Trojan-Downloader.Win32.Dofoil.bqxt (Kaspersky), Gen:Variant.Kazy.651510 (B) (Emsisoft), Gen:Variant.Kazy.651510 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bbaa166030f437fd4f202c8d60c730b7
SHA1: 7ae6fc5bc6a26912d9d49117341c76db0e931192
SHA256: b756dce0576a570d0e5fdfd28e46cf2b533c11ee23b9e4a16bf4ecaf4e494fab
SSDeep: 6144:QQ/XrBxnFWdTkbtxZLIhD7rpVw2gxbE9A86ck/zGrcAgEIY0ujITABtM2agxC0wD:Q4rBxnLxZWrpVw2 A9nuiQAgPumAwF
Size: 413741 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-24 22:24:48
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program which downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:580
mofcomp.exe:2552
WindowsXP-KB968930-x86-ENG.exe:1964
ngen.exe:3920
ngen.exe:3496
ngen.exe:3928
ngen.exe:3944
ngen.exe:3556
ngen.exe:3456
ngen.exe:3472
ngen.exe:3516
ngen.exe:3572
ngen.exe:3580
ngen.exe:3488
ngen.exe:3912
ngen.exe:3588
ngen.exe:3480
ngen.exe:3936
ngen.exe:3464
ngen.exe:3404
ngen.exe:3508
ngen.exe:3428
ngen.exe:3540
ngen.exe:3564
ngen.exe:3548
ngen.exe:3888
update.exe:1944
PSCustomSetupUtil.exe:2928
PSCustomSetupUtil.exe:3612
PSCustomSetupUtil.exe:3716
PSCustomSetupUtil.exe:2612
PSCustomSetupUtil.exe:3636
PSCustomSetupUtil.exe:2652
PSCustomSetupUtil.exe:2840
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:3596
PSCustomSetupUtil.exe:2880
PSCustomSetupUtil.exe:3692
PSCustomSetupUtil.exe:3024
PSCustomSetupUtil.exe:3088
PSCustomSetupUtil.exe:2816
PSCustomSetupUtil.exe:3768
PSCustomSetupUtil.exe:3668
PSCustomSetupUtil.exe:3740
PSCustomSetupUtil.exe:3136
PSCustomSetupUtil.exe:3172
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:2952
PSCustomSetupUtil.exe:3808
PSCustomSetupUtil.exe:3112
PSCustomSetupUtil.exe:2752
PSCustomSetupUtil.exe:2676
PSCustomSetupUtil.exe:2792
PSSetupNativeUtils.exe:4052
mscorsvw.exe:3580
mscorsvw.exe:600
mscorsvw.exe:3940
mscorsvw.exe:2436
mscorsvw.exe:2808
mscorsvw.exe:3412
mscorsvw.exe:2524
mscorsvw.exe:2204
mscorsvw.exe:3512
mscorsvw.exe:2328
mscorsvw.exe:1072
mscorsvw.exe:2268
mscorsvw.exe:1508
mscorsvw.exe:2604
mscorsvw.exe:2708
mscorsvw.exe:3264
mscorsvw.exe:164
mscorsvw.exe:3700
mscorsvw.exe:3204
mscorsvw.exe:960
mscorsvw.exe:3788
mscorsvw.exe:4076
mscorsvw.exe:1064
mscorsvw.exe:2168
mscorsvw.exe:2376
wsmanhttpconfig.exe:2532
wsmanhttpconfig.exe:2484
The Trojan injects its code into the following process(es):
svchost.exe:636
svchost.exe:1324
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process mofcomp.exe:2552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\1825901857bd78668d\about_type_operators.help.txt (5 bytes)
C:\1825901857bd78668d\winrm.vbs (2727 bytes)
C:\1825901857bd78668d\update (4 bytes)
C:\1825901857bd78668d\eventforwarding.adm (2 bytes)
C:\1825901857bd78668d\about_windows_powershell_ise.help.txt (6 bytes)
C:\1825901857bd78668d\about_ref.help.txt (1 bytes)
C:\1825901857bd78668d\pwrshplugin.dll (802 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.resources.dll (9 bytes)
C:\1825901857bd78668d\wsmplpxy.dll (603 bytes)
C:\1825901857bd78668d\powershell_ise.exe (2526 bytes)
C:\1825901857bd78668d\about_join.help.txt (2 bytes)
C:\1825901857bd78668d\winrs.exe (1154 bytes)
C:\1825901857bd78668d\about_hash_tables.help.txt (6 bytes)
C:\1825901857bd78668d\about_data_sections.help.txt (5 bytes)
C:\1825901857bd78668d\wsmauto.dll (1842 bytes)
C:\1825901857bd78668d\about_remote_output.help.txt (887 bytes)
C:\1825901857bd78668d\about_signing.help.txt (12 bytes)
C:\1825901857bd78668d\about_functions.help.txt (586 bytes)
