Trojan-Dropper.Win32.Agent.axza (Kaspersky), Win32.Worm.Autorun.TD (B) (Emsisoft), DeepScan:Generic.Malware.P!Tk.DC788440 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b716fb5b5e0ecd14fb839d4d27875601
SHA1: 2862d3c66bdbfb75eac0773da77b56d5e12a93f1
SHA256: 15d5da5c700d8e17a02cf3cb1904215a7b406125219468af3b3b3c6d10b74a8d
SSDeep: 768:s4o oy/qdgQFXfxtaw8E4RYphsyN9AEVCteAe:kbyiiQB5r8E2 AjeAe
Size: 37888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company:
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The DeepScan creates the following process(es):
taskkill.exe:504
taskkill.exe:744
taskkill.exe:1764
sc.exe:1144
rundll32.exe:2008
cacls.exe:1336
The DeepScan injects its code into the following process(es):
%original file name%.exe:368
Mutexes
The following mutexes were created/opened:
RasPbFile
WininetProxyRegistryMutex
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
DBWinMutex
ShimCacheMutex
135896
File activity
The process %original file name%.exe:368 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
C:\autorun.inf (21 bytes)
%System%\m1846741.dll (12169462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (384 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
%System% (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%System%\drivers (96 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)
The process rundll32.exe:2008 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
%System%\drivers\acpiec.sys (14 bytes)
Registry activity
The process taskkill.exe:504 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 11 BC C7 61 61 E7 2C 13 31 AC 36 38 11 24 E8"
The process taskkill.exe:744 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C E1 C4 B7 A3 52 FD F5 84 B1 79 5E 56 2E 50 44"
The process taskkill.exe:1764 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 49 62 01 9C 06 C0 5B CF B7 F5 33 E6 7F C1 39"
The process sc.exe:1144 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 35 4D 48 51 80 C1 C9 18 F6 BC E5 FC 88 CF 09"
The process rundll32.exe:2008 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5A 2B 36 60 61 86 EA A3 42 48 57 EE 97 46 55"
The process cacls.exe:1336 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 EF E8 C7 13 09 BE 1D 37 7D 9F 18 E3 97 83 99"
Dropped PE files
MD5 | File path |
---|---|
47ce67ae447dba7ca7349f53812e9f89 | c:\WINDOWS\LastGood\system32\drivers\acpiec.sys |
e5c13e37ada96e76677362a5e870ee7d | c:\WINDOWS\s265006334.dll |
9859c0f6936e723e4892d7141b1327d5 | c:\WINDOWS\system32\dllcache\acpiec.sys |
47ce67ae447dba7ca7349f53812e9f89 | c:\WINDOWS\system32\drivers\OLD7F.tmp |
601b3f2466bfa6989b9c7586b5ba54aa | c:\WINDOWS\system32\drivers\pcidump.sys |
3e3b8a35aefc6e462746d6689348fa7e | c:\WINDOWS\system32\m1846741.dll |
HOSTS file anomalies
The DeepScan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 5743 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | v.onondown.com.cn |
127.0.0.2 | ymsdasdw1.cn |
127.0.0.3 | h96b.info |
127.0.0.0 | fuck.zttwp.cn |
127.0.0.0 | www.hackerbf.cn |
127.0.0.0 | geekbyfeng.cn |
127.0.0.0 | 121.14.101.68 |
127.0.0.0 | ppp.etimes888.com |
127.0.0.0 | www.bypk.com |
127.0.0.0 | CSC3-2004-crl.verisign.com |
