Skip to main content

TrojanPSW.Win32.Zbot_c7287e4422


Trojan.Win32.Buzus.vwbo (Kaspersky), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c7287e4422871dc4acfce32a2458fc5b

SHA1: 685e8277768bf6d529fb7eab47dd433f0679bfca

SHA256: c1cf5eb6e4991d2a9bab8b240a02a551354a31f811d47ea451f911a2fb38e535

SSDeep: 6144:0lu5m7JSwimyjqVQe2JdwmzyRUC0Tq70vv0c:0YEJSLOVivwiIN6Em9

Size: 222745 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Bunndle, Inc.

Created at: 2014-05-11 23:03:52

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

awury.exe:1312
awury.exe:516
%original file name%.exe:2824
%original file name%.exe:188

The Trojan-PSW injects its code into the following process(es):

infos.exe:2808
Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process infos.exe:2808 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
%Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
%Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
%Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
%Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
%Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
%Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
C:\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
%Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
%Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
%Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
%Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
%Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
%Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
%Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
%Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
%Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
%Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
%Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)

The process awury.exe:516 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (0 bytes)

The process %original file name%.exe:2824 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)

The process %original file name%.exe:188 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB2.tmp (0 bytes)

Registry activity

The process infos.exe:2808 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7C 00 D6 2E DE 6C 87 60 33 B5 E0 0F 68 F8 5B"

[HKCR\NNANSSVPASHMXRT\shell\open\command]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

[HKCR\.CryptoLocker2015CryptoWal]
"(Default)" = "NNANSSVPASHMXRT"

[HKCR\NNANSSVPASHMXRT]
"(Default)" = "CRYPTED!"

[HKCR\NNANSSVPASHMXRT\DefaultIcon]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe,0"

[HKCU\Software\Microsoft\Focoy]
"Cano" = "EE B0 DB 91 4A 07 BA 72 C5 3F 5E 37 2B 08 DD 40"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

The process awury.exe:1312 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 EF 36 7E E4 D2 E0 7C 03 1C 95 DE AD 42 3F 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process awury.exe:516 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 3D 11 89 13 7B E5 8B FE 48 D8 0E 1E E2 FB C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:2824 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 1A DF FF 52 07 EE BA 1E 84 5F 04 C5 AA 13 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:188 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B4 FB 50 2C B0 2F 12 5B 31 33 FA 9A A8 1A C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
eb9950f1438d8896f1fc3ca0a0a78777c:\Documents and Settings\"%CurrentUserName%"\Application Data\Suyzos\awury.exe
e8f3f8e61e61d2aebddee870a2138dc2c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9xYOG5dWL0R72l4.exe
e8f3f8e61e61d2aebddee870a2138dc2c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmpf0d43a8c\infos.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    awury.exe:1312
    awury.exe:516
    %original file name%.exe:2824
    %original file name%.exe:188

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
    %Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
    %Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
    %Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
    %Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
    %Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
    %Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
    %Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
    %Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
    %Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
    %Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
    %Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
    %Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
    C:\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
    %Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
    %Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
    %Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
    %Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
    %Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
    %Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
    %Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
    %Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
    %Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
    %Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
    %Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
    %Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
    %Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
    %Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
    %Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
    %Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
    %Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
    %Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
    %Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
    %Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
    %Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Alcmeter" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: TrueCrypt Foundation
Product Name: TrueCrypt
Product Version: 7.1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.1.0
File Description: TrueCrypt Setup
Comments:
Language: Chinese (Simplified, PRC)

Company Name: TrueCrypt FoundationProduct Name: TrueCryptProduct Version: 7.1.0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 7.1.0File Description: TrueCrypt SetupComments: Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409625046250884.51043a436e6a5ee718deeb0af89624d941715
.rdata32768521656323.427949b909cc04ca8fa423df16432e48f502c
.data4096017605615362.69571f6e758c86da20cc0ec6efc2daea8d45a
.ndata2170886553600d41d8cd98f00b204e9800998ecf8427e
.rsrc282624728876802.8191677a127e8424957d702582f9bd02074eb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan-PSW connects to the servers at the folowing location(s):

Strings from Dumps

infos.exe_2808:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

Wh%u@

Wh%u@

user32.dll

user32.dll

GetProcessHeap

GetProcessHeap

GetWindowsDirectoryA

GetWindowsDirectoryA

kernel32.dll

kernel32.dll

ShellExecuteA

ShellExecuteA

shell32.dll

shell32.dll

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

advapi32.dll

advapi32.dll

shlwapi.dll

shlwapi.dll

gdi32.dll

gdi32.dll

comctl32.dll

comctl32.dll

HOW TO DECRYPT FILES.txt

HOW TO DECRYPT FILES.txt

Password is incorrect!

Password is incorrect!

To decrypt files, please enter correct password!

To decrypt files, please enter correct password!