C:\1825901857bd78668d\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\1825901857bd78668d\about_functions_advanced.help.txt (3 bytes)
C:\1825901857bd78668d\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\1825901857bd78668d\spmsg.dll (495 bytes)
C:\1825901857bd78668d\certificate.format.ps1xml (155 bytes)
C:\1825901857bd78668d\about_providers.help.txt (59 bytes)
C:\1825901857bd78668d\about_wmi_cmdlets.help.txt (8 bytes)
C:\1825901857bd78668d\update\update.inf (2457 bytes)
C:\1825901857bd78668d\wevtfwd.dll (3351 bytes)
C:\1825901857bd78668d\powershell.exe.mui (10 bytes)
C:\1825901857bd78668d\pwrshmsg.dll (4 bytes)
C:\1825901857bd78668d\about_break.help.txt (792 bytes)
C:\1825901857bd78668d\wsmprovhost.exe (657 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\1825901857bd78668d\about_while.help.txt (2 bytes)
C:\1825901857bd78668d\about_methods.help.txt (6 bytes)
C:\1825901857bd78668d\about_session_configurations.help.txt (276 bytes)
C:\1825901857bd78668d\update\eula.txt (586 bytes)
C:\1825901857bd78668d\about_reserved_words.help.txt (1 bytes)
C:\1825901857bd78668d\about_comparison_operators.help.txt (11 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\1825901857bd78668d\about_switch.help.txt (489 bytes)
C:\1825901857bd78668d\wsmsvc.dll (15909 bytes)
C:\1825901857bd78668d\about_eventlogs.help.txt (5 bytes)
C:\1825901857bd78668d\microsoft.wsman.runtime.dll (33 bytes)
C:\1825901857bd78668d\pwrshsip.dll (24 bytes)
C:\$Directory (800 bytes)
C:\1825901857bd78668d\about_try_catch_finally.help.txt (7 bytes)
C:\1825901857bd78668d\about_job_details.help.txt (824 bytes)
C:\1825901857bd78668d\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\1825901857bd78668d\winrshost.exe (22 bytes)
C:\1825901857bd78668d\about_profiles.help.txt (457 bytes)
C:\1825901857bd78668d\about_for.help.txt (146 bytes)
C:\1825901857bd78668d\about_history.help.txt (3 bytes)
C:\1825901857bd78668d\winrsmgr.dll (2 bytes)
C:\1825901857bd78668d\wtrinstaller.ico (4803 bytes)
C:\1825901857bd78668d\powershelltrace.format.ps1xml (344 bytes)
C:\1825901857bd78668d\about_arrays.help.txt (8 bytes)
C:\1825901857bd78668d\about_execution_policies.help.txt (13 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\1825901857bd78668d\about_quoting_rules.help.txt (659 bytes)
C:\1825901857bd78668d\system.management.automation.dll (38414 bytes)
C:\1825901857bd78668d\about_scopes.help.txt (76 bytes)
C:\1825901857bd78668d\about_remote_jobs.help.txt (13 bytes)
C:\1825901857bd78668d\about_format.ps1xml.help.txt (17 bytes)
C:\1825901857bd78668d\about_operators.help.txt (770 bytes)
C:\1825901857bd78668d\about_comment_based_help.help.txt (595 bytes)
C:\1825901857bd78668d\powershell_ise.resources.dll (4 bytes)
C:\1825901857bd78668d\wsmanhttpconfig.exe (3009 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\1825901857bd78668d\about_jobs.help.txt (12 bytes)
C:\1825901857bd78668d\filesystem.format.ps1xml (133 bytes)
C:\1825901857bd78668d\about_types.ps1xml.help.txt (481 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.dll (3386 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\1825901857bd78668d\about_bits_cmdlets.help.txt (7 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\1825901857bd78668d\system.management.automation.dll-help.xml (16567 bytes)
C:\1825901857bd78668d\system.management.automation.resources.dll (3153 bytes)
C:\1825901857bd78668d\windowsremotemanagement.adm (574 bytes)
C:\1825901857bd78668d\about_special_characters.help.txt (3 bytes)
C:\1825901857bd78668d\dotnettypes.format.ps1xml (266 bytes)