127.0.0.1 | va9sdhun23.cn |
127.0.0.0 | udp.hjob123.com |
127.0.0.2 | bnasnd83nd.cn |
127.0.0.0 | www.gamehacker.com.cn |
127.0.0.0 | gamehacker.com.cn |
127.0.0.3 | adlaji.cn |
127.0.0.1 | 858656.com |
127.1.1.1 | bnasnd83nd.cn |
127.0.0.1 | my123.com |
127.0.0.0 | user1.12-27.net |
127.0.0.1 | 8749.com |
127.0.0.0 | fengent.cn |
127.0.0.1 | 4199.com |
127.0.0.1 | user1.16-22.net |
127.0.0.1 | 7379.com |
127.0.0.1 | 2be37c5f.3f6e2cc5f0b.com |
127.0.0.1 | 7255.com |
127.0.0.1 | user1.23-12.net |
127.0.0.1 | 3448.com |
127.0.0.1 | www.guccia.net |
127.0.0.1 | 7939.com |
127.0.0.1 | a.o1o1o1.nEt |
127.0.0.1 | 8009.com |
127.0.0.1 | user1.12-73.cn |
127.0.0.1 | piaoxue.com |
127.0.0.1 | 3n8nlasd.cn |
127.0.0.1 | kzdh.com |
127.0.0.0 | www.sony888.cn |
127.0.0.1 | about.blank.la |
127.0.0.0 | user1.asp-33.cn |
127.0.0.1 | 6781.com |
127.0.0.0 | www.netkwek.cn |
127.0.0.1 | 7322.com |
127.0.0.0 | ymsdkad6.cn |
127.0.0.0 | www.lkwueir.cn |
127.0.0.1 | 06.jacai.com |
127.0.1.1 | user1.23-17.net |
127.0.0.1 | 1.jopenkk.com |
127.0.0.0 | upa.luzhiai.net |
127.0.0.1 | 1.jopenqc.com |
127.0.0.0 | www.guccia.net |
127.0.0.1 | 1.joppnqq.com |
127.0.0.0 | 4m9mnlmi.cn |
127.0.0.1 | 1.xqhgm.com |
127.0.0.0 | mm119mkssd.cn |
127.0.0.1 | 100.332233.com |
127.0.0.0 | 61.128.171.115:8080 |
127.0.0.1 | 121.11.90.79 |
127.0.0.0 | www.1119111.com |
127.0.0.1 | 121565.net |
127.0.0.0 | win.nihao69.cn |
127.0.0.1 | 125.90.88.38 |
127.0.0.1 | 16888.6to23.com |
127.0.0.1 | 2.joppnqq.com |
127.0.0.0 | puc.lianxiac.net |
127.0.0.1 | 204.177.92.68 |
127.0.0.0 | pud.lianxiac.net |
127.0.0.1 | 210.74.145.236 |
127.0.0.0 | 210.76.0.133 |
127.0.0.1 | 219.129.239.220 |
127.0.0.0 | 61.166.32.2 |
127.0.0.1 | 219.153.40.221 |
127.0.0.0 | 218.92.186.27 |
127.0.0.1 | 219.153.46.27 |
127.0.0.0 | www.fsfsfag.cn |
127.0.0.1 | 219.153.52.123 |
127.0.0.0 | ovo.ovovov.cn |
127.0.0.1 | 221.195.42.71 |
127.0.0.0 | dw.com.com |
127.0.0.1 | 222.73.218.115 |
127.0.0.1 | 203.110.168.233:80 |
127.0.0.1 | 3.joppnqq.com |
127.0.0.1 | 203.110.168.221:80 |
127.0.0.1 | 363xx.com |
127.0.0.1 | www1.ip10086.com.cm |
127.0.0.1 | 4199.com |
127.0.0.1 | blog.ip10086.com.cn |
127.0.0.1 | 43242.com |
127.0.0.1 | www.ccji68.cn |
127.0.0.1 | 5.xqhgm.com |
127.0.0.0 | t.myblank.cn |
127.0.0.1 | 520.mm5208.com |
127.0.0.0 | x.myblank.cn |
127.0.0.1 | 59.34.131.54 |
127.0.0.1 | 210.51.45.5 |
127.0.0.1 | 59.34.198.228 |
127.0.0.1 | www.ew1q.cn |
127.0.0.1 | 59.34.198.88 |
127.0.0.1 | 59.34.198.97 |
127.0.0.1 | 60.190.114.101 |
127.0.0.1 | 60.190.218.34 |
127.0.0.0 | qq-xing.com.cn |
127.0.0.1 | 60.191.124.252 |
127.0.0.1 | 61.145.117.212 |
127.0.0.1 | 61.157.109.222 |
127.0.0.1 | 75.126.3.216 |
127.0.0.1 | 75.126.3.217 |
127.0.0.1 | 75.126.3.218 |
127.0.0.0 | 59.125.231.177:17777 |
127.0.0.1 | 75.126.3.220 |
127.0.0.1 | 75.126.3.221 |
127.0.0.1 | 75.126.3.222 |
127.0.0.1 | 772630.com |
127.0.0.1 | 832823.cn |
127.0.0.1 | 8749.com |
127.0.0.1 | 888.jopenqc.com |
127.0.0.1 | 89382.cn |
127.0.0.1 | 8v8.biz |
127.0.0.1 | 97725.com |
127.0.0.1 | 9gg.biz |
127.0.0.1 | www.9000music.com |
127.0.0.1 | test.591jx.com |
127.0.0.1 | a.topxxxx.cn |
127.0.0.1 | picon.chinaren.com |
127.0.0.1 | www.5566.net |
