhost.exe,Procmon.exe&main=1&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_hash=&trsrc=1 &aff=trs1&enc=
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
status=%s&uuid=%s&user_os=%s&user_hash=%s&v=%s&nuuid=%s&user_agent=%s&trsrc=%s
kernel32.dll
updater_url
%s.exe
updater_cmd
c:\%original file name%.exe
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Content-Type: application/x-www-form-urlencoded
user_agent=IE&uuid=%hs&user_os=%hs&proc=%s&main=%hs&v=%hs&nuuid=%hs&user_hash=%hs&trsrc=%hs&aff=%hs&enc=%hs
https
hXXps://s3-us-west-2.amazonaws.com/151125/helloworld.exe
api.wiseinstaller.net
4.6.1.4
quia.mp3
mshta.exe_1876:
.text
`.data
.rsrc
@.reloc
clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32
msvcrt.dll
KERNEL32.dll
ADVAPI32.dll
RegCloseKey
RegOpenKeyExA
_amsg_exit
_acmdln
mshta.pdb
name="Microsoft.Windows.InetCore.mshta"
version="5.1.0.0"
Kernel32.dll
2kernel32.dll
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
MSHTA.EXE
Windows
9.00.8112.16421