C:\1825901857bd78668d\update\spcustom.dll (23 bytes)
C:\1825901857bd78668d\wsmtxt.xsl (2 bytes)
C:\1825901857bd78668d\about_script_internationalization.help.txt (9 bytes)
C:\1825901857bd78668d\update\updspapi.dll (5940 bytes)
C:\1825901857bd78668d\about_parsing.help.txt (2 bytes)
C:\1825901857bd78668d\winrssrv.dll (12 bytes)
C:\1825901857bd78668d\about_functions_advanced_methods.help.txt (9 bytes)
C:\1825901857bd78668d\about_logical_operators.help.txt (2 bytes)
C:\1825901857bd78668d\winrmprov.mof (789 bytes)
C:\1825901857bd78668d\about_return.help.txt (3 bytes)
C:\1825901857bd78668d\about_remote_requirements.help.txt (6 bytes)
C:\1825901857bd78668d\about_trap.help.txt (10 bytes)
C:\1825901857bd78668d\about_line_editing.help.txt (1 bytes)
C:\1825901857bd78668d\about_throw.help.txt (5 bytes)
C:\1825901857bd78668d\wsmauto.mof (4 bytes)
C:\1825901857bd78668d\about_arithmetic_operators.help.txt (168 bytes)
C:\1825901857bd78668d\about_redirection.help.txt (2 bytes)
C:\1825901857bd78668d\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\1825901857bd78668d\about_remote_faq.help.txt (775 bytes)
C:\1825901857bd78668d\spuninst.exe (3787 bytes)
C:\1825901857bd78668d\microsoft.powershell.editor.resources.dll (562 bytes)
C:\1825901857bd78668d\bitstransfer.format.ps1xml (16 bytes)
C:\1825901857bd78668d\about_pipelines.help.txt (411 bytes)
C:\1825901857bd78668d\pspluginwkr.dll (1756 bytes)
C:\1825901857bd78668d\about_functions_advanced_parameters.help.txt (962 bytes)
C:\1825901857bd78668d\powershell.exe (7339 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\1825901857bd78668d\about_remote.help.txt (7 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\1825901857bd78668d\about_prompts.help.txt (7 bytes)
C:\1825901857bd78668d\about_pssnapins.help.txt (6 bytes)
C:\1825901857bd78668d\importallmodules.psd1 (438 bytes)
C:\1825901857bd78668d\about_wildcards.help.txt (3 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\1825901857bd78668d\about_debuggers.help.txt (21 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.dll (3118 bytes)
C:\1825901857bd78668d\winrm.cmd (35 bytes)
C:\1825901857bd78668d\wsmpty.xsl (1 bytes)
C:\1825901857bd78668d\about_pssession_details.help.txt (9 bytes)
C:\1825901857bd78668d\wsmwmipl.dll (2816 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.dll (5010 bytes)
C:\1825901857bd78668d\update\update.exe (10748 bytes)
C:\1825901857bd78668d\about_if.help.txt (3 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\1825901857bd78668d\about_continue.help.txt (1 bytes)
C:\1825901857bd78668d\about_regular_expressions.help.txt (5 bytes)
C:\1825901857bd78668d\winrmprov.dll (591 bytes)
C:\1825901857bd78668d\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\1825901857bd78668d\diagnostics.format.ps1xml (590 bytes)
C:\1825901857bd78668d\about_automatic_variables.help.txt (14 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\1825901857bd78668d\about_language_keywords.help.txt (11 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\1825901857bd78668d\pscustomsetuputil.exe (316 bytes)
C:\1825901857bd78668d\about_path_syntax.help.txt (5 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.dll (1145 bytes)
C:\1825901857bd78668d\about_command_syntax.help.txt (5 bytes)
C:\1825901857bd78668d\about_commonparameters.help.txt (12 bytes)
C:\1825901857bd78668d\about_assignment_operators.help.txt (379 bytes)
C:\1825901857bd78668d\about_remote_troubleshooting.help.txt (146 bytes)
C:\1825901857bd78668d\powershellcore.format.ps1xml (1492 bytes)