127.0.0.1 | p.qqkx.com |
127.0.0.1 | news.netandtv.com |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | b.myblank.cn |
127.0.0.1 | wvw.wokutu.com |
127.0.0.1 | unionch.qyule.com |
127.0.0.1 | www.qyule.com |
127.0.0.1 | it.itjc.cn |
127.0.0.1 | www.linkwww.com |
127.0.0.1 | vod.kaicn.com |
127.0.0.1 | www.tx8688.com |
127.0.0.1 | b.neter888.cn |
127.0.0.1 | promote.huanqiu.com |
127.0.0.1 | www.huanqiu.com |
127.0.0.1 | www.haokanla.com |
127.0.0.1 | play.unionsky.cn |
127.0.0.1 | www.52v.com |
127.0.0.1 | www.gghka.cn |
127.0.0.1 | icon.ajiang.net |
127.0.0.1 | new.ete.cn |
127.0.0.1 | www.stiae.cn |
127.0.0.1 | o.neter888.cn |
127.0.0.1 | comm.jinti.com |
127.0.0.1 | www.google-analytics.com |
127.0.0.1 | hz.mmstat.com |
127.0.0.1 | www.game175.cn |
127.0.0.1 | x.neter888.cn |
127.0.0.1 | z.neter888.cn |
127.0.0.1 | p.etimes888.com |
127.0.0.1 | hx.etimes888.com |
127.0.0.1 | abc.qqkx.com |
127.0.0.1 | dm.popdm.cn |
127.0.0.1 | www.yl9999.com |
127.0.0.1 | www.dajiadoushe.cn |
127.0.0.1 | v.onondown.com.cn |
127.0.0.1 | www.interoo.net |
127.0.0.1 | bally1.bally-bally.net |
127.0.0.1 | www.bao5605509.cn |
127.0.0.1 | www.rty456.cn |
127.0.0.1 | www.werqwer.cn |
127.0.0.1 | 1.360-1.cn |
127.0.0.1 | user1.23-16.net |
127.0.0.1 | www.guccia.net |
127.0.0.1 | www.interoo.net |
127.0.0.1 | upa.netsool.net |
127.0.0.1 | js.users.51.la |
127.0.0.1 | vip2.51.la |
127.0.0.1 | web.51.la |
127.0.0.1 | qq.gong2008.com |
127.0.0.1 | 2008tl.copyip.com |
127.0.0.1 | tla.laozihuolaile.cn |
127.0.0.1 | www.tx6868.cn |
127.0.0.1 | p001.tiloaiai.com |
127.0.0.1 | s1.tl8tl.com |
127.0.0.1 | s1.gong2008.com |
127.0.0.1 | 4b3ce56f9g.3f6e2cc5f0b.com |
Rootkit activity
The DeepScan installs the following kernel-mode hooks:
ZwQuerySystemInformation
Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:504
taskkill.exe:744
taskkill.exe:1764
sc.exe:1144
rundll32.exe:2008
cacls.exe:1336
- Delete the original DeepScan file.
- Delete or disinfect the following files created/modified by the DeepScan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
C:\autorun.inf (21 bytes)
%System%\m1846741.dll (12169462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)
%System%\drivers\acpiec.sys (14 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 90112 | 36864 | 34816 | 5.46762 | f1bba76e65088c04ba69ed62b67d8c64 |
.rsrc | 126976 | 4096 | 2048 | 1.91925 | 0b2c49604cc338a65a6b41dff3b6d7f9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
24e75bde7d18226edd597ae697d87e7e
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The DeepScan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_368:
`.rsrc
%s\s%d
32.exe m
:%dm^`[
%s\s%d%d.dll
rundll32.exe %s, droqp
%s\system32\m%d%d.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cacls %s /e /p everyone:f
cacls "%s" /e /p everyone:f
\temp\explorer.exe
\drivers\gm.dls
explorer.exe
[ffi][nil:>:,::mn^::K
,1(*(*(
,1(*(*(,
,1(*(*(-
,1(*(*(*
, ( .( * (02
,1( ( (
,1(*( (
0 ( ,2( 1 ( /42*2*
, ( (3*(13
,/(3*(22(-2
,*.( 11(3,(02
, *(1.( ./(,-0
, *(10(*( --
, 3( ,3(,-3(,,*
0 ( 00(-,(,
, 3( /-(.*(,,
, 2(3,( 20(,1
, 3( /-(.0(,1
, 3( /-(/,( ,-
,, ( 3/(.,(1
,,,(1-(, 2( /
,*-( *( 02(,--42*
,*-( *( 02(,, 42*
/3(-.( - (/.