Entered password is correct. Press OK to start decrypting of files. Dont close window and wait until message "Files have been decrypted successfully!" appears.

Entered password is correct. Press OK to start decrypting of files. Dont close window and wait until message "Files have been decrypted successfully!" appears.

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

explorer.exe

explorer.exe

Password:

Password:

C:\Perl\html\lib\SQL\Dialects\ANSI.html

C:\Perl\html\lib\SQL\Dialects\ANSI.html

t.html

t.html

n.html

n.html

ars.html

ars.html

.html

.html

s.html

s.html

3BDF2F}.dat

3BDF2F}.dat

rd.lnk

rd.lnk

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmpf0d43a8c\infos.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmpf0d43a8c\infos.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe

C:\Perl\html\lib\SQL\Dialects\ANSI.html.CryptoLocker2015CryptoWal

C:\Perl\html\lib\SQL\Dialects\ANSI.html.CryptoLocker2015CryptoWal

C:\Perl\html\lib\SQL\Dialects\HOW TO DECRYPT FILES.txt

C:\Perl\html\lib\SQL\Dialects\HOW TO DECRYPT FILES.txt

FILES.txt

FILES.txt

S.txt

S.txt

ES.txt

ES.txt

YPT FILES.txt

YPT FILES.txt

TO DECRYPT FILES.txt

TO DECRYPT FILES.txt

RYPT FILES.txt

RYPT FILES.txt

T FILES.txt

T FILES.txt

ILES.txt

ILES.txt

%WinDir%\explorer.exe

%WinDir%\explorer.exe

2009:03:12 13:48:18

2009:03:12 13:48:18

2008:03:24 16:41:53

2008:03:24 16:41:53

(7),01444

(7),01444

'9=82<.342>

'9=82<.342>

:R%fxf

:R%fxf

[XXf'.Ie

[XXf'.Ie

.tMCP

.tMCP

.ZDS5

.ZDS5

.OBiF

.OBiF

*.zip

*.zip

*.rar

*.rar

*.tar

*.tar

*.gzip

*.gzip

*.jpg

*.jpg

*.jpeg

*.jpeg

*.psd

*.psd

*.cdr

*.cdr

*.dwg

*.dwg

*.max

*.max

*.bmp

*.bmp

*.gif

*.gif

*.png

*.png

*.doc

*.doc

*.docx

*.docx

*.xls

*.xls

*.xlsx

*.xlsx

*.ppt

*.ppt

*.pptx

*.pptx

*.txt

*.txt

*.pdf

*.pdf

*.djvu

*.djvu

*.htm

*.htm

*.html

*.html

*.mdb

*.mdb

*.cer

*.cer

*.pfx

*.pfx

*.kwm

*.kwm

*.pwm

*.pwm

*.mdf

*.mdf

*.dbf

*.dbf

*.odt

*.odt

*.vob

*.vob

*.ifo

*.ifo

*.lnk

*.lnk

*.torrent

*.torrent

*.mov

*.mov

*.mpeg

*.mpeg

*.mpg

*.mpg

*.flv

*.flv

*.avi

*.avi

*.mp4

*.mp4

*.wmv

*.wmv

*.divx

*.divx

*.mkv

*.mkv

*.mp3

*.mp3

*.wav

*.wav

*.flac

*.flac

*.ape

*.ape

*.wma

*.wma

*.ac3

*.ac3

*.ods

*.ods

*.odp

*.odp

*.odm

*.odm

*.odb

*.odb

*.docm

*.docm

*.wps

*.wps

*.xlsm

*.xlsm

*.xlsb

*.xlsb

*.xlk

*.xlk

*.pptm

*.pptm

*.accdb

*.accdb

*wallet*.dat

*wallet*.dat

Cryptolocker Modefications CryptoWal 2015 Your important files Encryption produces on this computer: photos, videos, documents, etc. Here is a complete list in practic of encrypted files, and you can personally verify this.

Cryptolocker Modefications CryptoWal 2015 Your important files Encryption produces on this computer: photos, videos, documents, etc. Here is a complete list in practic of encrypted files, and you can personally verify this.