C:\1825901857bd78668d\about_escape_characters.help.txt (2 bytes)
C:\1825901857bd78668d\about_objects.help.txt (2 bytes)
C:\1825901857bd78668d\about_transactions.help.txt (1011 bytes)
C:\1825901857bd78668d\about_pssessions.help.txt (9 bytes)
C:\1825901857bd78668d\about_preference_variables.help.txt (37 bytes)
C:\1825901857bd78668d\update\kb968930xp.cat (512 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\1825901857bd78668d\registry.format.ps1xml (20 bytes)
C:\1825901857bd78668d\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\1825901857bd78668d\about_locations.help.txt (794 bytes)
C:\1825901857bd78668d\$shtdwn$.req (788 bytes)
C:\1825901857bd78668d\about_core_commands.help.txt (221 bytes)
C:\1825901857bd78668d\about_windows_powershell_2.0.help.txt (453 bytes)
C:\1825901857bd78668d\about_command_precedence.help.txt (8 bytes)
C:\1825901857bd78668d\profile.ps1 (772 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.resources.dll (13 bytes)
C:\1825901857bd78668d\about_parameters.help.txt (9 bytes)
C:\1825901857bd78668d\about_do.help.txt (2 bytes)
C:\1825901857bd78668d\about_scripts.help.txt (12 bytes)
C:\1825901857bd78668d\update\update.ver (14 bytes)
C:\1825901857bd78668d\windowsremoteshell.adm (12 bytes)
C:\1825901857bd78668d\default.help.txt (2 bytes)
C:\1825901857bd78668d\pssetupnativeutils.exe (9 bytes)
C:\1825901857bd78668d\help.format.ps1xml (3947 bytes)
C:\1825901857bd78668d\about_environment_variables.help.txt (417 bytes)
C:\1825901857bd78668d\bitstransfer.psd1 (950 bytes)
C:\1825901857bd78668d\about_split.help.txt (10 bytes)
C:\1825901857bd78668d\windowspowershellhelp.chm (26041 bytes)
C:\1825901857bd78668d\getevent.types.ps1xml (15 bytes)
C:\1825901857bd78668d\types.ps1xml (2510 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\1825901857bd78668d\about_properties.help.txt (7 bytes)
C:\1825901857bd78668d\winrm.ini (1956 bytes)
C:\1825901857bd78668d\about_ws-management_cmdlets.help.txt (405 bytes)
C:\1825901857bd78668d\spupdsvc.exe (287 bytes)
C:\1825901857bd78668d\about_foreach.help.txt (10 bytes)
C:\1825901857bd78668d\about_requires.help.txt (2 bytes)
C:\1825901857bd78668d\wsman.format.ps1xml (837 bytes)
C:\1825901857bd78668d\about_aliases.help.txt (6 bytes)
C:\1825901857bd78668d\wsmres.dll (6164 bytes)
C:\1825901857bd78668d\about_modules.help.txt (13 bytes)
C:\1825901857bd78668d\about_script_blocks.help.txt (3 bytes)
C:\1825901857bd78668d\microsoft.powershell.editor.dll (14450 bytes)
C:\1825901857bd78668d\about_variables.help.txt (6 bytes)
C:\1825901857bd78668d\winrscmd.dll (2907 bytes)
The Trojan deletes the following file(s):
C:\1825901857bd78668d\about_type_operators.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.dll (0 bytes)
C:\1825901857bd78668d\winrm.vbs (0 bytes)
C:\1825901857bd78668d\about_core_commands.help.txt (0 bytes)
C:\1825901857bd78668d\eventforwarding.adm (0 bytes)
C:\1825901857bd78668d\about_windows_powershell_ise.help.txt (0 bytes)
C:\1825901857bd78668d\update (0 bytes)
C:\1825901857bd78668d\about_session_configurations.help.txt (0 bytes)
C:\1825901857bd78668d\pwrshplugin.dll (0 bytes)
C:\1825901857bd78668d\about_methods.help.txt (0 bytes)
C:\1825901857bd78668d\wsmplpxy.dll (0 bytes)
C:\1825901857bd78668d\powershell_ise.exe (0 bytes)
C:\1825901857bd78668d\about_join.help.txt (0 bytes)
C:\1825901857bd78668d\winrs.exe (0 bytes)
C:\1825901857bd78668d\about_hash_tables.help.txt (0 bytes)
C:\1825901857bd78668d\about_remote_requirements.help.txt (0 bytes)
C:\1825901857bd78668d\about_throw.help.txt (0 bytes)