, *(/ (./(/
/3(-.( 32(,,2
/3(-.( 32(22
/3(-.( 32(31
0*( 3*( .( *
0*( 3*(, 2(-.
0*( 3 ( ,.(,/,
0 ( ./( 1(, ,
0 ( /1( *3(,,,
1/( ,0(-(, 0
1/( ,0(-(, 1
1/( ,0(-(, 2
/3( ,/(,- ( 114 1111
1/( ,0(-(,,*
1/( ,0(-(,,
1/( ,0(-(,,,
3-3?3\3{3
/!/-/6/`0~0
Ci>_f_n_Msg\ifc]Fche
Ci=l_[n_Msg\ifc]Fche
windows
webtrap
WEBSCANX
WEBSCAN
smtpsvc
safeweb
Kabackreport
WinExec
GetWindowsDirectoryA
.text
`.rdata
@.data
.rsrc
.CJ66
aMSg3u
O`.rdha
KERNEL32.DLL
MSVCRT.dll
SHELL32.dll
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Microsoft(R) Windows(R) Operating System
5.1.2600.0
%original file name%.exe_368_rwx_00401000_0001D000:
%s\s%d%d.dll
rundll32.exe %s, droqp
%s\system32\m%d%d.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cacls %s /e /p everyone:f
cacls "%s" /e /p everyone:f
\temp\explorer.exe
\drivers\gm.dls
explorer.exe
[ffi][nil:>:,::mn^::K
,1(*(*(
,1(*(*(,
,1(*(*(-
,1(*(*(*
, ( .( * (02
,1( ( (
,1(*( (
0 ( ,2( 1 ( /42*2*
, ( (3*(13
,/(3*(22(-2
,*.( 11(3,(02
, *(1.( ./(,-0
, *(10(*( --
, 3( ,3(,-3(,,*
0 ( 00(-,(,
, 3( /-(.*(,,
, 2(3,( 20(,1
, 3( /-(.0(,1
, 3( /-(/,( ,-
,, ( 3/(.,(1
,,,(1-(, 2( /
,*-( *( 02(,--42*
,*-( *( 02(,, 42*
/3(-.( - (/.
, *(/ (./(/
/3(-.( 32(,,2
/3(-.( 32(22
/3(-.( 32(31
0*( 3*( .( *
0*( 3*(, 2(-.
0*( 3 ( ,.(,/,
0 ( ./( 1(, ,
0 ( /1( *3(,,,
1/( ,0(-(, 0
1/( ,0(-(, 1
1/( ,0(-(, 2
/3( ,/(,- ( 114 1111
1/( ,0(-(,,*
1/( ,0(-(,,
1/( ,0(-(,,,
3-3?3\3{3
/!/-/6/`0~0
Ci>_f_n_Msg\ifc]Fche
Ci=l_[n_Msg\ifc]Fche
windows
webtrap
WEBSCANX
WEBSCAN
smtpsvc
safeweb
Kabackreport
WinExec
GetWindowsDirectoryA
.text
`.rdata
@.data
.rsrc
.CJ66
aMSg3u
%original file name%.exe_368_rwx_10000000_00001000:
.data
.rsrc
@.reloc
psapi.dll
\patch.exe
\dstdisk.exe
\defence.exe
192yuioealdjfiefjsdfas.txt
%SystemRoot%\System32\DRIVERS\puid.sys
\drivers\pcidump.sys
System32\DRIVERS\pcidump.sys
%SystemRoot%\system32\drivers\puid.sys
\\.\pcidump
\drivers\gm.dls
%s%d.txt
>>tmp.tmp
@echo rcx>>tmp.tmp
@echo %X>>tmp.tmp
@echo n tmp2>>tmp.tmp
@echo w>>tmp.tmp
@echo q>>tmp.tmp
@debugnul
@rename tmp2 tmp2.exe
tmp2.exe
Windows
1.exe
autorun.inf
Open=1.exe
urlmon
\setup.exe
?mac=%s&ver=%s&key=%d&os=windows
.html
.hhqg
qq.exe
360safe.exe
\explorer.exe
\temp\explorer.exe
nfect_exe
\pipe\browser
\\%s\IPC$
Bd
%original file name%.exe_368_rwx_1000A000_00002000:
\??\c:\%original file name%.exe
\??\%WinDir%\explorer.exe
ers\gm.dls
WinExec
CreatePipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
rundll32.exe_2008:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s