Detections: Trojan.Win32.Buzus.vwbo (Kaspersky); Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c7287e4422871dc4acfce32a2458fc5b
SHA1: 685e8277768bf6d529fb7eab47dd433f0679bfca
SHA256: c1cf5eb6e4991d2a9bab8b240a02a551354a31f811d47ea451f911a2fb38e535
SSDeep: 6144:0lu5m7JSwimyjqVQe2JdwmzyRUC0Tq70vv0c:0YEJSLOVivwiIN6Em9
Size: 222745 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Bunndle, Inc.
Created at: 2014-05-11 23:03:52
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
awury.exe:1312
awury.exe:516
%original file name%.exe:2824
%original file name%.exe:188
The Trojan-PSW injects its code into the following process(es):
infos.exe:2808
Explorer.EXE:1948
Mutexes
The following mutexes were created/opened:
No objects were found.
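The indicators above (file hashes, the process names the sample spawns and injects into, and the "path (N bytes)" entries in the File activity section that follows) are what a responder would carry to other hosts. The script below is an added example, not part of the Lavasoft report: it turns those indicators into checks, parses the report's file-activity line format, expands the report's %Documents and Settings% / %current user% placeholders for a profile, and counts how many entries are ransom-note drops or writes of only a few bytes. The sample lines, the profile root "C:\Documents and Settings" and the user name "alice" are constructed for illustration; the 16-byte threshold for a "tiny write" is an assumption.

```python
"""IOC checks built from the Lavasoft report above (added example, not the
report's own tooling). Hashes, process names and file paths come from the
report; sample lines, profile root, user name and the tiny-write threshold
are constructed assumptions."""
import hashlib
import re

# Indicators copied from the report's Summary and Process activity sections.
KNOWN_HASHES = {
    "md5": "c7287e4422871dc4acfce32a2458fc5b",
    "sha1": "685e8277768bf6d529fb7eab47dd433f0679bfca",
    "sha256": "c1cf5eb6e4991d2a9bab8b240a02a551354a31f811d47ea451f911a2fb38e535",
}
SUSPECT_PROCESSES = {"awury.exe", "infos.exe"}   # created by / injected into
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"          # dropped into many directories

# Constructed sample in the report's own "path (N bytes)" format.
SAMPLE_LINES = [
    r"%Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)",
    r"C:\HOW TO DECRYPT FILES.txt (1 bytes)",
    r"%Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)",
    r"%Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)",
]

_LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")


def parse_file_activity(lines):
    """Return [(path, size_in_bytes)] for every well-formed report line."""
    out = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m:
            out.append((m.group("path"), int(m.group("size"))))
    return out


def expand_placeholders(path, profiles_root, user):
    """Replace the report's %Documents and Settings% and %current user%
    tokens with a concrete profile root and user name (caller-supplied)."""
    return (path.replace("%Documents and Settings%", profiles_root)
                .replace("%current user%", user))


def summarize(entries, small_write=16):
    """Count ransom-note drops and writes smaller than small_write bytes
    (threshold is an assumption). A pure password stealer does neither."""
    notes = [p for p, _ in entries if p.endswith("\\" + RANSOM_NOTE)]
    tiny = [p for p, n in entries if n < small_write and p not in notes]
    return {"ransom_notes": len(notes), "tiny_writes": len(tiny),
            "note_dirs": sorted({p.rsplit("\\", 1)[0] for p in notes})}


def hash_bytes(data, algo="sha256"):
    """Hex digest of an in-memory blob with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream a file through hashlib so large files need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hashes_match_known(digests):
    """digests: {algo: hexdigest}. True when any digest equals the report's."""
    return any(KNOWN_HASHES.get(a) == d.lower() for a, d in digests.items())


def suspicious_processes(process_list):
    """Filter 'name:pid' strings (the report's format) for the sample's
    process names; Explorer.EXE is an injection target, not a name to hunt."""
    hits = []
    for item in process_list:
        name, _, pid = item.rpartition(":")
        if name.lower() in SUSPECT_PROCESSES:
            hits.append((name, int(pid)))
    return hits


if __name__ == "__main__":
    entries = parse_file_activity(SAMPLE_LINES)
    print(summarize(entries))
    for p, _ in entries:
        print(expand_placeholders(p, r"C:\Documents and Settings", "alice"))
    print(suspicious_processes(["awury.exe:1312", "Explorer.EXE:1948", "infos.exe:2808"]))
```

Run over the full File activity list rather than the five sample lines, summarize() reports dozens of ransom-note directories, which is the quickest way to see that the dynamic trace shows more than credential theft.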
File activity
The process infos.exe:2808 (the injected process, not the original file) makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s). Note that the list is dominated by a "HOW TO DECRYPT FILES.txt" note dropped into nearly every directory, and that many pre-existing files (.lnk shortcuts, template documents, sample media) appear with writes of only a few bytes; this is ransomware-style behaviour that the automated "Trojan-PSW" summary above does not reflect:
%Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
%Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
%Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
%Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
%Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
%Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
%Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
C:\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
%Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
%Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
%Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
%Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
%Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
%Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
%Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
%Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
%Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
%Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
%Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)
The process awury.exe:516 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (0 bytes)
The process %original file name%.exe:2824 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB2.tmp (0 bytes)
Registry activity
The process infos.exe:2808 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7C 00 D6 2E DE 6C 87 60 33 B5 E0 0F 68 F8 5B"
[HKCR\NNANSSVPASHMXRT\shell\open\command]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"
[HKCR\.CryptoLocker2015CryptoWal]
"(Default)" = "NNANSSVPASHMXRT"
[HKCR\NNANSSVPASHMXRT]
"(Default)" = "CRYPTED!"
[HKCR\NNANSSVPASHMXRT\DefaultIcon]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe,0"
[HKCU\Software\Microsoft\Focoy]
"Cano" = "EE B0 DB 91 4A 07 BA 72 C5 3F 5E 37 2B 08 DD 40"
To run itself automatically each time Windows boots, the Trojan-PSW adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"
The process awury.exe:1312 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 EF 36 7E E4 D2 E0 7C 03 1C 95 DE AD 42 3F 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process awury.exe:516 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 3D 11 89 13 7B E5 8B FE 48 D8 0E 1E E2 FB C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:2824 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 1A DF FF 52 07 EE BA 1E 84 5F 04 C5 AA 13 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B4 FB 50 2C B0 2F 12 5B 31 33 FA 9A A8 1A C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| eb9950f1438d8896f1fc3ca0a0a78777 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Suyzos\awury.exe |
| e8f3f8e61e61d2aebddee870a2138dc2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9xYOG5dWL0R72l4.exe |
| e8f3f8e61e61d2aebddee870a2138dc2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmpf0d43a8c\infos.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan-PSW installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
awury.exe:1312
awury.exe:516
%original file name%.exe:2824
%original file name%.exe:188
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
%Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
%Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
%Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
%Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
%Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
%Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
C:\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
%Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
%Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
%Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
%Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
%Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
%Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
%Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
%Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
%Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
%Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
%Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"
Reboot the computer.
Static Analysis
VersionInfo
Company Name: TrueCrypt Foundation
Product Name: TrueCrypt
Product Version: 7.1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.1.0
File Description: TrueCrypt Setup
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 25046 | 25088 | 4.51043 | a436e6a5ee718deeb0af89624d941715 |
.rdata | 32768 | 5216 | 5632 | 3.42794 | 9b909cc04ca8fa423df16432e48f502c |
.data | 40960 | 176056 | 1536 | 2.69571 | f6e758c86da20cc0ec6efc2daea8d45a |
.ndata | 217088 | 65536 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 282624 | 7288 | 7680 | 2.81916 | 77a127e8424957d702582f9bd02074eb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan-PSW connects to the servers at the following location(s):
Strings from Dumps
infos.exe_2808:
.text
`.rdata
@.data
.rsrc
Wh%u@
user32.dll
GetProcessHeap
GetWindowsDirectoryA
kernel32.dll
ShellExecuteA
shell32.dll
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
advapi32.dll
shlwapi.dll
gdi32.dll
comctl32.dll
HOW TO DECRYPT FILES.txt
Password is incorrect!
To decrypt files, please enter correct password!
Entered password is correct. Press OK to start decrypting of files. Dont close window and wait until message "Files have been decrypted successfully!" appears.
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explorer.exe
Password:
C:\Perl\html\lib\SQL\Dialects\ANSI.html
t.html
n.html
ars.html
.html
s.html
3BDF2F}.dat
rd.lnk
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmpf0d43a8c\infos.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe
C:\Perl\html\lib\SQL\Dialects\ANSI.html.CryptoLocker2015CryptoWal
C:\Perl\html\lib\SQL\Dialects\HOW TO DECRYPT FILES.txt
FILES.txt
S.txt
ES.txt
YPT FILES.txt
TO DECRYPT FILES.txt
RYPT FILES.txt
T FILES.txt
ILES.txt
%WinDir%\explorer.exe
2009:03:12 13:48:18
2008:03:24 16:41:53
(7),01444
'9=82<.342>
:R%fxf
[XXf'.Ie
.tMCP
.ZDS5
.OBiF
*.zip
*.rar
*.tar
*.gzip
*.jpg
*.jpeg
*.psd
*.cdr
*.dwg
*.max
*.bmp
*.gif
*.png
*.doc
*.docx
*.xls
*.xlsx
*.ppt
*.pptx
*.txt
*.djvu
*.htm
*.html
*.mdb
*.cer
*.pfx
*.kwm
*.pwm
*.mdf
*.dbf
*.odt
*.vob
*.ifo
*.lnk
*.torrent
*.mov
*.mpeg
*.mpg
*.flv
*.avi
*.mp4
*.wmv
*.divx
*.mkv
*.mp3
*.wav
*.flac
*.ape
*.wma
*.ac3
*.ods
*.odp
*.odm
*.odb
*.docm
*.wps
*.xlsm
*.xlsb
*.xlk
*.pptm
*.accdb
*wallet*.dat
Cryptolocker Modefications CryptoWal 2015 Your important files Encryption produces on this computer: photos, videos, documents, etc. Here is a complete list in practic of encrypted files, and you can personally verify this.
Just after payment specify ONLY the Bitcoin Address. Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive your product code activation. Price How 1 Hamburger EASY Piza ON YOUR BRAIN After You Make Payment Your System Files Automaticaly Decrypt Start! Question Where You Buy Bitcoins? 1. We Reccommendation individual Specific Fast To You localbitcoins.com and Here Read Where Bitcoins Market 2. Visit Bitcoin.org
infos.exe_2808_rwx_00130000_00027000:
.text
`.data
.reloc
hXXp://VVV.google.com/webhp
PR_OpenTCPSocket
k.cim
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
: ;2*8.>
3.#70!2)
x#m`a`cmddt-
6 !26!1'1
7"52),,>
;
71.(5;4=
(203,2$0
/?./,5
:>(
8%/
%/>!
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://
hXXps://
HTTP/1.
SSSh,4
GetProcessHeap
KERNEL32.dll
SetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
MapVirtualKeyW
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHDeleteKeyW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
TUSSHO#
6 6&6/656{6
cGlobal\XXX
nspr4.dll
nss3.dll
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
:\Documents and Settings\"%CurrentUserName%"\Application Data\Ynid\kyuz.ani
%Documents and Settings%\%current user%\Application Data\Ynid
kyuz.ani
Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}
%Documents and Settings%\%current user%\Application Data
{F557F597-C018-8259-8350-35ECEA6ED5DB}
lobal\{632C47B3-723C-1422-8350-35ECEA6ED5DB}
Explorer.EXE_1948_rwx_01100000_00027000:
.text
`.data
.reloc
hXXp://VVV.google.com/webhp
PR_OpenTCPSocket
k.cim
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
: ;2*8.>
3.#70!2)
x#m`a`cmddt-
6 !26!1'1
7"52),,>
;
71.(5;4=
(203,2$0
/?./,5
:>(
8%/
%/>!
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://
hXXps://
HTTP/1.
SSSh,4
GetProcessHeap
KERNEL32.dll
SetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
MapVirtualKeyW
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHDeleteKeyW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
6 6&6/656{6
cGlobal\XXX
nspr4.dll
nss3.dll
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
%Documents and Settings%\%current user%\Application Data\Ynid\kyuz.ani
%Documents and Settings%\%current user%\Application Data\Ynid
kyuz.ani
Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}
%Documents and Settings%\%current user%\Application Data
{F557F597-C018-8259-8350-35ECEA6ED5DB}
Global\{632C47B3-723C-1422-8350-35ECEA6ED5DB}