C:\1825901857bd78668d\about_remote_output.help.txt (0 bytes)
C:\1825901857bd78668d\about_signing.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.resources.dll (0 bytes)
C:\1825901857bd78668d\about_functions.help.txt (0 bytes)
C:\1825901857bd78668d\about_remote.help.txt (0 bytes)
C:\1825901857bd78668d\about_functions_advanced.help.txt (0 bytes)
C:\_533875_ (0 bytes)
C:\1825901857bd78668d\pscustomsetuputil.exe (0 bytes)
C:\1825901857bd78668d\spmsg.dll (0 bytes)
C:\1825901857bd78668d\certificate.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_wmi_cmdlets.help.txt (0 bytes)
C:\1825901857bd78668d\update\update.inf (0 bytes)
C:\1825901857bd78668d\about_ws-management_cmdlets.help.txt (0 bytes)
C:\1825901857bd78668d\powershell.exe.mui (0 bytes)
C:\1825901857bd78668d\pwrshmsg.dll (0 bytes)
C:\1825901857bd78668d\about_break.help.txt (0 bytes)
C:\1825901857bd78668d\wsmprovhost.exe (0 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\1825901857bd78668d\about_while.help.txt (0 bytes)
C:\1825901857bd78668d\about_ref.help.txt (0 bytes)
C:\1825901857bd78668d\update\eula.txt (0 bytes)
C:\1825901857bd78668d\wevtfwd.dll (0 bytes)
C:\1825901857bd78668d\about_types.ps1xml.help.txt (0 bytes)
C:\1825901857bd78668d\winrmprov.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\1825901857bd78668d\about_switch.help.txt (0 bytes)
C:\1825901857bd78668d\wsmsvc.dll (0 bytes)
C:\1825901857bd78668d\about_quoting_rules.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.wsman.runtime.dll (0 bytes)
C:\1825901857bd78668d\pwrshsip.dll (0 bytes)
C:\1825901857bd78668d\about_try_catch_finally.help.txt (0 bytes)
C:\1825901857bd78668d\about_job_details.help.txt (0 bytes)
C:\1825901857bd78668d\about_parsing.help.txt (0 bytes)
C:\1825901857bd78668d\winrshost.exe (0 bytes)
C:\1825901857bd78668d\about_profiles.help.txt (0 bytes)
C:\1825901857bd78668d\about_for.help.txt (0 bytes)
C:\1825901857bd78668d\wsmpty.xsl (0 bytes)
C:\1825901857bd78668d\winrsmgr.dll (0 bytes)
C:\1825901857bd78668d\wtrinstaller.ico (0 bytes)
C:\1825901857bd78668d\powershelltrace.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_arrays.help.txt (0 bytes)
C:\1825901857bd78668d\about_locations.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\1825901857bd78668d\about_eventlogs.help.txt (0 bytes)
C:\1825901857bd78668d\system.management.automation.dll (0 bytes)
C:\1825901857bd78668d\about_scopes.help.txt (0 bytes)
C:\1825901857bd78668d\about_remote_jobs.help.txt (0 bytes)
C:\1825901857bd78668d\about_format.ps1xml.help.txt (0 bytes)
C:\1825901857bd78668d\about_operators.help.txt (0 bytes)
C:\1825901857bd78668d\about_comment_based_help.help.txt (0 bytes)
C:\1825901857bd78668d\about_reserved_words.help.txt (0 bytes)
C:\1825901857bd78668d\wsmanhttpconfig.exe (0 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.editor.resources.dll (0 bytes)
C:\1825901857bd78668d\about_jobs.help.txt (0 bytes)
C:\1825901857bd78668d\filesystem.format.ps1xml (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\1825901857bd78668d\about_bits_cmdlets.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\1825901857bd78668d\system.management.automation.dll-help.xml (0 bytes)
C:\1825901857bd78668d\about_return.help.txt (0 bytes)
C:\1825901857bd78668d\windowsremotemanagement.adm (0 bytes)
C:\1825901857bd78668d\about_special_characters.help.txt (0 bytes)
C:\1825901857bd78668d\about_wildcards.help.txt (0 bytes)
C:\1825901857bd78668d\about_environment_variables.help.txt (0 bytes)
C:\1825901857bd78668d\wsmtxt.xsl (0 bytes)
C:\1825901857bd78668d\about_script_internationalization.help.txt (0 bytes)