Just after payment specify ONLY the Bitcoin Address. Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive your product code activation. Price How 1 Hamburger EASY Piza ON YOUR BRAIN After You Make Payment Your System Files Automaticaly Decrypt Start! Question Where You Buy Bitcoins? 1. We Reccommendation individual Specific Fast To You localbitcoins.com and Here Read Where Bitcoins Market 2. Visit Bitcoin.org

Just after payment specify ONLY the Bitcoin Address. Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive your product code activation. Price How 1 Hamburger EASY Piza ON YOUR BRAIN After You Make Payment Your System Files Automaticaly Decrypt Start! Question Where You Buy Bitcoins? 1. We Reccommendation individual Specific Fast To You localbitcoins.com and Here Read Where Bitcoins Market 2. Visit Bitcoin.org

infos.exe_2808_rwx_00130000_00027000:

.text

.text

`.data

`.data

.reloc

.reloc

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

PR_OpenTCPSocket

k.cim

k.cim

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

: ;2*8.>

: ;2*8.>

3.#70!2)

3.#70!2)

x#m`a`cmddt-

x#m`a`cmddt-

6 !26!1'1

6 !26!1'1

7"52),,>

7"52),,>

;

;

71.(5;4=

71.(5;4=

(203,2$0

(203,2$0

/?./,5

/?./,5

:>(

:>(

8%/

8%/

%/>!

%/>!

HTTP/1.1

HTTP/1.1

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

SSSh,4

SSSh,4

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

SetKeyboardState

SetKeyboardState

ExitWindowsEx

ExitWindowsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardState

GetKeyboardState

OpenWindowStationW

OpenWindowStationW

GetProcessWindowStation

GetProcessWindowStation

CreateWindowStationW

CreateWindowStationW

CloseWindowStation

CloseWindowStation

SetProcessWindowStation

SetProcessWindowStation

USER32.dll

USER32.dll

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

PathIsURLW

PathIsURLW

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

SetViewportOrgEx

SetViewportOrgEx

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpSendRequestA

HttpSendRequestA

InternetCrackUrlA

InternetCrackUrlA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

TUSSHO#

TUSSHO#

6 6&6/656{6

6 6&6/656{6

cGlobal\XXX

cGlobal\XXX

nspr4.dll

nspr4.dll

nss3.dll

nss3.dll

SysShadow

SysShadow

kernel32.dll

kernel32.dll

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

:\Documents and Settings\"%CurrentUserName%"\Application Data\Ynid\kyuz.ani

:\Documents and Settings\"%CurrentUserName%"\Application Data\Ynid\kyuz.ani

%Documents and Settings%\%current user%\Application Data\Ynid

%Documents and Settings%\%current user%\Application Data\Ynid

kyuz.ani

kyuz.ani

Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}

Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

{F557F597-C018-8259-8350-35ECEA6ED5DB}

{F557F597-C018-8259-8350-35ECEA6ED5DB}

lobal\{632C47B3-723C-1422-8350-35ECEA6ED5DB}

lobal\{632C47B3-723C-1422-8350-35ECEA6ED5DB}

Explorer.EXE_1948_rwx_01100000_00027000:

.text

.text

`.data

`.data

.reloc

.reloc

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

PR_OpenTCPSocket

k.cim

k.cim

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

: ;2*8.>

: ;2*8.>

3.#70!2)

3.#70!2)

x#m`a`cmddt-

x#m`a`cmddt-

6 !26!1'1

6 !26!1'1

7"52),,>

7"52),,>

;

;

71.(5;4=

71.(5;4=

(203,2$0

(203,2$0

/?./,5

/?./,5

:>(

:>(

8%/

8%/

%/>!

%/>!

HTTP/1.1

HTTP/1.1

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://

hXXp://

hXXps://

hXXps://

HTTP/1.

HTTP/1.

SSSh,4

SSSh,4

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

SetKeyboardState

SetKeyboardState

ExitWindowsEx

ExitWindowsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardState

GetKeyboardState

OpenWindowStationW

OpenWindowStationW

GetProcessWindowStation

GetProcessWindowStation

CreateWindowStationW

CreateWindowStationW

CloseWindowStation

CloseWindowStation

SetProcessWindowStation

SetProcessWindowStation

USER32.dll

USER32.dll

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

PathIsURLW

PathIsURLW

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

SetViewportOrgEx

SetViewportOrgEx

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpSendRequestA

HttpSendRequestA

InternetCrackUrlA

InternetCrackUrlA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

6 6&6/656{6

6 6&6/656{6

cGlobal\XXX

cGlobal\XXX

nspr4.dll

nspr4.dll

nss3.dll

nss3.dll

SysShadow

SysShadow

kernel32.dll

kernel32.dll

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

%Documents and Settings%\%current user%\Application Data\Ynid\kyuz.ani

%Documents and Settings%\%current user%\Application Data\Ynid\kyuz.ani

%Documents and Settings%\%current user%\Application Data\Ynid

%Documents and Settings%\%current user%\Application Data\Ynid

kyuz.ani

kyuz.ani

Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}

Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

{F557F597-C018-8259-8350-35ECEA6ED5DB}

{F557F597-C018-8259-8350-35ECEA6ED5DB}

Global\{632C47B3-723C-1422-8350-35ECEA6ED5DB}

Global\{632C47B3-723C-1422-8350-35ECEA6ED5DB}