C:\1825901857bd78668d\about_providers.help.txt (0 bytes)
C:\1825901857bd78668d\winrssrv.dll (0 bytes)
C:\1825901857bd78668d\about_functions_advanced_methods.help.txt (0 bytes)
C:\1825901857bd78668d\winrmprov.mof (0 bytes)
C:\1825901857bd78668d\system.management.automation.resources.dll (0 bytes)
C:\1825901857bd78668d\about_data_sections.help.txt (0 bytes)
C:\1825901857bd78668d\about_trap.help.txt (0 bytes)
C:\1825901857bd78668d\about_line_editing.help.txt (0 bytes)
C:\1825901857bd78668d\wsmauto.dll (0 bytes)
C:\1825901857bd78668d\wsmauto.mof (0 bytes)
C:\1825901857bd78668d\about_arithmetic_operators.help.txt (0 bytes)
C:\1825901857bd78668d\about_redirection.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\1825901857bd78668d\about_remote_faq.help.txt (0 bytes)
C:\1825901857bd78668d\spuninst.exe (0 bytes)
C:\1825901857bd78668d (0 bytes)
C:\1825901857bd78668d\about_pssnapins.help.txt (0 bytes)
C:\1825901857bd78668d\bitstransfer.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_pipelines.help.txt (0 bytes)
C:\1825901857bd78668d\pspluginwkr.dll (0 bytes)
C:\1825901857bd78668d\dotnettypes.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_functions_advanced_parameters.help.txt (0 bytes)
C:\1825901857bd78668d\powershell.exe (0 bytes)
C:\1825901857bd78668d\about_scripts.help.txt (0 bytes)
C:\1825901857bd78668d\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\1825901857bd78668d\about_prompts.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\1825901857bd78668d\importallmodules.psd1 (0 bytes)
C:\1825901857bd78668d\update\updspapi.dll (0 bytes)
C:\1825901857bd78668d\about_debuggers.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.dll (0 bytes)
C:\1825901857bd78668d\winrm.cmd (0 bytes)
C:\1825901857bd78668d\about_history.help.txt (0 bytes)
C:\1825901857bd78668d\about_pssession_details.help.txt (0 bytes)
C:\1825901857bd78668d\wsmwmipl.dll (0 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.dll (0 bytes)
C:\1825901857bd78668d\about_if.help.txt (0 bytes)
C:\1825901857bd78668d\about_logical_operators.help.txt (0 bytes)
C:\1825901857bd78668d\about_continue.help.txt (0 bytes)
C:\1825901857bd78668d\about_regular_expressions.help.txt (0 bytes)
C:\1825901857bd78668d\about_comparison_operators.help.txt (0 bytes)
C:\1825901857bd78668d\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\1825901857bd78668d\diagnostics.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_automatic_variables.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.gpowershell.dll (0 bytes)
C:\1825901857bd78668d\about_language_keywords.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\1825901857bd78668d\about_path_syntax.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.dll (0 bytes)
C:\1825901857bd78668d\about_command_syntax.help.txt (0 bytes)
C:\1825901857bd78668d\about_commonparameters.help.txt (0 bytes)
C:\1825901857bd78668d\about_assignment_operators.help.txt (0 bytes)
C:\1825901857bd78668d\about_remote_troubleshooting.help.txt (0 bytes)
C:\1825901857bd78668d\powershellcore.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_escape_characters.help.txt (0 bytes)
C:\1825901857bd78668d\about_objects.help.txt (0 bytes)
C:\1825901857bd78668d\about_transactions.help.txt (0 bytes)
C:\1825901857bd78668d\about_pssessions.help.txt (0 bytes)
C:\1825901857bd78668d\about_preference_variables.help.txt (0 bytes)
C:\1825901857bd78668d\update\kb968930xp.cat (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\1825901857bd78668d\powershell_ise.resources.dll (0 bytes)
C:\1825901857bd78668d\registry.format.ps1xml (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\1825901857bd78668d\about_execution_policies.help.txt (0 bytes)
C:\1825901857bd78668d\update\update.exe (0 bytes)
C:\1825901857bd78668d\about_windows_powershell_2.0.help.txt (0 bytes)
C:\1825901857bd78668d\about_command_precedence.help.txt (0 bytes)
C:\1825901857bd78668d\profile.ps1 (0 bytes)
C:\1825901857bd78668d\microsoft.wsman.management.resources.dll (0 bytes)
C:\1825901857bd78668d\about_parameters.help.txt (0 bytes)
C:\1825901857bd78668d\about_do.help.txt (0 bytes)
C:\1825901857bd78668d\update\update.ver (0 bytes)
C:\1825901857bd78668d\windowsremoteshell.adm (0 bytes)
C:\1825901857bd78668d\default.help.txt (0 bytes)
C:\1825901857bd78668d\pssetupnativeutils.exe (0 bytes)
C:\1825901857bd78668d\help.format.ps1xml (0 bytes)
C:\1825901857bd78668d\update\spcustom.dll (0 bytes)
C:\1825901857bd78668d\bitstransfer.psd1 (0 bytes)
C:\1825901857bd78668d\about_split.help.txt (0 bytes)
C:\1825901857bd78668d\windowspowershellhelp.chm (0 bytes)
C:\1825901857bd78668d\getevent.types.ps1xml (0 bytes)
C:\1825901857bd78668d\types.ps1xml (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\1825901857bd78668d\about_properties.help.txt (0 bytes)
C:\1825901857bd78668d\winrm.ini (0 bytes)
C:\1825901857bd78668d\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\1825901857bd78668d\spupdsvc.exe (0 bytes)
C:\1825901857bd78668d\about_foreach.help.txt (0 bytes)
C:\1825901857bd78668d\about_requires.help.txt (0 bytes)
C:\1825901857bd78668d\wsman.format.ps1xml (0 bytes)
C:\1825901857bd78668d\about_aliases.help.txt (0 bytes)
C:\1825901857bd78668d\wsmres.dll (0 bytes)
C:\1825901857bd78668d\about_modules.help.txt (0 bytes)
C:\1825901857bd78668d\about_script_blocks.help.txt (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\1825901857bd78668d\microsoft.powershell.editor.dll (0 bytes)
C:\1825901857bd78668d\about_variables.help.txt (0 bytes)
C:\1825901857bd78668d\winrscmd.dll (0 bytes)
The process ngen.exe:3920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)
The process ngen.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)
The process ngen.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)
The process ngen.exe:3944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)
The process ngen.exe:3556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)
The process ngen.exe:3456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:3472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
The process ngen.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)
The process ngen.exe:3572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)
The process ngen.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)
The process ngen.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)
The process ngen.exe:3912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)
The process ngen.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)
The process ngen.exe:3480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)
The process ngen.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)
The process ngen.exe:3464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
The process ngen.exe:3428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:3540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)
The process ngen.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)
The process ngen.exe:3548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):